# Runtime Governance — Nine Firewalls

## The Security Inversion

Every other agentic AI system trusts LLM output and executes it as code. Mission Control inverts this model: allow nothing, enable specific things. Synthetic workers cannot do anything that is not a pre-approved, human-authored capability.

## The Nine Layers

Governance is enforced at runtime, not on a checklist. Every action a synthetic worker takes flows through every layer:

1. **Identity Verification** — Each worker has a unique identity with verifiable credentials. No anonymous execution.
2. **Role-Based Access Control (Human)** — Human administrators define what workers can access, using the same RBAC model they use for human employees.
3. **Role-Based Access Control (Synthetic)** — Workers have their own credential sets and permission boundaries, provisioned through the same IT workflows as human accounts.
4. **Execution Sandboxing** — All generated code runs in a restricted environment with a package whitelist. Prohibited imports (os, subprocess, sys) are blocked at the interpreter level.
5. **Audit Logging** — Every LLM call, every MBU execution, every file access, every message is logged with full provenance: who, what, when, why, with what context.
6. **Delegation Controls** — Workers can delegate to other workers, but only within their permission scope. A worker cannot grant permissions it does not have.
7. **Scheduling Constraints** — Workers operate within defined time windows and concurrency limits. No unsupervised 3am executions unless explicitly configured.
8. **Communications Filtering** — All inter-worker and worker-to-human communications are logged and auditable. No side channels.
9. **Capability Whitelisting** — The MBU activation list defines exactly which capabilities a worker has. Capabilities not on the list do not exist for that worker.

## No Arbitrary Execution

This is the single most important security property. The synthetic worker's LLM can generate code, but that code runs in a sandbox with:
- A whitelist of approved Python packages
- No access to os, subprocess, sys, or any system-level operations
- Resource limits on memory and execution time
- No network access outside approved endpoints
- Full logging of every execution with inputs, outputs, and timing

The LLM does not have the ability to break out of this sandbox. It is a runtime constraint, not a prompt instruction.

## Bounded Blast Radius

Every worker operates within explicit permission boundaries. If a worker misbehaves, the impact is limited to:
- The specific systems it has credentials for
- The specific data it has access to
- The specific time window it is allowed to operate in

There is no scenario where one worker's failure cascades to the entire platform or to systems outside its scope.

## SOC2 Compliance

Mission Control maintains SOC2 compliance via Drata, with continuous monitoring of security controls, access patterns, and data handling practices.

---

*For the interactive visual walkthrough: https://usemissioncontrol.com/platform/#architecture-governance*