AI agents are in production. The governance infrastructure is not. Finance, legal, and HR teams are running agents against sensitive data — and the enforcement layer those deployments need, something that evaluates policy at every request and produces verifiable evidence it ran, doesn't yet exist. OWASP Agentic AI ASI01–10 and NIST AI RMF both identify runtime enforcement and tamper-evident audit trails as baseline requirements organizations have not yet deployed. EU AI Act deployer obligations for high-risk AI systems are now due December 2, 2027 (standalone) and August 2, 2028 (embedded) following the May 2026 Omnibus deal — and Art. 5 prohibited practices are already in force. The enforcement infrastructure gap is real regardless of which regulatory clock you are watching.

That gap is what Steer closes. Today we're releasing Steer publicly under the Apache 2.0 license.

Why governance in the system prompt fails

The standard approach is to embed governance logic into the agent itself — prompt instructions, guardrail checks, output filters. This has three structural problems:

• It doesn't produce evidence. When a CISO or auditor asks whether the constraint ran, "it was in the system prompt" is not an answer. You need a cryptographically verifiable record that policy was evaluated at a specific point in time against a specific input.
• It's tied to the model. Prompt-based guardrails vary by model, drift with fine-tuning, and can be bypassed by a sufficiently adversarial input. A governance control that can be talked out of isn't a control.
• It doesn't scale. Every new agent, every new framework, every new model version requires re-implementing the same logic. There is no single enforcement point to audit.

The infrastructure answer to this problem exists in adjacent domains. API gateways enforce authentication and rate limiting at the network layer. WAFs enforce security policies before application code runs. Steer applies the same architectural pattern to AI agent governance.

How Steer works

Steer sits between your AI agents and your LLM providers. Change your OpenAI base URL from api.openai.com to your Steer endpoint. That's it. No SDK to install, no agent code to modify, no framework dependency.

At every request, Steer evaluates your Cedar policy rules against the agent's context — the input, the calling identity, the current policy state, and the session history. The evaluation returns one of three decisions:

• Allow — the request passes through to the LLM provider.
• Steer — the request is modified or augmented before reaching the provider (adding a system prompt constraint, stripping a sensitive term).
• Block — the request is rejected with a structured response your agent can handle.

Every decision — allow, steer, or block — generates a tamper-evident audit record. Records are cryptographically chained: each record includes a hash of the previous record in the chain. A gap or alteration in the chain is detectable. This is the audit trail that matters when a regulator asks what happened on a given day.

Cedar policies

Policy evaluation in Steer uses Cedar, the open policy language Amazon developed for IAM-style access decisions. Cedar policies are readable, compositional, and formally analyzable — you can verify that a policy set covers a given scenario without running it.

Steer ships with 23 managed policies out of the box, mapped to:

• OWASP Agentic AI Security (ASI01–10)
• EU AI Act Articles 9, 10, 11, 13, 14, 15, and 26
• NIST AI Risk Management Framework
• PCI DSS v4.0

The managed policies are a starting point. Your Cedar rules extend them — or replace them entirely. The policy engine is the same regardless of which policies are loaded.

Latency is governance's enemy

Governance infrastructure that adds meaningful latency will be routed around. Our engineering constraint from the start: enforcement overhead must be imperceptible to agents operating in real workflows.

Steer adds less than 14ms p50 to LLM request latency in typical deployments. The policy evaluation is synchronous and in-process with the proxy — there is no external policy service to call. Cedar evaluation on a modern policy set completes in microseconds.

The proxy also operates fail-open by default: if Steer is unreachable for any reason, your agents continue operating against the LLM provider directly. Fail-open is the only acceptable default for a network-layer governance component — you don't want a governance infrastructure outage to take down your AI agents.

Why the enforcement layer has to be open

The enforcement engine that sits on your AI agent traffic needs to be auditable. You should be able to read the code that makes governance decisions, understand exactly what it does, and verify that it doesn't exfiltrate data, doesn't phone home, and behaves the way we claim it does.

The Apache 2.0 Core license means you can run Steer in your own VPC, audit the enforcement logic, and modify it for your environment. There is no telemetry in the open-source build. No payload data ever leaves your network boundary.

A governance control that you can't audit isn't a governance control — it's a trust relationship. For the infrastructure layer that sits on your AI agent traffic, trust relationships aren't sufficient.

What's next

Steer is the enforcement layer. We're building the rest of the lifecycle around it:

• Spike — AI-powered AI risk assessment and regulatory gap analysis. AI agents interview your teams in parallel and deliver gap analysis and draft documentation in 5–7 days. Coming later this year.
• Pulse — Regulatory intelligence and incident tracking across jurisdictions. Structured intelligence tuned to EU AI Act, DORA, and emerging AI regulation globally.
• Loop — The operational workspace for governance teams. Policy authoring, evidence review, human-in-the-loop decision workflows, and compliance reporting.

If you're deploying AI agents in a regulated environment, we built this for you. Reach out — we'll get you running and help map your specific obligations to policies.

---

Steer is available now on GitHub. Documentation is at docs.enforcegrid.com. Managed cloud is available for teams that want Steer running without operating it themselves — see the Steer product page.