Security is architecture, not a badge.
This page reads like an internal security review summary — because that's what enterprise buyers need. Concrete controls, real boundaries, recognized frameworks.
Isolation & Boundaries
Every tenant operates within strict isolation boundaries. Access to resources — data, runs, tool credentials, and configuration — is gated by tenant context at the infrastructure level.
Tenant Isolation
Per-tenant namespaces with infrastructure-enforced boundaries. No shared state across tenants. Modeled on AWS SaaS architecture fundamentals.
Data Boundaries
Encryption at rest (AES-256) and in transit (TLS 1.3). Scoped credentials per-tenant per-tool. Per-tenant encryption keys with rotation.
Credential Scoping
Tool credentials (DMS, EHR, CRM) are scoped to the tenant and the specific graph version. No credential sharing across workspaces.
Healthcare Readiness
AMQUR is designed so that HIPAA Security Rule safeguards are implementable and auditable per-run — not claimed as a blanket certification.
Administrative Safeguards
Access controls enforced per-user, per-role, per-tenant. Security incident procedures with automated alerting. Workforce training integration.
Technical Safeguards
Access controls, audit controls, integrity protections, and transmission security — all implemented as first-class platform capabilities.
Audit Controls
Every run produces an immutable audit trail: actions, tool calls, policy evaluations, approval decisions, and the chain of reasoning.
Security Assurance Artifacts
Enterprise security posture grounded in recognized frameworks — not badges on a marketing page.
SOC 2 Type II
Trust Services Criteria across five domains: security, availability, processing integrity, confidentiality, and privacy. Continuous monitoring, not point-in-time.
ISO 27001
Information Security Management System (ISMS) with continuous improvement. Risk assessment, treatment, and monitoring as ongoing operational practice.
Penetration Testing
Regular third-party penetration testing with remediation tracking. Security contacts and pen-test intake process available on request.
API Security Posture
The Java API gateway enforces deterministic security policies using OWASP API Security Top 10 as the external vocabulary for risk categories.
Authentication & Authorization
Multi-layer identity: trigger identity, execution identity, authorization identity, and tenant identity. Prevents privilege inheritance by autonomous agents.
Rate Limiting
Per-tenant, per-endpoint rate limiting. Resource consumption controls prevent abuse. Automatic throttling with graceful degradation.
Deterministic Gates
Security policies are hardcoded in the Java gateway — not controlled by model inference. An agent cannot bypass a policy gate regardless of its instructions.
AI Governance Alignment
AMQUR's controls map to recognized AI governance frameworks for organizations evaluating responsible AI deployment.
NIST AI RMF
Aligned to the four core functions: Govern (policies, gates), Map (workflow definition), Measure (observability, metrics), and Manage (drift detection, remediation).
AI TRiSM
Trust, Risk, and Security Management across the agent lifecycle: governance at design, monitoring in operation, security at every boundary, transparency in every decision.
Explainability
Every agent action includes the chain of reasoning, tool inputs/outputs, and policy evaluation results. No black boxes — full decision traceability.
Zero Trust Stance
Least privilege and continuous evaluation as architectural principles — aligned to NIST SP 800-207 Zero Trust Architecture.
Least Privilege
Every agent, tool, and user operates with the minimum permissions required. Permissions are scoped to the specific graph, run, and tenant context.
Continuous Evaluation
Trust is not granted once. Every request is evaluated against current policy, current credentials, and current context. Sessions are short-lived.
Identity Layering
Five distinct identity layers prevent the 'BodySnatcher' vulnerability where user permissions are inherited by an autonomous agent without explicit consent.
Need specifics for your security review?
Request a security packet with architecture diagrams, boundary documentation, and compliance artifacts.