Frequently asked questions
Runtime governance, sovereignty receipts, and how Kovera differs from gateway-only deployments or ordinary audit trails.
How is Kovera different from CloudTrail-style logs or gateway-only AI guardrails?
CloudTrail-style products excel at recording API activity once credentials are exercised. Gateways excel at routing, quotas, and routing policy at the edge. Neither replaces mediation that binds agent identity to tool calls before irreversible effects, nor produces sovereignty receipts your reviewers can verify outside Kovera's UI. Kovera sits on those enforcement paths and writes tamper-evident records tied to approvals when policy demands human involvement.
Does sensitive payload data leave our environment?
Governance metadata and cryptographic summaries sync for ledger anchoring per your deployment model. Payload handling follows your retention and residency controls. Your security team defines what crosses the boundary; receipts reference hashes and decision context suitable for auditors without dumping raw prompts into shared logs by default.
Will auditors accept signed exports?
Vanguard, Sovereign, and Fortress engagements ship digitally-signed PDF and JSON bundles with identifiers auditors expect: timestamps, signatures, Merkle linkage where enabled, and cited controls. SOC 2 and HIPAA-oriented packs pair narrative controls language with artifacts mapped to evidence lockers such as Drata or Vanta where your contract includes automated sync.
Can verification hooks run inside CI/CD or deployment pipelines?
Pipelines can call Kovera verification endpoints or require presence of an approved sovereignty receipt before promoting builds. That pattern mirrors runtime guardrails extended into release governance rather than repurposing legacy static scanners that never observed production agents.
What happens when policy routes an action through human approval?
High-risk flows pause after sandbox simulation and structured Slack approvals with cited rules. Approvals mint a DecisionHash that anchors into the ledger so incident response and audit teams share one authoritative timeline instead of fragmented threads.
Which stacks does Kovera integrate with?
Deployments commonly pair Kovera with enterprise identity providers, Slack or Teams escalation channels, observability sinks, and AI gateways such as Portkey for complementary routing controls. Tier-specific packs expose REST hooks for verification portals including verify.kovera.tech. Tell us about your mesh during onboarding so engineers wire the mediator closest to production agents.