Sovereign AI

Your models. Your data. Provable control.

Enterprises are moving off hosted AI APIs and onto open-source models running on their own hardware. The moment you do, the provider's spend dashboard, rate limits, and audit trail disappear with the provider. AgentGuard® is the governance layer that stays: it runs inside your perimeter, and it signs a receipt that proves which model ran, whose weights it used, and where.

Govern a local model in 60 seconds See a signed receipt
The sovereignty gap

Self-hosting gives you the weights. It takes away the controls.

When your agents call OpenAI or Anthropic, the provider gives you spend limits, usage logs, and abuse controls for free. Point those same agents at vLLM, Ollama, or your own GPU cluster and all of that is gone. No caps. No kill switch. No audit trail. And you cannot rent the trust layer from a model vendor: a vendor cannot be the neutral auditor of its own models. Sovereignty needs a control plane that belongs to you.

The answer

A control plane that lives in your runtime, not ours.

AgentGuard is a pure SDK. There is no gateway in your traffic path, no proxy, no vendor cloud. Install it next to your agent, point it at any OpenAI-compatible endpoint including your own, and every action passes a signed, content-free gate before it runs.

$ npm install @agentguard-run/spend  # or: pip install agentguard-spend
$ agentguard init # works with vLLM, Ollama, TGI, Bedrock, or any OpenAI-compatible endpoint

New to self-hosting? Start with the 2026 hardware and setup guide: verified GPU prices, buy-vs-rent math, and the full vLLM/Ollama walkthrough.

01

Zero data plane

Prompts, completions, keys, and policies never leave your infrastructure. Signing happens locally. We could not see your data even if we wanted to; there is nothing to subpoena, breach, or train on.

02

Hard enforcement, locally

Spend caps, capability gates, and a kill switch enforced in-process, before the action happens. Not a retrospective log in someone else's cloud.

03

Model-agnostic by design

Hosted frontier APIs, open-source models on your GPUs, or both in one fleet. Swap models freely; the governance rail and the receipt format do not change.

04

Forge-proof receipts

Every decision settles to an Ed25519-signed, hash-chained, content-free receipt that anyone can verify independently, off-platform. Edit one byte and verification fails.

Provenance, attested

The receipt proves the sovereignty claim itself.

Saying "we run our own models and keep our data in-country" is a policy. Proving it is a receipt. AgentGuard receipts carry model and hosting provenance: which model family and version ran, the origin of its weights, the jurisdiction it ran in, and the data-retention posture. China-origin weights (GLM, DeepSeek, Qwen, Kimi and family) are detected and flagged automatically, and can be blocked for regulated workloads.

actionissue_credit · within cap
modelglm-4 · self-hosted
weights_originCN · flagged
jurisdictionself-hosted · your perimeter
data_retention0 days · zero data plane
decisionALLOWED · ed25519 signed
verifyindependently · off-platform

For a regulator, an auditor, or your own board, that is the difference between "trust us" and "verify it yourself." Receipts are content-free: they prove the decision and its provenance, never the underlying data.

Who this is for

Built for the teams the frontier labs cannot serve neutrally.

Enterprises running open-source models on-prem or in VPC

You forked the model to own your intelligence. AgentGuard restores the governance you gave up: caps, gates, kill switch, and an audit trail your compliance team can hand to anyone.

Regulated industries with residency and logging obligations

Financial services, healthcare, legal, public sector. Jurisdiction and retention are fields on every receipt, aligned with the logging expectations of frameworks like the EU AI Act for high-risk systems.

Teams that refuse to share proprietary data with model vendors

Your data is your moat. A governance product that routes your traffic through its own cloud is asking you to mortgage it. AgentGuard never sees your traffic, by architecture.

"You cannot rent intelligence from the same place that rents it to your competitor, and you cannot rent trust from the vendor whose model you are auditing. Own the weights. Own the data. Own the proof."