Enact wraps every agent action in four layers: policy enforcement before it runs, a signed receipt after, human-in-the-loop for high-risk ops, and one-command rollback when something slips through. Your agents keep working. You get proof.
Source-available SDK · Zero-knowledge cloud · SOC 2 / SOX / EU AI Act
Install, connect your systems, define policies, call enact.run(). That's it.
One package. No infra required to start.
GitHub, Postgres, Filesystem, Slack — pass your credentials, get policy-gated, receipt-backed actions back.
Deterministic Python functions. No LLMs. Versioned in Git. Testable with pytest.
Your agent gets a result and a receipt. Blocked actions are logged with a reason.
# 1. install
pip install enact-sdk
# 2. set up your client
from enact import EnactClient
from enact.connectors.postgres import PostgresConnector
from enact.policies.db import block_ddl, dont_delete_without_where
enact = EnactClient(
secret="your-secret",
systems={"postgres": PostgresConnector(dsn="postgresql://...")},
policies=[block_ddl, dont_delete_without_where],
)
# 3. your agent calls this — policy-gated, receipt-backed
result, receipt = enact.run(
workflow="safe_insert",
user_email="agent@company.com",
payload={"table": "users", "data": {...}},
)Already have an agent? See the Migration section ↓ for before/after code.
enact-sdk from PyPI and runs it client-side — no server, no mock output. Pick a scenario and hit Run to see policy enforcement happen live.
There's no code that says "don't drop a table outside a maintenance window" or "don't bulk-email every customer from a draft." Every agent is one bad prompt away from a live incident.
When your auditor, VP, or CISO asks "what did the agent actually do?" — you're digging through CloudWatch at 2am. No searchable log. No compliance path. No proof.
When something slips through, you're restoring from backups, manually reconstructing state, and explaining it to stakeholders. There is no undo.
High-risk actions run without any human seeing them first. If your agent decides to delete rows, merge to main, or message a thousand customers — nothing stops it.
An AI agent optimizing resource allocation had broader permissions than anyone realized. It began terminating critical EC2 instances across availability zones. No human approval. No safety check. Cascading failures took down major services for 13 hours.
Root cause: "The agent should never have had write access to production compute resources."
An AI agent doing "database maintenance" identified what it thought were unused tables and deleted them. They were critical production tables. The agent generated plausible explanations for why the deletion was safe. The data was gone.
Root cause: Full write access to production schema. No approval workflow. No audit trail.
With Enact: pre-action row capture means enact.rollback(run_id) restores every deleted record in one command — with a signed rollback receipt showing exactly what was reversed and what couldn't be.
Your agent's reasoning and planning logic doesn't change. You're adding a safety layer between it and your systems. Same calls, same results — now with policy enforcement, a full audit trail, and rollback.
Swap your existing SDK clients for Enact connectors. GitHub, Postgres, Filesystem, Slack — same credentials, now policy-gated and receipt-backed.
Any if/else checks you already write become Python policy functions. Or just use ours — 20+ ship out of the box.
tool.do_thing() becomes enact.run(). That's the whole migration.
# your agent today — calling tools directly
import github_sdk
import psycopg2
# direct call — zero policy check
github_sdk.create_pr(
repo="myorg/app",
branch="agent/fix-123",
title="Fix bug",
)
# no WHERE protection — deletes everything
db.execute("DELETE FROM sessions")
# no audit trail. no rollback. no proof.# one-time setup — replaces your SDK clients
from enact import EnactClient
from enact.connectors.github import GitHubConnector
from enact.connectors.postgres import PostgresConnector
from enact.policies.git import dont_push_to_main
from enact.policies.db import dont_delete_without_where
enact = EnactClient(
secret="...",
systems={
"github": GitHubConnector(token="..."),
"postgres": PostgresConnector(dsn="postgresql://..."),
},
policies=[dont_push_to_main, dont_delete_without_where],
)
# same intent — now policy-gated + receipt-backed
result, receipt = enact.run(
workflow="agent_pr_workflow",
user_email="agent@company.com",
payload={"repo": "myorg/app", "branch": "agent/fix-123"},
)Pure Python functions — no LLMs, versioned in Git, testable with pytest. Register any combination on your EnactClient.
block_ddl
dont_delete_row
dont_delete_without_where
dont_update_without_where
protect_tables(list)
Factory — blocks any operation on a named table. Exact, case-sensitive match. Pass-through if no table in payload.
code_freeze_active
within_maintenance_window(start, end)
dont_read_sensitive_tables(list)
dont_read_sensitive_paths(list)
require_user_role(*roles)
require_clearance_for_path(paths, min)
contractor_cannot_write_pii
require_actor_role(list)
dont_push_to_main
dont_merge_to_main
dont_delete_branch
max_files_per_commit(n)
require_branch_prefix(prefix)
dont_delete_file
restrict_paths(list)
block_extensions(list)
dont_duplicate_contacts
limit_tasks_per_contact
require_channel_allowlist(list)
block_dms
no_mass_emails
no_repeat_emails Requires Cloud
dont_delete_without_human_ok("gdrive") Requires Cloud
dont_delete_without_human_ok("s3") Requires Cloud
Any callable (WorkflowContext) -> PolicyResult can be registered. No SDK extension needed.
def only_on_weekdays(ctx: WorkflowContext) -> PolicyResult:
ok = datetime.now(timezone.utc).weekday() < 5
return PolicyResult(
policy="only_on_weekdays", passed=ok,
reason="weekday OK" if ok else "no weekend ops"
)Three outcomes every production team needs to handle. Enact documents all of them — and gives you the receipt to prove it.
High-risk actions wait for a human to approve before continuing. Signed email link. One-time-use. Timeout = auto-deny with receipt. No login required for the approver.
Your agent calls the workflow as normal. Enact detects the gate and pauses execution before anything touches production.
Your ops contact gets a signed approve/deny link. No login. No account. Link expires after your configured timeout.
Approve → workflow runs, signed receipt generated. Deny or timeout → BLOCK receipt. Agent gets the reason either way.
from enact import EnactClient
enact = EnactClient(
systems={"github": gh},
policies=[dont_push_to_main],
workflows=[agent_pr_workflow],
secret="your-secret",
cloud_api_key="eak_...", # enables HITL + cloud receipt storage
)
result, receipt = enact.run_with_hitl(
workflow="agent_pr_workflow",
user_email="agent@company.com",
payload={"repo": "myorg/app", "branch": "agent/nuke-main"},
notify_email="ops@company.com", # who gets the approve/deny email
timeout_seconds=3600, # auto-deny after 1 hour of silence
)
print(result.decision) # "PASS" if approved, "BLOCK" if denied or timed outYour AI agent wants to execute a workflow and needs your approval before continuing.
Receipts are encrypted with your key before they leave your machine. Enact Cloud stores the encrypted blob — we can search the metadata (which workflow ran, pass/fail, timestamp) but we literally cannot read the payload (SQL queries, file contents, business data, PII).
Same model as 1Password, Proton Mail, and Signal. Your data is encrypted before it reaches us. If our servers are breached, attackers find encrypted blobs — not your SQL queries, not your business logic, not your customer data.
Your agents are already running. Auditors are already asking "how do you control your AI agents?" Enact makes the answer automatic:
40 hours of engineering time explaining "what did agents do" to an auditor costs $10,000+. Enact turns that into a 10-minute export.
These are the capabilities teams ask for most. Building them in the order that saves the most production incidents first.
Undo reversible agent actions in one command. enact.rollback(run_id) reverses what it can (branches, DB rows, files, open PRs, Slack messages), explicitly records what it can't (pushed commits), and generates a signed PASS / PARTIAL rollback receipt. Your undo button — with honest limits.
High-risk actions pause and wait for a human to approve before continuing. Signed email link, one-time-use, auto-expire. See how it works ↑
Browse, filter, and verify your agent receipts locally. Run enact-ui for a local web UI with signature verification. Ships with pip install enact-sdk. See the UI ↑
Pre-built policy sets for your industry — FinTech (no trading outside market hours, PII in transit controls), Healthcare (HIPAA field protection, PHI access audit), DevOps (prod deploy gates, blast-radius limits). Install, tune, done.
Generate SOC2, ISO27001, or HIPAA audit reports directly from your receipt database. Every agent action already logged and signed — turn it into a compliance artifact in one click. Hand it to your auditor, not your engineers.
Learn your agents' normal behavior. Flag deviations automatically — an agent touching 10x its usual number of records, a new action it's never called before, activity at unusual hours. Catch the subtle stuff before it becomes a postmortem.
When multiple agents want to modify the same resource simultaneously, Enact serializes and arbitrates — not your database. Define merge strategies, conflict policies, and priority rules. Your agents stop stepping on each other.
We're working with a handful of teams to validate each capability before shipping. Tell us which one you need most.
The Kiro outage cost millions. The Replit deletion was career-limiting. Preventing one incident pays for Enact for years.