Layer comparison
In-process governance is necessary. It is not the fleet control plane.
MeshGuard is complementary to in-process libraries. Use AGT or another policy enforcement point (PEP) inside the agent, then delegate production operations to a neutral control plane.
| Capability | In-process governance | MeshGuard control plane |
|---|---|---|
| Policy enforcement point | AGT, framework adapter, or custom code | Uses any PEP as a client |
| Policy decision point | Local process or local YAML | Tenant-scoped remote PDP with audit and SLOs |
| Human identity | Out of scope | SSO, SCIM, RBAC, JIT, break-glass audit |
| Audit | Process-local emission | Tamper-evident tenant stream with export and SIEM egress |
| Deployment | Where the agent runs | SaaS, dedicated, customer cloud, sovereign, self-hosted, air-gapped |
| Federation | Out of scope | Cross-tenant trust and linked audit evidence |