    Kevros AI Governance Gateway

    Deployed on AWS
    Cryptographic interlock for autonomous AI agents. Six-layer formally verified kernel issues a signed ALLOW, CONSTRAIN, or DENY verdict before any action executes. Hash-chained evidence. Fail-closed.

    Overview

    Kevros AI Governance Gateway enforces verifiable governance on every AI agent decision before execution.

    Autonomous AI agents are making high-stakes decisions at machine speed. Compliance infrastructure built for human-paced workflows cannot keep up. Kevros closes that gap. Every agent action receives a signed ALLOW, CONSTRAIN, or DENY verdict before it executes. Use cases include agent-initiated trade workflows, automated claims handling, industrial control supervision, and payment authorization. If governance is unreachable, execution halts. No exceptions. No silent failures.

    Deploys inside your AWS account using AWS CloudFormation, Amazon ECS on AWS Fargate, Application Load Balancer, Amazon EFS, AWS Secrets Manager, and Amazon CloudWatch. Customer data and signing keys are not transmitted outside your account by default.

    Six-Layer Formal Verification

    Kevros is the only AI governance offering on AWS Marketplace with end-to-end formal verification of the enforcement kernel. Six independent verification layers spanning model checking, SMT proofs, bounded checks, runtime assertions, cross-language vector regression, and interactive theorem proving collectively explore 1.94 billion system states and produce 71 SMT proofs and 20 mechanically-checked theorems with zero counterexamples and zero unproven assumptions.

    Why Kevros

    Tamper-evident provenance ledger. Every governance decision is recorded in a hash-chained, append-only ledger on Amazon EFS. Auditors verify chain integrity using the published verifier specification.

    Fail-closed architecture. Governance unavailability triggers automatic execution blocking. Agents cannot circumvent oversight under any failure condition.

    Dual-lane post-quantum signatures. ML-DSA-87 (FIPS 204) anchors every 100-record block of the hash-chained ledger. SLH-DSA-SHA2-256f (FIPS 205) provides the off-chain co-signing lane on settlement-class events. Quantum-resistant from day one.

    Tier-conditioned rate limiting. Per-tier API Gateway UsagePlan throttling at the publisher edge. Free Trial 5 requests per second; Starter 25; Professional 50; Enterprise 200.

    ML behavioral drift detection. Latency-drift and semantic-drift monitors flag anomalous agent behavior before violations materialize.

    CloudWatch and CEF observability. Container metrics and governance events surface in CloudWatch dashboards. CEF-formatted syslog export for any CEF-capable collector.

    Built for AWS

    Deploys via AWS CloudFormation as a customer-side stack. Talon classifier inference runs in the TaskHawk publisher account; classifier weights never enter the customer image. Image is signed with cosign against an AWS KMS key; signatures verify against the publisher KMS public key.

    Compliance-Aligned Evidence

    Generates evidence designed to support governance reviews under NIST AI RMF, EU AI Act risk classification (Annex III), and SOC 2 control families. Hash-chained decision records, post-quantum-signed block roots, and certifier-grade evidence bundles in auditor-ready format. Kevros provides verifiable technical evidence; it does not replace your compliance program, risk assessment obligations, or legal determinations.

    Plans

    • Free Trial. $0 per month. 1,000 calls. Hash-chained evidence.
    • Starter. $499 per month. 100,000 calls. Production capacity.
    • Professional. $1,499 per month. 1,000,000 calls. Adds ML drift plus dual-lane post-quantum signing.
    • Enterprise. $4,999 per month. 5M inclusive calls plus AWS Marketplace metered overage. Adds fleet drift, CEF syslog export, evidence bundles.

    Click Continue to Subscribe to deploy in your AWS account. Typical deployment under 20 minutes.

    Highlights

    • Six-layer formal verification: 1.94B states, 71 proofs, 0 sorry. Zero property violations.
    • Dual-lane post-quantum signing: ML-DSA-87 (FIPS 204) and SLH-DSA-SHA2-256f (FIPS 205) on every record.
    • Hash-chained evidence on Amazon EFS. Fail-closed architecture. Deploys in your AWS account.

    Details

    Delivery options

    • Container image (ECS + EKS)
    • A2A server on Amazon Bedrock AgentCore Runtime
    • MCP server on Amazon Bedrock AgentCore Runtime

    Operating system: Linux


    Pricing

    Kevros AI Governance Gateway

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    1-month contract (4)

    Dimension, description, and cost per month:

    • Free Trial ($0.00): Evaluation tier with 1,000 included governance calls per month, hash-chained evidence ledger, signed release tokens.
    • Starter ($499.00): Production tier with 100,000 included governance calls per month, 25 req/sec rate limit, multi-protocol agent access (REST, MCP).
    • Professional ($1,499.00): Production tier with 1,000,000 included governance calls per month, ML behavioral drift detection, dual-lane post-quantum signing (ML-DSA-87 + SLH-DSA-SHA2-256f), 50 req/sec rate limit.
    • Enterprise ($4,999.00): Production tier with 5,000,000 included governance calls per month, fleet-level drift monitoring, CEF-formatted syslog export, certifier-grade compliance evidence bundles, 200 req/sec rate limit.

    Vendor refund policy

    TaskHawk Systems, LLC subscription fees are non-refundable, except as required by applicable law. AWS Marketplace subscriptions are also subject to AWS Marketplace refund policies. To request a refund or discuss billing concerns, contact support@taskhawktech.com. We will respond within 2 business days. For full terms, see https://taskhawktech.com/terms.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Container image (ECS + EKS)

    Supported services:
    • Amazon ECS
    • Amazon EKS
    • Amazon ECS Anywhere
    • Amazon EKS Anywhere
    Version release notes

    v4.6.3 strengthens runtime evidence, deployment integrity, and enterprise auditability for Kevros AI Governance Gateway.

    What changed:

    • Adds an optional delegated-authority witness path for Enterprise deployments. When configured, selected governance audit records can be written to an append-only witness stream for independent verification workflows.

    • Strengthens evidence durability for governance decisions, including hash-chained provenance records, signed verdicts, release-token verification, and evidence-bundle retrieval.

    • Rebuilds the AWS Marketplace package against immutable image digest sha256:a0ee566eaf0a10b6060f74fe5b595551a5c10d21dedcb8f69e641ce8a942c5fe.

    • Updates CloudFormation templates for ECS and EKS deployments with digest-pinned image references and safer runtime defaults.

    • Preserves AWS Marketplace entitlement resolution, tier limits, billing dimensions, A2A delivery, MCP delivery, and AgentCore Runtime compatibility from v4.6.2.

    Compatibility: no breaking changes to the A2A API, MCP tool list, product code, entitlement model, tier limits, or billing dimensions. Existing v4.6.2 customers can move to v4.6.3 by updating the image reference or redeploying with the v4.6.3 Marketplace templates.

    Additional details

    Usage instructions

    DEPLOYMENT (Typical: 15 to 20 minutes)

    Recommended path: deploy with the v4.6.3 AWS CloudFormation templates attached to this Marketplace version. The reference deployment provisions Amazon ECS on AWS Fargate, an Application Load Balancer, Amazon EFS for the provenance ledger, AWS Secrets Manager for runtime secrets, AWS KMS for evidence-bundle encryption, and Amazon CloudWatch for operational visibility.

    Runtime image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/taskhawk-systems/kevros-a2a-gateway:4.6.3-daa-2fe4e7b

    Release digest: sha256:a0ee566eaf0a10b6060f74fe5b595551a5c10d21dedcb8f69e641ce8a942c5fe

    After subscribing, select the deployment template for your plan: Free Trial, Starter, Professional, or Enterprise. The templates use digest-pinned image references and configure the AWS Marketplace product code required for entitlement checks.
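As an added example (not TaskHawk's or AWS's code), this Python check audits an ECS task definition and confirms that every gateway container is pinned to the release digest published above, rather than referenced by tag alone. The sample task definition, its container names, and the function names are constructed for illustration.

```python
import re

# Repository and release digest as published on this listing for v4.6.3.
REPOSITORY = "709825985650.dkr.ecr.us-east-1.amazonaws.com/taskhawk-systems/kevros-a2a-gateway"
RELEASE_DIGEST = "sha256:a0ee566eaf0a10b6060f74fe5b595551a5c10d21dedcb8f69e641ce8a942c5fe"
_SHA256 = re.compile(r"sha256:[0-9a-f]{64}")


def check_image(ref, repository=REPOSITORY, digest=RELEASE_DIGEST):
    """Classify one image reference: pinned, tag-only, wrong-digest, malformed-digest, other-image."""
    name, _, pinned = ref.partition("@")
    # A tag is the part after ':' in the last path segment (a registry port sits before a '/').
    if ":" in name.rsplit("/", 1)[-1]:
        name = name[: name.rindex(":")]
    if name != repository:
        return "other-image"
    if not pinned:
        return "tag-only"  # mutable: the tag can later point at different content
    if not _SHA256.fullmatch(pinned):
        return "malformed-digest"
    return "pinned" if pinned == digest else "wrong-digest"


def audit_task_definition(task_def):
    """Map each container in an ECS task definition to its check_image() status."""
    return {c["name"]: check_image(c.get("image", ""))
            for c in task_def.get("containerDefinitions", [])}


def deployment_ok(task_def):
    """Fail closed: require at least one gateway container, and every gateway container pinned."""
    gateway = [s for s in audit_task_definition(task_def).values() if s != "other-image"]
    return bool(gateway) and all(s == "pinned" for s in gateway)


# Constructed sample task definition (container names are made up for this example).
SAMPLE = {"containerDefinitions": [
    {"name": "gateway", "image": f"{REPOSITORY}@{RELEASE_DIGEST}"},
    {"name": "gateway-by-tag", "image": f"{REPOSITORY}:4.6.3-daa-2fe4e7b"},
    {"name": "gateway-stale", "image": f"{REPOSITORY}:4.6.3-daa-2fe4e7b@sha256:{'0' * 64}"},
    {"name": "log-router", "image": "example.invalid:5000/log-router:1.0"},
]}

if __name__ == "__main__":
    for name, status in audit_task_definition(SAMPLE).items():
        print(f"{name:15} {status}")
    print("deployment_ok:", deployment_ok(SAMPLE))
```

A digest match shows which image content is referenced; it complements, and does not replace, verifying the cosign signature mentioned in the listing.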

    Verify deployment health: curl https://<your-gateway-host>/health

    Expected response: HTTP 200 {"status":"healthy"}

    Submit a governance request: POST https://<your-gateway-host>/governance/verify

    Body: {"agent_id":"<callerId>","action_type":"<type>","action_payload":{...}}

    Expected response: A signed ALLOW, CONSTRAIN, or DENY decision with a release token and verification_id.

    Retrieve an evidence bundle: POST https://<your-gateway-host>/governance/bundle

    Runtime evidence: Kevros records governance decisions as hash-chained provenance records and supports evidence-bundle retrieval for audit windows. Enterprise deployments can optionally enable a witness path for selected governance audit records when customer-managed private infrastructure is configured.

    Tier features:

    • Free Trial: 1,000 governance calls per month, 5 req/sec
    • Starter: 100,000 governance calls per month, 25 req/sec
    • Professional: 1,000,000 governance calls per month, 50 req/sec, ML behavioral drift detection, post-quantum signing
    • Enterprise: 5,000,000 governance calls per month, 200 req/sec, fleet drift monitoring, CEF syslog export, evidence bundles, optional witness integration

    Documentation: https://www.taskhawktech.com/developers
    Product overview: https://www.taskhawktech.com/platform
    Support: support@taskhawktech.com
    Security disclosures: security@taskhawktech.com

    Resources

    Support

    Vendor support

    Support is provided directly by TaskHawk Systems, LLC.

    Contact

    Email: support@taskhawktech.com
    Web: https://www.taskhawktech.com/company
    Documentation: https://www.taskhawktech.com/developers

    Response Times

    • Free Trial: best-effort, business hours (Monday through Friday, 9:00 AM to 5:00 PM US Eastern), 2 business day response.
    • Starter: 1 business day response on technical issues.
    • Professional: 8 business hours response on technical issues; 4 business hours on production-impacting issues.
    • Enterprise: priority support; 4 business hours response on technical issues; 1 business hour on production-impacting issues.

    Scope of Support

    Deployment assistance for the AWS CloudFormation stack, configuration of governance policies, integration support for REST and MCP agent endpoints, troubleshooting of Kevros runtime behavior, and guidance on evidence ledger verification.

    Customers are responsible for their own AWS account configuration, IAM permissions, network connectivity, and AWS service costs (Amazon ECS on AWS Fargate, Amazon EFS, Application Load Balancer, AWS Secrets Manager, Amazon CloudWatch). AWS service issues are routed to AWS Support per your AWS Support plan.

    Security incident reporting: security@taskhawktech.com  or follow the disclosure process at

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
