Overview
Kevros AI Governance Gateway enforces verifiable governance on every AI agent decision before execution.
Autonomous AI agents are making high-stakes decisions at machine speed. Compliance infrastructure built for human-paced workflows cannot keep up. Kevros closes that gap. Every agent action receives a signed ALLOW, CONSTRAIN, or DENY verdict before it executes. Use cases include agent-initiated trade workflows, automated claims handling, industrial control supervision, and payment authorization. If governance is unreachable, execution halts. No exceptions. No silent failures.
Deploys inside your AWS account using AWS CloudFormation, Amazon ECS on AWS Fargate, Application Load Balancer, Amazon EFS, AWS Secrets Manager, and Amazon CloudWatch. Customer data and signing keys are not transmitted outside your account by default.
Six-Layer Formal Verification Kevros is the only AI governance offering on AWS Marketplace with end-to-end formal verification of the enforcement kernel. Six independent verification layers spanning model checking, SMT proofs, bounded checks, runtime assertions, cross-language vector regression, and interactive theorem proving collectively explore 1.94 billion system states and produce 71 SMT proofs and 20 mechanically-checked theorems with zero counterexamples and zero unproven assumptions.
Why Kevros Tamper-evident provenance ledger. Every governance decision is recorded in a hash-chained, append-only ledger on Amazon EFS. Auditors verify chain integrity using the published verifier specification.
Fail-closed architecture. Governance unavailability triggers automatic execution blocking. Agents cannot circumvent oversight under any failure condition. Dual-lane post-quantum signatures. ML-DSA-87 (FIPS 204) anchors every 100-record block of the hash-chained ledger. SLH-DSA-SHA2-256f (FIPS 205) provides the off-chain co-signing lane on settlement-class events. Quantum-resistant from day one.
Tier-conditioned rate limiting. Per-tier API Gateway UsagePlan throttling at the publisher edge. Free Trial 5 requests per second; Starter 25; Professional 50; Enterprise 200.
ML behavioral drift detection. Latency-drift and semantic-drift monitors flag anomalous agent behavior before violations materialize. CloudWatch and CEF observability. Container metrics and governance events surface in CloudWatch dashboards. CEF-formatted syslog export for any CEF-capable collector.
Built for AWS Deploys via AWS CloudFormation as a customer-side stack. Talon classifier inference runs in the TaskHawk publisher account; classifier weights never enter the customer image. Image is signed with cosign against an AWS KMS key; signatures verify against the publisher KMS public key.
Compliance-Aligned Evidence Generates evidence designed to support governance reviews under NIST AI RMF, EU AI Act risk classification (Annex III), and SOC 2 control families. Hash-chained decision records, post-quantum-signed block roots, and certifier-grade evidence bundles in auditor-ready format. Kevros provides verifiable technical evidence; it does not replace your compliance program, risk assessment obligations, or legal determinations.
Plans Free Trial. $0 per month. 1,000 calls. Hash-chained evidence. Starter. $499 per month. 100,000 calls. Production capacity. Professional. $1,499 per month. 1,000,000 calls. Adds ML drift plus dual-lane post-quantum signing. Enterprise. $4,999 per month. 5M inclusive calls plus AWS Marketplace metered overage. Adds fleet drift, CEF syslog export, evidence bundles.
Click Continue to Subscribe to deploy in your AWS account. Typical deployment under 20 minutes.
Highlights
- Six-layer formal verification: 1.94B states, 71 proofs, 0 sorry. Zero property violations.
- Dual-lane post-quantum signing: ML-DSA-87 (FIPS 204) and SLH-DSA-SHA2-256f (FIPS 205) on every record.
- Hash-chained evidence on Amazon EFS. Fail-closed architecture. Deploys in your AWS account.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Dimension | Description | Cost/month |
|---|---|---|
Free Trial | Evaluation tier with 1,000 included governance calls per month, hash-chained evidence ledger, signed release tokens. | $0.00 |
Starter | Production tier with 100,000 included governance calls per month, 25 req/sec rate limit, multi-protocol agent access (REST, MCP). | $499.00 |
Professional | Production tier with 1,000,000 included governance calls per month, ML behavioral drift detection, dual-lane post-quantum signing (ML-DSA-87 + SLH-DSA-SHA2-256f), 50 req/sec rate limit. | $1,499.00 |
Enterprise | Production tier with 5,000,000 included governance calls per month, fleet-level drift monitoring, CEF-formatted syslog export, certifier-grade compliance evidence bundles, 200 req/sec rate limit. | $4,999.00 |
Vendor refund policy
TaskHawk Systems, LLC subscription fees are non-refundable, except as required by applicable law. AWS Marketplace subscriptions are also subject to AWS Marketplace refund policies. To request a refund or discuss billing concerns, contact support@taskhawktech.com . We will respond within 2 business days. For full terms, see https://taskhawktech.com/terms .
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Container image (ECS + EKS)
- Amazon ECS
- Amazon EKS
- Amazon ECS Anywhere
- Amazon EKS Anywhere
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
v4.6.3 strengthens runtime evidence, deployment integrity, and enterprise auditability for Kevros AI Governance Gateway.
What changed:
-
Adds an optional delegated-authority witness path for Enterprise deployments. When configured, selected governance audit records can be written to an append-only witness stream for independent verification workflows.
-
Strengthens evidence durability for governance decisions, including hash-chained provenance records, signed verdicts, release-token verification, and evidence-bundle retrieval.
-
Rebuilds the AWS Marketplace package against immutable image digest sha256:a0ee566eaf0a10b6060f74fe5b595551a5c10d21dedcb8f69e641ce8a942c5fe.
-
Updates CloudFormation templates for ECS and EKS deployments with digest-pinned image references and safer runtime defaults.
-
Preserves AWS Marketplace entitlement resolution, tier limits, billing dimensions, A2A delivery, MCP delivery, and AgentCore Runtime compatibility from v4.6.2.
Compatibility: no breaking changes to the A2A API, MCP tool list, product code, entitlement model, tier limits, or billing dimensions. Existing v4.6.2 customers can move to v4.6.3 by updating the image reference or redeploying with the v4.6.3 Marketplace templates.
Additional details
Usage instructions
DEPLOYMENT (Typical: 15 to 20 minutes)
Recommended path: deploy with the v4.6.3 AWS CloudFormation templates attached to this Marketplace version. The reference deployment provisions Amazon ECS on AWS Fargate, an Application Load Balancer, Amazon EFS for the provenance ledger, AWS Secrets Manager for runtime secrets, AWS KMS for evidence-bundle encryption, and Amazon CloudWatch for operational visibility.
Runtime image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/taskhawk-systems/kevros-a2a-gateway:4.6.3-daa-2fe4e7b
Release digest: sha256:a0ee566eaf0a10b6060f74fe5b595551a5c10d21dedcb8f69e641ce8a942c5fe
After subscribing, select the deployment template for your plan: Free Trial, Starter, Professional, or Enterprise. The templates use digest-pinned image references and configure the AWS Marketplace product code required for entitlement checks.
Verify deployment health: curl https://<your-gateway-host>/health
Expected response: HTTP 200 {"status":"healthy"}
Submit a governance request: POST https://<your-gateway-host>/governance/verify
Body: {"agent_id":"<callerId>","action_type":"<type>","action_payload":{...}}
Expected response: A signed ALLOW, CONSTRAIN, or DENY decision with a release token and verification_id.
Retrieve an evidence bundle: POST https://<your-gateway-host>/governance/bundle
Runtime evidence: Kevros records governance decisions as hash-chained provenance records and supports evidence-bundle retrieval for audit windows. Enterprise deployments can optionally enable a witness path for selected governance audit records when customer-managed private infrastructure is configured.
Tier features:
- Free Trial: 1,000 governance calls per month, 5 req/sec
- Starter: 100,000 governance calls per month, 25 req/sec
- Professional: 1,000,000 governance calls per month, 50 req/sec, ML behavioral drift detection, post-quantum signing
- Enterprise: 5,000,000 governance calls per month, 200 req/sec, fleet drift monitoring, CEF syslog export, evidence bundles, optional witness integration
Documentation: https://www.taskhawktech.com/developers Product overview: https://www.taskhawktech.com/platform Support: support@taskhawktech.com Security disclosures: security@taskhawktech.com
Resources
Vendor resources
Support
Vendor support
Support is provided directly by TaskHawk Systems, LLC.
Contact
Email: support@taskhawktech.com Web: https://www.taskhawktech.com/company Documentation: https://www.taskhawktech.com/developers
Response Times
Free Trial: best-effort, business hours (Monday through Friday, 9:00 AM to 5:00 PM US Eastern), 2 business day response. Starter: 1 business day response on technical issues. Professional: 8 business hours response on technical issues; 4 business hours on production-impacting issues. Enterprise: priority support; 4 business hours response on technical issues; 1 business hour on production-impacting issues.
Scope of Support
Deployment assistance for the AWS CloudFormation stack, configuration of governance policies, integration support for REST and MCP agent endpoints, troubleshooting of Kevros runtime behavior, and guidance on evidence ledger verification.
Customers are responsible for their own AWS account configuration, IAM permissions, network connectivity, and AWS service costs (Amazon ECS on AWS Fargate, Amazon EFS, Application Load Balancer, AWS Secrets Manager, Amazon CloudWatch). AWS service issues are routed to AWS Support per your AWS Support plan.
Security incident reporting: security@taskhawktech.com or follow the disclosure process at
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.