FirstOps
Governance for the agent runtime

The control plane
for AI agents at work.

FirstOps is 360° identity, access, and audit for the entire agent runtime: every MCP server, every tool call, every LLM call, every skill and subagent. So your security team can say yes to agents in production.

See the platform ↓
app.firstops.dev/home
FirstOps home: agent inventory, principals, access groups
40%
of enterprise apps will embed AI agents by 2026
Gartner
71%
of GenAI connections bypass identity and access management
Industry
97%
of AI security incidents lacked proper access controls
Industry
$670K
higher breach cost with high shadow-AI usage
IBM
§ 01 / THE RUNTIME, SURFACE BY SURFACE

Every action on the record.
Tied to a real identity.

Each surface gets its own console, all wired to the same policy engine and the same audit log.

01 / MCP SERVERS · The connection layer

Every agent connection, routed through one place.

MCP is how agents reach Notion, GitHub, Postgres, Stripe. We put a gateway in the middle. Credentials are brokered per request, so agents never see tokens. Your security team gets one list of every agent-to-system connection in the org.

  • Auto-discovers every MCP server already wired up on the machine
  • Per-call policy, scoped to a real principal
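The brokering flow above can be sketched in a few lines. This is a minimal illustration under stated assumptions: `POLICY`, `broker_token`, and `route_call` are hypothetical names, not the FirstOps API.

```python
# Hypothetical sketch of per-call policy + request-time credential brokering.
# POLICY, broker_token, and route_call are illustrative, not the FirstOps API.
import secrets

POLICY = {  # verdict per upstream MCP server
    "notion": "allow",
    "github": "allow",
    "postgres-prod": "deny",
    "stripe": "review",
}

def broker_token(server: str) -> str:
    """Mint a short-lived credential per request; the agent never holds it."""
    return f"tmp_{server}_{secrets.token_hex(4)}"

def route_call(principal: str, server: str) -> dict:
    verdict = POLICY.get(server, "deny")  # default-deny unknown servers
    entry = {"principal": principal, "server": server, "verdict": verdict}
    if verdict == "allow":
        entry["token"] = broker_token(server)  # injected by the gateway only
    return entry
```

Only an `allow` verdict mints a token, so a denied or unknown call never touches a credential.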
mcp-gateway · 13 servers routed
Outbound traffic, last 60s
notion · allow
github · allow
postgres-prod · deny
stripe · review
datadog · allow
aws-vault · deny
credentials · brokered at request time ◆ agent never sees raw tokens
02 / TOOL CALLS · The action layer

Every tool an agent invokes, inspected before it runs.

Read a file. Run a shell. Push to git. Install a package. Every one is a tool call, and every one can be the moment something goes wrong. We see every one, and we can stop the ones that shouldn't happen.

  • Zero agent code changes
  • Full session trace per principal
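The "inspected before it runs" step amounts to a verdict function evaluated ahead of every invocation. A minimal sketch, assuming a first-match-wins rule table (`RULES` and `inspect` are illustrative names, not shipped FirstOps policy syntax):

```python
# Illustrative pre-execution policy over tool calls; the rule table is an
# assumption, not shipped FirstOps policy syntax.
from fnmatch import fnmatch

RULES = [  # (scope, command pattern, verdict); first match wins
    ("shell", "rm -rf *",  "deny"),
    ("git",   "git push*", "review"),
    ("file",  "*",         "allow"),
    ("shell", "*",         "allow"),
]

def inspect(scope: str, command: str) -> str:
    """Return a verdict before the tool call runs."""
    for rule_scope, pattern, verdict in RULES:
        if scope == rule_scope and fnmatch(command, pattern):
            return verdict
    return "deny"  # anything unmatched is denied by default
```

A destructive shell command is stopped before execution; an unmatched scope falls through to default-deny.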
tool-calls · last 24h · 996 invocations · live

Scope   Tool          Count   Denied
file    read_file     247     -
file    write_file    89      2
shell   bash          412     18
net     fetch         156     4
pkg     pip install   32      5
pkg     npm install   48      1
git     git push      12      -
03 / LLM CALLS · The reasoning layer

Prompts and completions, scoped to a real identity.

The prompt is a database query now. It leaks PII, embeds credentials, carries customer names. We see every LLM call: tied to a real human principal, scrubbed on the way out, inspected on the way back.

  • Per-principal prompt + completion audit
  • Cost, latency, tokens, tied to one session trace
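"Scrubbed on the way out" can be pictured as a redaction pass over the outbound prompt. A minimal sketch: a single email regex stands in for a real PII detector, and the `scrub` name and count-logging behaviour are assumptions.

```python
# Sketch of outbound prompt scrubbing; a single email regex stands in for a
# real PII detector, and the function name is illustrative.
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def scrub(prompt: str) -> tuple[str, int]:
    """Redact PII before the prompt leaves the machine; return (text, count)."""
    scrubbed, n = EMAIL.subn("████████", prompt)
    return scrubbed, n  # n entities would be logged against the policy
```

The scrubbed text goes to the model; the entity count goes to the audit log, tied to the session trace.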
llm-calls · trace · ses_a9f31c · claude-sonnet-4.5
# principal
agent:customer-research-agent · acting-for jamie@acme.com
# prompt (redacted)
Summarize recent tickets for customer ████████ and flag anomalies.
↳ 1 PII entity scrubbed before send · policy:customer-pii
# metadata
tokens in: 4,218
tokens out: 612
latency: 1.84s
cost: $0.041
verdict: allow ◆ scrubbed
retention: 90d
04 / SKILLS & SUBAGENTS · The capability layer

Skills are the new npm packages.

A skill is a few hundred lines of instructions that silently expand an agent's capabilities. A subagent gets invoked without your approval. Most teams have no idea what's loaded in their agents' context. We classify every artifact (hash, prevalence, verdict) across your tenant.

  • Hash-based lineage across every skill and subagent
  • Prevalence per artifact: by agent, by machine, by team
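Hash-based lineage reduces to: hash the artifact content, record where each hash is loaded, and look the hash up against a quarantine list. A minimal sketch; `KNOWN_BAD`, `observe`, and the verdict labels are illustrative:

```python
# Sketch of hash-based lineage for skills and subagents; KNOWN_BAD and the
# verdict labels are illustrative, not FirstOps internals.
import hashlib
from collections import defaultdict

KNOWN_BAD: set[str] = set()    # hashes quarantined tenant-wide
prevalence = defaultdict(set)  # hash -> {(agent, machine), ...}

def artifact_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def observe(content: bytes, agent: str, machine: str) -> str:
    """Record where an artifact is loaded and return its verdict."""
    h = artifact_hash(content)
    prevalence[h].add((agent, machine))
    return "malicious" if h in KNOWN_BAD else "clean"
```

Because the key is the content hash, the same skill loaded on twelve machines rolls up to one row, and quarantining one hash quarantines every copy.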
skills & subagents · 247 seen · tenant-wide
pitch-deck-builder@1.2.0
3 agents · 2 machines
clean
office-hours@0.4.1
new · unverified publisher
doubtful
staff-engineer@2.0.0
12 agents · 8 machines
clean
gtm-strategy@0.1.0
prompt-injection · quarantined
malicious
devops-engineer@1.1.3
6 agents · 4 machines
clean
// AND
The console built around them.
Connections · Principals · Access Groups · Audit Log · Policy Editor · Session Replay · Fleet Rollout
§ 02 / ARCHITECTURE

One policy engine sits in front of the entire runtime.

One engine decides. One log records. Verdict-chasing becomes one query. Audit prep becomes one export, not a week of stitching logs.

CONTROL PLANE TOPOLOGY
AGENTS
claude-code
coding
cursor
coding
customer-research-agent
autonomous
data-analyst-agent
autonomous
ci-summarisation-agent
autonomous
FIRSTOPS CONTROL PLANE
Runtime · local · sub-ms
Bash, file I/O, package install, network, LLM calls, and the skills and subagents that load into context. Every action, scoped to a real principal, before it runs.
policy-engine
runtime
Principals
users + agents
Access Groups
RBAC
Policies
one engine, hot-reload
Audit
exportable to SIEM
MCP Gateway · proxied · <10ms
Every MCP call routes through FirstOps. Credentials brokered at request time. Agents never see raw tokens.
UPSTREAM
Notion
GitHub
Postgres (prod)
Stripe
AWS + Vault
STEP 01
Intercept
Every agent action is seen before it leaves the machine.
STEP 02
Identify
Principal + access group resolved. Agent ≠ user.
STEP 03
Decide
Policy engine runs. Allow, deny, scrub, escalate.
STEP 04
Record
Every decision audited. Exportable to your SIEM.
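The four steps above compose into one loop per action. A toy end-to-end sketch, assuming a simple principal string format and a one-rule policy (every name here is an assumption for illustration):

```python
# Sketch of the intercept -> identify -> decide -> record loop; the principal
# format and the verdict rule are assumptions for illustration.
AUDIT_LOG: list[dict] = []

def identify(raw_principal: str) -> dict:
    """Step 02: resolve agent vs. user (agent != user)."""
    agent, _, user = raw_principal.partition(" acting-for ")
    return {"agent": agent, "user": user or None}

def decide(action: str) -> str:
    """Step 03: a toy policy; deny anything touching prod."""
    return "deny" if action.startswith("prod:") else "allow"

def handle(raw_principal: str, action: str) -> str:
    """Step 01 is the intercept hook that calls this for every action."""
    who = identify(raw_principal)                                    # step 02
    verdict = decide(action)                                         # step 03
    AUDIT_LOG.append({**who, "action": action, "verdict": verdict})  # step 04
    return verdict
```

Note that step 04 records the deny as well as the allow: the audit log is a log of decisions, not just of actions that ran.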
// WORKS WITH
CODING AGENTS — native
Claude Code
Cursor
Windsurf
Cline
Aider
AUTONOMOUS AGENTS — via SDK
LangGraph · Claude Agent SDK · OpenAI Agents SDK · AutoGen · custom Python / Node
Works with any harness. A few lines of SDK and your agent writes to the same audit log as the coding agents on the left.
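"A few lines of SDK" could look like a decorator over each tool the agent exposes. This is a hypothetical surface, not the actual FirstOps SDK: the `audited` decorator name and the log shape are assumptions.

```python
# Hypothetical SDK surface: an audited() decorator that writes each tool call
# to the same audit log. The decorator name and log shape are assumptions.
AUDIT_LOG: list[dict] = []

def audited(principal: str):
    """Wrap an agent tool so every invocation is recorded for a principal."""
    def wrap(fn):
        def inner(*args, **kwargs):
            result = fn(*args, **kwargs)
            AUDIT_LOG.append({"principal": principal, "tool": fn.__name__})
            return result
        return inner
    return wrap

@audited("agent:data-analyst acting-for ops@acme.com")
def fetch_report(query: str) -> str:
    # Stand-in for a real tool on any harness (LangGraph, AutoGen, custom)
    return f"report for {query}"
```

Wrapping each tool function is all the integration there is; the harness calls the tool as usual and the audit entry lands alongside the coding agents' entries.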
§ 03 / WHY NOW

Your security team already knows what's missing.

They can't tell you which agents are connected to what. They can't tell you which tools those agents can call. They can't point an auditor at a log that maps every agent action to a real person. Here's what they told us.

Most things in tech aren't derived from something that was secure. It's usually: oh, this is neat. Then everyone uses it. Then: how do we make it safe?
Head of Security
Public SaaS, 1,200 engineers
CISOs will tell you: I don't know that the CSM just built a bot that now looks at our entire backend accidentally.
Ex-CISO, VC Operating Partner
On the visibility gap
Whether they're doing it today or not is irrelevant. If they do, are we prepared? Right now the answer is no.
Infra Engineer
Agent platform team
§ 04 / INSTALL

Ships with your MDM. Zero developer action.

Ship the FirstOps package through JumpCloud, Jamf, or Intune. Every coding agent on the device — Claude Code, Cursor, Windsurf, Cline, Aider — is covered on first boot. Nothing to set up, nothing to patch, no code change. Autonomous agents you build take a small SDK and write to the same audit log.

  • Deploys via JumpCloud, Jamf, Intune, Kandji — zero developer action
  • Small SDK for autonomous agents built on any harness
  • Auto-discovers MCP servers already wired up per machine
  • Policy evaluated locally, hot-reload in < 1s
# single-machine install — MDM rollout is zero-touch
fo :: zsh
GET STARTED

Say yes to agents in production.
With a security team that can.

Deploys through your MDM. See your agent runtime before your security team asks about it.

We reply within one business day. No demo bots. Read by a human.