Every AI agent action
decided before it executes.
CIM validates every agent action against its delegation contract before it reaches any system. In under 10ms. Fail-closed. Always.
How it works
Three steps. Every action. Every time.
Agent calls cim.decide()
Before any action — database query, API call, file write, tool invocation — the agent calls cim.decide() with the action context.
Gateway evaluates contract
CIM validates the action type, domain, spend, rate limits, and approval requirements against the agent’s active delegation contract. Sub-10ms.
Decision returned
If the gateway is unreachable, the action is DENIED. Always.
Delegation Contracts
Every agent gets a contract.
Every action checked against it.
A delegation contract defines exactly what each agent is authorised to do — which domains it can reach, which tools it can invoke, what it can spend, and which actions require human approval before proceeding.
Contracts are versioned, auditable, and enforced on every single action. No exceptions. No overrides without a new contract version approved by an Admin.
Four Decision Types
Every action gets one of four outcomes.
The action is within the agent’s contract. Execution proceeds immediately.
When: llm_call within rate limit, data_read on approved domain
The action violates the contract or policy. Execution is blocked. Logged immediately.
When: external_http to non-whitelisted domain, action_execution on Read Only contract
The action is allowed but output contains restricted content. PII or sensitive data is removed before delivery.
When: llm_call response contains customer email, NI number, or other PII matching policy rules
The action requires a human decision before execution. Paused until approved or denied in Central.
When: database write on Human in the Loop contract, high-spend action approaching monthly limit
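The contract check and fail-closed behaviour described above, as an added example (not Sunbeam's code or the CIM contract schema). The contract fields, the `evaluate` and `decide` helpers, the stand-in gateways and the ALLOW/DENY labels are assumptions made for illustration; the redaction outcome is not modelled.

```python
from dataclasses import dataclass, field
# Hypothetical contract shape and decision labels (assumptions, not the CIM schema).
@dataclass
class Contract:
    version: int
    actions: set
    domains: set
    monthly_spend_limit: float
    rate_limit_per_min: int
    approval_actions: set = field(default_factory=set)

@dataclass
class Usage:
    spent: float = 0.0
    calls_this_minute: int = 0

def evaluate(contract, usage, action, domain=None, cost=0.0):
    """Return (decision, reason); anything not explicitly permitted is denied."""
    if action not in contract.actions:
        return "DENY", "action type not in contract"
    # Exact host match only: suffix or substring matching would admit look-alikes.
    if domain is not None and domain.lower().rstrip(".") not in contract.domains:
        return "DENY", "domain not whitelisted"
    if usage.calls_this_minute >= contract.rate_limit_per_min:
        return "DENY", "rate limit exceeded"
    if usage.spent + cost > contract.monthly_spend_limit:
        return "DENY", "spend limit exceeded"
    if action in contract.approval_actions:
        return "REQUIRE_APPROVAL", "human approval required"
    return "ALLOW", f"within contract v{contract.version}"

def decide(gateway_call, **ctx):
    """Fail closed: a gateway error or malformed reply becomes DENY."""
    try:
        decision, reason = gateway_call(**ctx)
    except Exception as exc:  # unreachable, timeout, unparsable response
        return "DENY", f"gateway unavailable: {type(exc).__name__}"
    if decision not in {"ALLOW", "DENY", "REQUIRE_APPROVAL"}:
        return "DENY", "unrecognised decision"
    return decision, reason

# Constructed sample contract and two stand-in gateways for the demonstration.
CONTRACT = Contract(3, {"llm_call", "external_http", "db_write"},
                    {"api.example.com"}, 100.0, 60, {"db_write"})

def local_gateway(usage):
    return lambda **ctx: evaluate(CONTRACT, usage, **ctx)

def down_gateway(**ctx):
    raise ConnectionError("gateway unreachable")
```

The order of checks matters: approval is only requested for actions that already pass the type, domain, rate and spend checks, so a human is never asked to approve something the contract forbids outright.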
Integrate in Minutes
Works with how your agents are already built.
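    from sunbeam_cim import CIMAgent

    # One agent object per agent identity, pointed at the CIM gateway.
    agent = CIMAgent(
        gateway_url="http://localhost:8001",
        agent_id="my-agent-001",
        tenant_id="your-tenant-uuid",
    )

    # Ask the gateway for a decision before performing the action.
    decision = agent.check(
        "http_request",
        domain="api.example.com"
    )

    if decision.allowed:
        execute_request(...)  # the application's own action
    elif decision.result == "REQUIRE_APPROVAL":
        # Wait for a human decision; this await must run inside an async function.
        await human_approval(decision.approval_id)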
Put every agent action
under authority.
CIM is available for Enterprise customers. Talk to us about deployment.
Docker-based. Self-hosted. Air-gap friendly.