AI Development Governance

Every company will need an
approved AI agent catalogue.

Developers now install software that reads your source code, executes shell commands, holds cloud credentials, and reaches production: AI agents, MCP servers, coding assistants. Attest is the system of record for which of them are approved, and the signed evidence that reality matches the registry.

Book a two-week pilot Read the pilot guide $ pipx install vozern && attest --demo
OPEN-SOURCE scanner: verify what we collect SIGNED evidence, never inventories ZERO employee surveillance, by architecture

The problem

Security teams govern everything but this.

An AI agent or MCP server arrives through a config-file line or an app download, bypassing device management, dependency scanning, app-sec review, and procurement. It is the most powerful software a developer has ever been able to install, and most organizations cannot answer which ones are running. Each one can:

How it works

Policy flows down. Evidence flows up.
Raw data flows nowhere.

01 · WORKSTATION

Discover, locally

The open-source CLI inventories AI agents, MCP servers, AI extensions, and the unmanaged software layer they live in (Homebrew, npm, pipx, IDE extensions), matching advisories via OSV.dev. The full report stays on the device.

02 · ATTESTATION

Sign the evidence

Each scan produces a signed record: control outcomes, severity counts, and a hash that commits to the local report, verifiable by an auditor at the machine. You choose the disclosure tier. The inventory itself is never transmitted.

03 · CONTROL PLANE

Govern the fleet

Dashboards show posture per control, trends, stale devices, and the approval queue. One click approves a tool for a group; the fleet converges on the next scan. Evidence packs export for SOC 2, ISO 27001, NIST, and DORA.

The registry

The approved AI tool registry is the product.

Your organization declares which AI tools are approved. Every scan reconciles reality against that catalogue: unapproved tools become findings, accepted ones carry a documented owner, justification, and expiry. Continuous, not a pre-audit scramble.

Claude CodeApproved
CursorApproved
GitHub CopilotApproved
github (MCP)Approved
payments-db-tunnel (MCP)Unapproved
shadow-agent (CLI)Unapproved

Privacy

Evidence, not surveillance. The platform is architecturally unable to see source code, files, or activity, not merely promising not to look.

Raw inventory never leaves the developer's machine. What leaves, if you turn it on, is signed control evidence. The scanner is open source, so the claim is checkable, and the control plane's API has no endpoint that could receive an inventory. Read the security & privacy architecture →

Pricing

Start free. Pay when you govern a fleet.

Community

Free
forever · open source
  • Full CLI: discovery, advisories, policy
  • HTML / JSON / SARIF / PDF reports
  • All control frameworks
  • Community support (GitHub)

Team

$5
per device / month, billed annually
  • Control plane: dashboard, trends, alerts
  • Approved AI tool registry + approvals
  • Signed attestations & evidence packs
  • Device groups · webhook digests
  • Email support, 1-business-day response

Enterprise

Custom
annual agreement
  • SSO deployment & rollout assistance
  • Custom control frameworks
  • Audit-season support & named contact
  • Security review / DPIA support
  • Slack Connect, 4-business-hour response

Design-partner program: the first organizations get the Team tier free for 90 days in exchange for a weekly 30-minute feedback call and a reference conversation. Apply →

Get started

Two weeks to your first fleet evidence pack.

The pilot is deliberately small: five devices, one team, your real AI-tooling catalogue. By day 14 you have a dashboard your CISO can read and an evidence pack your auditor can file.

See the day-by-day pilot guide Talk to us