Cerbos + Aperture by Tailscale

AI Agent Access Control

Aperture by Tailscale shows what your AI agents are doing. Cerbos controls what they're allowed to do.

Visibility

See every agent action across your organization

Control

Allow or deny tool calls based on identity and policy

No code changes

Policies enforced at the gateway, independent of agent code

Supported agents

Works with the tools your team already uses

Claude Code

Enforce policies on tool calls from Claude Code sessions.

OpenAI Codex

Control what OpenAI Codex agents can access in your environment.

Gemini CLI

Apply access rules to Gemini CLI agent operations.

Azure AI Agents

Authorize tool calls from Azure AI Agent Service deployments.

Amazon Bedrock

Enforce least privilege on Bedrock agent actions and tool use.

DeepSeek

Apply authorization policies to DeepSeek model tool calls.

Mistral AI

Control agent access for Mistral-powered workflows and tool use.

Groq

Enforce policies on tool calls from Groq-hosted models.

xAI Grok

Apply access rules to xAI Grok agent operations.

MCP Servers

Authorize tool calls across any MCP-compatible server integration.

Custom agents

Any agent framework that supports a custom base URL.

Self-hosted models

Apply the same policy controls to internally hosted LLMs.

What you get

Zero Trust security for AI Agents

1

See every agent action

Aperture tracks which agents are running and which tools they invoke. Cerbos shows what was allowed, denied, and why.

2

Tie actions to identities

Tailscale's identity layer associates every request with a user or machine. Audit logs trace each decision back to who initiated it.

3

Enforce least privilege access

Cerbos policies determine which tools an agent can invoke, based on the identity, role, and environment. Allow or deny, per request.

4

Update without redeployment

Policies are defined externally. When requirements change, update the policy. No code changes. No downtime.

AI agent security

Zero Trust

RBAC

ABAC

Policy-as-code

Least privilege

Audit logs

Tool call authorization

Coding agent controls

MCP security

SOC 2

HIPAA

Control your coding agents

Cerbos policies determine which tool calls proceed and which are blocked. Decisions are deterministic, auditable, and independent of agent code.

Block or allow specific tool calls

Define which tools an agent can invoke based on who launched it, what role they hold, or what environment it is running in. Policies determine what is permitted.

Different rules for different identities

A senior engineer's agent and a CI pipeline's agent do not need the same permissions. Cerbos evaluates each request against the policies that apply to that identity.

No changes to agent code

Policies are defined externally and enforced at the gateway. No SDK to add, no configuration to embed. The agent does not need to know about Cerbos.

Update policies without redeployment

When a new model is approved, a tool is restricted, or a team's permissions change, update the policy. No redeployment. No downtime.

Visibility

Visibility for your LLM usage

Aperture and Cerbos each surface a different layer of agent activity. Together, they show what is happening and whether the policy allowed it.

Agent activity across both platforms

Aperture tracks which agents are running, which models they call, and which tools they invoke. Cerbos shows what was allowed, what was denied, and which policy produced the decision.

Usage analytics and policy decisions

Aperture provides usage reporting — tokens, requests, tool calls by user. Cerbos provides authorization reporting — what happened, and whether the policy permitted it.

Every action tied to an identity

Tailscale's identity layer means every request is associated with a specific user or machine. Audit logs trace each tool call back to who initiated it and what the policy decision was.

From observation to enforcement

Understanding what agents do is the prerequisite for deciding what they should be allowed to do. Start with visibility. Add enforcement when ready.

How it works

From connection to enforcement

1

Agents route through Aperture

AI coding agents connect through the Aperture gateway on your Tailscale network. Aperture identifies who initiated the request and which agent is acting.

2

Activity appears on both dashboards

Aperture shows agent usage, tokens, and tool calls across your organization. Cerbos shows which actions were allowed, which were denied, and which policy applied.

3

Cerbos returns allow or deny

When an agent invokes a tool, Cerbos evaluates the action against your authorization policies. Permitted requests proceed. Denied requests are blocked.

Agent routes through Aperture to Cerbos, which returns allow or deny

Set up agent access control

Connect Cerbos to your Aperture deployment. Policies apply immediately.

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.