Your infrastructure. Your credentials. Your control.
Cora runs on your hardware, uses your credentials, and keeps your data inside your perimeter. Security architecture built for autonomous AI employees. Not a SaaS checkbox.
How we secure every deployment
Six principles that govern how every Cora operates. No exceptions.
Customer-owned
You own the hardware, credentials, and data. We deploy software and manage operations. No vendor lock-in, no data leaving your perimeter.
Three-tier approval
Every action classified by risk level. Reads run freely. Updates require soft confirmation. Sends and deletes need hard approval.
Progressive autonomy
Tightest boundaries from day one. Scope expands only after 100+ outputs reviewed with zero corrections needed.
Human oversight
Approval gates on irreversible actions. Uncertain states halt execution. Humans stay in the loop on what matters.
Full visibility
Real-time execution logs. Daily automated security reviews. Every action traceable, attributable, and exportable.
AI-native defense
Purpose-built controls against prompt injection, tool misuse, and model manipulation. Not retrofitted SaaS security.
Risk-tiered action control
Every action Cora takes is classified by risk level and matched to an appropriate approval gate.
Read
Search emails, read documents, check calendars, gather data, analyze content.
No approval needed
Update
Move files, update spreadsheets, modify records, organize data, edit documents.
Soft confirmation
Act
Send emails, post messages, delete records, publish content, external communications.
Hard approval required
How tiers work
- You define which actions belong to which tier
- Approval requirements enforced at the system level, not by policy alone
- Actions can graduate between tiers as trust builds
- Tier assignments are documented and auditable
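The gate below is an added example of how the tier model can be enforced in the runtime rather than in the prompt; it is illustrative code, not Cora's implementation. The tool names, the tier map and the approval-token scheme (an approval bound to a hash of the exact call and consumed on use) are assumptions made for the example.

```python
"""Risk-tiered tool-call gate: sits between the model's proposed call and the
tool dispatcher so the approval requirement is enforced by the runtime, not by
a prompt. Added example, not Cora's own code; the tool names, tier map and
approval-token scheme are assumptions made for illustration."""
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    READ = "read"      # runs freely
    UPDATE = "update"  # soft confirmation: the user has acknowledged the plan
    ACT = "act"        # hard approval bound to this exact call, or graduated


# Customer-defined tier assignments (assumed). A tool with no entry is denied.
TIER_MAP = {
    "search_email": Tier.READ,
    "read_document": Tier.READ,
    "update_spreadsheet": Tier.UPDATE,
    "move_file": Tier.UPDATE,
    "send_email": Tier.ACT,
    "delete_record": Tier.ACT,
}


@dataclass
class ToolCall:
    name: str
    args: dict

    def fingerprint(self) -> str:
        # Canonical hash of tool plus arguments. An approval is bound to this
        # value, so approving "send to alice" cannot be replayed to send to bob.
        payload = json.dumps({"name": self.name, "args": self.args}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class ApprovalState:
    soft_confirmed: bool = False                       # plan acknowledged by the user
    hard_approvals: set = field(default_factory=set)   # fingerprints a human approved
    graduated: set = field(default_factory=set)        # act tools promoted after review


def decide(call: ToolCall, state: ApprovalState) -> str:
    """Return 'allow', 'needs_soft_confirmation', 'needs_hard_approval' or 'deny'."""
    tier = TIER_MAP.get(call.name)
    if tier is None:
        return "deny"  # default deny: no tier assignment, no execution
    if tier is Tier.READ:
        return "allow"
    if tier is Tier.UPDATE:
        return "allow" if state.soft_confirmed else "needs_soft_confirmation"
    if call.name in state.graduated or call.fingerprint() in state.hard_approvals:
        return "allow"
    return "needs_hard_approval"


def dispatch(call: ToolCall, state: ApprovalState, tools: dict):
    """The only path to the tool table; the model never reaches it directly."""
    verdict = decide(call, state)
    if verdict != "allow":
        return verdict, None
    result = tools[call.name](**call.args)
    state.hard_approvals.discard(call.fingerprint())  # approvals are single-use
    return verdict, result
```

Two details matter more than the tier table itself: a tool with no tier entry is denied rather than treated as a read, and a hard approval is bound to the fingerprint of one specific call and discarded once used, so an approval granted for one message cannot be reused to send a different one.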
Earned trust, not assumed access
Cora starts in the tightest possible configuration. Expansion is earned through demonstrated reliability.
Month one: all external-facing actions require manual approval. Sensitive systems are accessed only through bridge mechanisms. No admin access to any system, ever. Scope increases only after consistent accuracy across hundreds of reviewed outputs.
Expansion criteria
- 100+ outputs manually reviewed with zero corrections before any action graduates to auto-send
- Each new system integration discussed and approved by client before configuration
- Access boundaries widen incrementally, one system at a time
- All expansion decisions documented and reversible
Identity and credential isolation
Dedicated AI identities with scoped, auditable permissions. It never shares human accounts.
Cora operates under its own dedicated accounts and credentials, completely separate from your team's identities. You define which systems it accesses, what actions are allowed, and where approval gates apply. Human MFA is preserved, not bypassed.
What this means for you
- Dedicated service accounts, never shared human credentials
- Granular permission scoping per integration
- MFA preserved on all connected systems
- No admin access granted to any system
Intermediary access layers
Sensitive systems accessed through bridge mechanisms, never direct connections.
Cora doesn't get full access to your CRM, inbox, or file system. It operates through scoped intermediaries: shared folders instead of full Drive access, staging spreadsheets instead of direct database writes, dedicated API endpoints with limited permissions.
What this means for you
- Shared folders instead of full Drive access
- Staging spreadsheets instead of direct CRM writes
- Scoped API endpoints per integration
- Blast radius contained even if a session is compromised
Defenses built for AI threats
Traditional security covers networks and identities. AI employees face a different attack surface.
Autonomous agents face attacks that traditional endpoint security doesn't address: malicious instructions hidden in emails, prompt injection through web content, tool exploitation through crafted inputs. Cora includes purpose-built defenses for each vector.
What this means for you
- Prompt injection detection across all input channels
- Tool call validation against configured allowlists
- Output filtering and sensitive data redaction before external actions
- Managed model versions with no arbitrary endpoint overrides
- Input sanitization on all ingested content
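As an added example (not Cora's code) of what tool-call validation against configured allowlists and output redaction before an external action can look like inside the gateway: the recipient and host allowlists, the argument shapes of the hypothetical send_email and fetch_url tools, and the secret patterns are all assumptions chosen for illustration.

```python
"""Allowlist validation and output redaction for act-tier tool calls.
Added example, not Cora's own code. The allowlists, tool argument shapes and
redaction patterns are assumptions chosen for illustration."""
import re
from urllib.parse import urlparse

# Constructed allowlists: where the agent may send mail and fetch data from.
ALLOWED_EMAIL_DOMAINS = {"example.com", "partner.example.org"}
ALLOWED_FETCH_HOSTS = {"api.example.com"}

# Constructed secret patterns. Card numbers are only redacted if they pass Luhn,
# which keeps order numbers and ticket ids from being blanked out.
SECRET_PATTERNS = [
    ("PRIVATE_KEY", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("BEARER", re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{20,}")),
]
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, list[str]]:
    """Replace secrets with a typed placeholder; return the clean text and what fired."""
    findings = []
    for name, pattern in SECRET_PATTERNS:
        text, n = pattern.subn(f"[REDACTED:{name}]", text)
        if n:
            findings.append(name)

    def card_sub(m):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings.append("CARD")
            return "[REDACTED:CARD]"
        return m.group(0)

    text = CARD_RE.sub(card_sub, text)
    return text, findings


def check_outbound(tool: str, args: dict) -> dict:
    """Validate an act-tier call's arguments and sanitise its content before dispatch."""
    problems, findings, clean = [], [], dict(args)
    if tool == "send_email":
        for field in ("to", "cc", "bcc"):
            for addr in args.get(field, []):
                domain = addr.rpartition("@")[2].lower()
                if domain not in ALLOWED_EMAIL_DOMAINS:
                    problems.append(f"{field}: {addr} not in recipient allowlist")
        if re.search(r"[\r\n]", args.get("subject", "")):
            problems.append("subject contains a line break (header injection)")
        for field in ("subject", "body"):
            clean[field], hits = redact(args.get(field, ""))
            findings += hits
    elif tool == "fetch_url":
        u = urlparse(args.get("url", ""))
        if u.scheme != "https":
            problems.append(f"scheme {u.scheme!r} not allowed")
        if u.hostname not in ALLOWED_FETCH_HOSTS:  # hostname ignores userinfo tricks
            problems.append(f"host {u.hostname!r} not in fetch allowlist")
    else:
        problems.append(f"{tool!r} has no outbound validator; default deny")
    return {"ok": not problems, "problems": problems, "findings": findings, "args": clean}
```

Pattern matching on content is a weak signal on its own; the check that actually bounds the damage from an injected instruction is the allowlist on where the action can go, which is why it runs on the call's arguments regardless of what the model's reasoning said.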
Hardened runtime environment
AI employees run in sandboxed, monitored environments on secure infrastructure.
Every deployment runs on hardened AWS infrastructure through our ISV partnership. OS-level sandboxing restricts file system and network access. Every environment is treated as a managed corporate endpoint.
What this means for you
- Securely hosted on AWS infrastructure through our ISV partnership
- Full disk encryption standard
- Restricted file system and network access
- Continuously patched and monitored
- Managed as corporate endpoints under your MDM
Network boundaries and data controls
Restricted connectivity, minimized data exposure, and customer-controlled AI providers.
Outbound connectivity is restricted to approved destinations. Traffic is routable through your proxies and DNS filters. Data is minimized to task requirements. You choose the AI provider, control data retention, and set token spend budgets.
What this means for you
- Outbound restricted to approved destinations
- Compatible with corporate proxies and DNS filtering
- You choose the AI provider and control data retention
- Token spend monitoring and budget controls
- Data minimized to current task requirements
Observability and automated audits
Every action logged. Daily automated reviews. Full audit trail for compliance.
Every Cora produces detailed execution records: inputs, decisions, tools invoked, outputs, and outcomes. Daily automated security reviews check for anomalous patterns, configuration drift, and unauthorized access attempts. All logs are structured, exportable, and compatible with your SIEM.
What this means for you
- Real-time execution visibility
- Daily automated security reviews
- Structured, SIEM-compatible logs
- Session metrics: token usage, action counts, approval rates
- Supports compliance reviews and external audits
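An added example, not Cora's own review tooling, of the kind of daily automated check that can run over structured execution logs: the JSONL schema, the sample records and the burst threshold are constructed for illustration. It flags calls to tools outside the configured tier map, act-tier actions that ran with no approval on record, and bursts of external actions, and computes the per-session metrics listed above.

```python
"""Daily automated review over structured agent execution logs.
Added example, not Cora's own tooling. The JSONL schema, sample records and
thresholds below are constructed for illustration."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per gated tool call. In this schema an
# allowed act-tier call must carry the id of the approval that authorised it.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:01Z","session":"s1","tool":"search_email","tier":"read","verdict":"allow","approval_ref":null,"tokens":310}
{"ts":"2024-05-01T08:00:04Z","session":"s1","tool":"send_email","tier":"act","verdict":"needs_hard_approval","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T08:02:10Z","session":"s1","tool":"send_email","tier":"act","verdict":"allow","approval_ref":"apr-77","tokens":220}
{"ts":"2024-05-01T09:10:00Z","session":"s2","tool":"drop_table","tier":null,"verdict":"deny","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T09:10:03Z","session":"s2","tool":"delete_record","tier":"act","verdict":"allow","approval_ref":null,"tokens":150}
{"ts":"2024-05-01T11:00:00Z","session":"s3","tool":"send_email","tier":"act","verdict":"needs_hard_approval","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T11:00:30Z","session":"s3","tool":"send_email","tier":"act","verdict":"allow","approval_ref":"apr-80","tokens":100}
{"ts":"2024-05-01T11:01:00Z","session":"s3","tool":"send_email","tier":"act","verdict":"needs_hard_approval","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T11:01:30Z","session":"s3","tool":"send_email","tier":"act","verdict":"allow","approval_ref":"apr-81","tokens":100}
{"ts":"2024-05-01T11:02:00Z","session":"s3","tool":"send_email","tier":"act","verdict":"needs_hard_approval","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T11:02:30Z","session":"s3","tool":"send_email","tier":"act","verdict":"allow","approval_ref":"apr-82","tokens":100}
{"ts":"2024-05-01T11:03:00Z","session":"s3","tool":"send_email","tier":"act","verdict":"needs_hard_approval","approval_ref":null,"tokens":0}
{"ts":"2024-05-01T11:03:30Z","session":"s3","tool":"send_email","tier":"act","verdict":"allow","approval_ref":"apr-83","tokens":100}
"""


def parse_log(lines):
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def daily_review(lines, act_burst_threshold: int = 4) -> dict:
    """Return anomaly findings plus per-session metrics, ready to ship to a SIEM."""
    findings = []
    sessions = defaultdict(lambda: {"actions": 0, "tokens": 0,
                                    "act_requested": 0, "act_approved": 0})
    for rec in parse_log(lines):
        m = sessions[rec["session"]]
        m["actions"] += 1
        m["tokens"] += rec.get("tokens", 0)
        if rec["verdict"] == "deny":
            # A call to a tool with no tier assignment: a misuse attempt or a
            # tool the model made up; either way it gets a human look.
            findings.append({"type": "unknown_tool_attempt", "session": rec["session"],
                             "tool": rec["tool"], "ts": rec["ts"]})
        if rec["tier"] == "act":
            if rec["verdict"] == "needs_hard_approval":
                m["act_requested"] += 1
            elif rec["verdict"] == "allow":
                if rec.get("approval_ref"):
                    m["act_approved"] += 1
                else:
                    # Gate invariant violated: an act-tier call ran with no
                    # approval on record. Treat as drift or a bypass.
                    findings.append({"type": "act_without_approval", "session": rec["session"],
                                     "tool": rec["tool"], "ts": rec["ts"]})
    for sid, m in sessions.items():
        m["approval_rate"] = (m["act_approved"] / m["act_requested"]
                              if m["act_requested"] else None)
        if m["act_approved"] >= act_burst_threshold:
            # Many approved external actions in one session: not necessarily
            # wrong, but outside the expected rhythm and worth confirming.
            findings.append({"type": "act_burst", "session": sid, "count": m["act_approved"]})
    return {"findings": findings, "sessions": dict(sessions)}


def to_siem_lines(review: dict) -> list:
    """One JSON object per finding, flat enough for any log pipeline to index."""
    return [json.dumps({"event_type": "agent_daily_review", **f}, sort_keys=True)
            for f in review["findings"]]
```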
Incident response and recovery
Defined protocols for security events. Fast isolation. Proactive vulnerability tracking.
When a security event occurs, response follows a defined protocol: immediate agent isolation without data loss, root cause analysis, remediation, and post-incident rule updates. We actively track vulnerabilities in the agentic platform ecosystem and patch proactively, before exploits reach production.
What this means for you
- Immediate agent isolation capability
- Proactive vulnerability tracking for agentic platforms
- Post-incident review and rule updates
- Rollback paths always available
- External vulnerability disclosure monitoring
Updates and change management
Staged, documented, and reversible changes.
AI systems evolve quickly. Updates are staged, tested, and documented. Behavior changes are visible and reversible. You always know what changed and why.
What this means for you
- No surprise behavior changes
- Rollback paths always available
- Full changelog for every update
Framework and compliance alignment
Our controls map to frameworks built for AI systems, not just traditional IT security checklists.
We map controls to AI-specific standards, not just traditional security frameworks. Detailed framework mapping available during security walkthroughs.
Request a security walkthrough
We provide architecture reviews, framework mapping, and live demonstrations of security controls. Your security team gets full visibility before deployment.