Tansive: A Secure, Controllable Platform for Independently Deploying AI Agents

2026/1/24
AI Summary (BLUF)

Tansive is a platform for securely running AI agents and tools on your own infrastructure with fine-grained policy enforcement, runtime controls, and tamper-evident audit logs. It enables developers and operations teams to deploy AI agents independently of external platforms while maintaining full visibility and control over agent actions, tool access, and data handling.

Introduction

As AI agents become integral to automating complex workflows, the challenge of managing their security, compliance, and operational integrity grows exponentially. These agents require access to sensitive data and critical systems, creating a significant attack surface and operational risk. Tansive addresses this challenge head-on by providing a platform to securely deploy, govern, and observe AI agents on your own infrastructure.

Core Value Proposition

Tansive enables organizations to harness the power of AI automation without compromising on security or control. It provides fine-grained policy enforcement, runtime security, and tamper-evident audit logs, all while allowing agents to operate within your existing network boundaries and leverage your preferred frameworks.

Key Problems Solved

  • Secure Integration: AI agents need context from many systems, but integrating securely across different APIs is challenging. Tansive provides rules-based access control at every interface.
  • Risk Amplification: Chained agent actions can turn small problems into major incidents. Tansive provides full execution graph visibility to trace and mitigate risks.
  • Operational Burden: Managing disparate agent deployments is complex. Tansive offers a unified, GitOps-friendly control plane for your existing infrastructure.
  • Compliance: Meeting regulatory requirements (SOC2, HIPAA, etc.) for AI systems is non-trivial. Tansive delivers policy-based control and auditable logs.

Key Concepts

Understanding Tansive's architecture begins with a few fundamental building blocks.

SkillSet

A SkillSet is a declarative YAML template that defines a collection of tools, agents, and configuration needed to accomplish a specific type of task (e.g., "Kubernetes troubleshooting" or "patient record analysis"). It is the core unit of deployment and management.

View

A View is a security policy that defines what actions are permitted. It uses granular tags called Capabilities (e.g., kubernetes.deployments.restart, patient.records.read) to allow or deny access to specific skills within a SkillSet. Different Views can be applied for different environments (dev vs. prod) or roles (engineer vs. analyst).

Session

A Session is a runtime instance of a SkillSet, constrained by a specific View. When you create a session, Tansive instantiates the tools and agents, applies the policy rules, and provides a secure endpoint (like an MCP server) for interaction. Each session is isolated and fully audited.

MCP (Model Context Protocol)

Tansive leverages the Model Context Protocol as a standard interface for AI tools. It can create secure, policy-governed MCP endpoints from your SkillSets, making them safely consumable by AI-powered IDEs (like Cursor or Claude Desktop) and agent frameworks.

How Tansive Works: A Developer's Perspective

For developers, Tansive integrates seamlessly into existing workflows, adding layers of security and observability without forcing a rewrite.

1. Authoring and Integration

You can author agents in any popular framework (LangChain, LangGraph, CrewAI, etc.) and tools in any language (Python, Node.js, Go). Tansive does not lock you into a proprietary SDK.

2. Policy-Driven Tool Access

Instead of calling tools directly, your agents call them through Tansive's governed endpoint. This allows Tansive to intercept every call, validate it against the active View policy, apply any input transformations (e.g., redacting PII), and log the entire interaction.

Example: Creating a Secure Tool Session

$ tansive session create /skillsets/tools/deployment-tools --view devops-engineer
Session created. MCP endpoint:
https://127.0.0.1:8627/session/mcp
Access token: tn_7c2e4e0162df66d929666703dc67a87a

This command creates a session that exposes only the tools the devops-engineer view permits, providing a secure MCP endpoint and token for access.

3. Runtime Enforcement and Audit

Every tool invocation is checked in real-time. The audit log captures not just the action, but the full chain of reasoning (the "call graph") and the specific policy rule that allowed or denied it. This is crucial for debugging and compliance.

How Tansive Works: An Operations Perspective

For platform and DevOps teams, Tansive acts as a centralized control plane, bringing order and security to AI agent deployments.

Declarative, GitOps-Friendly Management

All components—SkillSets, Views, agent configurations—are defined in YAML files. These can be version-controlled in Git, enabling familiar CI/CD pipelines, peer review, and rollback capabilities for your AI infrastructure.

Example: SkillSet YAML Snippet

spec:
  rules:
    - intent: Allow
      actions:
        - system.skillset.use
        - kubernetes.pods.list
        - kubernetes.troubleshoot
      targets:
        - res://skillsets/agents/kubernetes-agent
    - intent: Deny
      actions:
        - kubernetes.deployments.restart
      targets:
        - res://skillsets/agents/kubernetes-agent

This policy allows a Kubernetes agent to list pods and troubleshoot, but explicitly denies it the ability to restart deployments, enforcing a separation of duties.

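To make the evaluation order concrete, here is an added example (not Tansive's own code) that applies the rules above to individual tool calls. It assumes that a Deny rule overrides an Allow rule and that any action no rule mentions is denied by default; the kubernetes.secrets.read tag is made up for the demonstration.

```python
# Added example (not Tansive's own code): evaluates the page's View rules
# against a requested (action, target) pair. Assumed semantics: a Deny rule
# overrides an Allow rule, and anything no rule mentions is denied by default.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    intent: str            # "Allow" or "Deny"
    actions: frozenset     # capability tags, e.g. "kubernetes.pods.list"
    targets: frozenset     # resource URIs the rule applies to

# The rules from the SkillSet YAML snippet above, transcribed into Python
# so the example runs without a YAML parser.
KUBE_AGENT = "res://skillsets/agents/kubernetes-agent"
RULES = [
    Rule("Allow",
         frozenset({"system.skillset.use", "kubernetes.pods.list",
                    "kubernetes.troubleshoot"}),
         frozenset({KUBE_AGENT})),
    Rule("Deny",
         frozenset({"kubernetes.deployments.restart"}),
         frozenset({KUBE_AGENT})),
]

def evaluate(rules, action, target):
    """Return (decision, matched_rule) for one tool call.

    decision is "Allow" or "Deny"; matched_rule is the Rule that decided it,
    or None when no rule matched (default deny). Returning the deciding rule
    is what lets an audit entry record which policy rule allowed or denied it.
    """
    matches = [r for r in rules if action in r.actions and target in r.targets]
    denies = [r for r in matches if r.intent == "Deny"]
    if denies:                      # explicit Deny wins over any Allow
        return "Deny", denies[0]
    allows = [r for r in matches if r.intent == "Allow"]
    if allows:
        return "Allow", allows[0]
    return "Deny", None             # nothing permitted it: default deny

if __name__ == "__main__":
    for act in ("kubernetes.pods.list", "kubernetes.deployments.restart",
                "kubernetes.secrets.read"):   # made-up tag, not in the policy
        decision, rule = evaluate(RULES, act, KUBE_AGENT)
        why = rule.intent + " rule" if rule else "no matching rule"
        print(f"{act:36} -> {decision} ({why})")
```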

Deployment Flexibility

Tansive's portable runtime allows you to deploy sessions anywhere:

  • On VMs/Cloud VPCs: To serve other applications or execute backend tasks.
  • On User Machines: To automate individual workflows with appropriate guardrails.
  • With Any Model: Connect to LLM APIs (OpenAI, Anthropic, etc.) hosted anywhere.

Key Features in Detail

1. Runtime Policy Enforcement & Constraints

Beyond simple allow/deny, Tansive can pin runtime sessions to specific values (like a patient_id) and apply user-defined transforms to tool inputs and outputs. This enables use cases like PII redaction, data enrichment, or feature flagging without modifying underlying tool code.

2. Tamper-Evident Audit Logging

All actions are logged in a hash-linked chain, so any later modification or removal of an entry breaks the chain and is detectable. Each log entry includes the full context, policy decision, and data lineage, which is essential for post-incident analysis and regulatory audits.

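As an added illustration of why a hash-linked chain is tamper-evident (this is not Tansive's log format), the following sketch links each entry to the SHA-256 of its predecessor and shows that an edit to an earlier entry is caught on verification, even if the editor recomputes that entry's own hash. Entry fields and rule labels are constructed for the example.

```python
# Added example (not Tansive's own log format): a hash-linked audit log in
# which each entry commits to the SHA-256 of the previous entry, so editing
# or removing an earlier entry invalidates every link after it.
import hashlib
import json
GENESIS = "0" * 64   # prev_hash of the first entry

def _digest(entry):
    # Canonical JSON (sorted keys, fixed separators) so the hash is stable.
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append(log, action, target, decision, rule):
    """Append one audit entry that links to the previous entry's hash."""
    entry = {
        "seq": len(log),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
        "action": action,
        "target": target,
        "decision": decision,
        "rule": rule,          # label of the policy rule that decided it
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first broken entry, or -1 if the chain holds."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return -1

def demo():
    # Constructed sample entries matching the policy example on the page.
    log = []
    append(log, "kubernetes.pods.list", "res://skillsets/agents/kubernetes-agent", "Allow", "allow-rule-0")
    append(log, "kubernetes.deployments.restart", "res://skillsets/agents/kubernetes-agent", "Deny", "deny-rule-1")
    append(log, "kubernetes.troubleshoot", "res://skillsets/agents/kubernetes-agent", "Allow", "allow-rule-0")
    intact = verify(log)          # -1: chain is consistent
    log[1]["decision"] = "Allow"  # someone rewrites history after the fact
    tampered = verify(log)        # 1: entry 1 no longer matches its hash
    return intact, tampered

if __name__ == "__main__":
    print(demo())  # (-1, 1)
```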

3. Unified Tool Orchestration

Tansive can natively run your scripts (in any language), proxy to local MCP servers, or connect to remote MCP servers. It unifies these into a single, policy-governed interface, simplifying security management.

(Due to length constraints, this overview focuses on the core concepts and operational model. The subsequent sections of the original content—such as architecture deep dive, live demos, getting started guides, and FAQs—provide extensive practical details for implementation.)
