Platform · Allow-lists

Explicit permission for every model, tool, and domain

Allow only what you've explicitly approved.

Obiguard's allow-list system gives you a positive-permission model for AI access. If it isn't on the list, it doesn't run — no exceptions, no drift.

01 / What you can allow-list

Models. Tools. Domains. Users.

Allow-lists operate at four levels. Any call that touches a non-listed resource is blocked and written to the Audit Ledger — with full context for the reviewer.

01 — MODELS

Model allow-list

Specify exactly which model IDs are permitted per agent. A call to llama-3.1-405b from an agent approved only for gpt-4.1 is blocked immediately.

Per-agent · model family · version-pinned

02 — TOOLS

Tool allow-list

Register the tools each agent is permitted to invoke. A db.query call routed to the payroll schema from an agent not approved for that table is blocked.

Tool · scope · schema-level

03 — DOMAINS

Domain allow-list

Control which external domains agents can reach via retrieval or browser tools. Exfiltration to an unregistered endpoint is caught before the request leaves.

Outbound · domain · path-level

04 — USERS

User allow-list

Restrict which end-users or service accounts can invoke a given agent. Useful for internal tooling that should never be reachable from a public-facing surface.

Identity · role · attribute-based
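
The four checks described above, as an added sketch of a default-deny evaluator. This is not Obiguard's code or API: the policy layout, the function names, the agent `support-bot`, the account `svc-helpdesk`, the `tickets` schema and the `example.com` hosts are all assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Constructed policy for one hypothetical agent; not Obiguard's policy format.
POLICY = {
    "support-bot": {
        "models": {"gpt-4.1"},
        "tools": {("db.query", "tickets")},          # (tool, schema) pairs
        "domains": {"docs.example.com": ("/kb/",)},  # host -> path prefixes
        "users": {"svc-helpdesk"},
    }
}
AUDIT = []  # stand-in for an audit ledger: one record per blocked call


def domain_allowed(url, domains):
    """Exact host match plus path prefix; no substring or suffix matching."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # unparseable URL: deny
    if parts.scheme != "https" or parts.username or parts.password:
        return False  # reject plaintext and userinfo tricks (user@host)
    host = (parts.hostname or "").rstrip(".")
    if ".." in unquote(parts.path).split("/"):
        return False  # dot segments could escape the allowed prefix
    prefixes = domains.get(host)
    return bool(prefixes) and any(parts.path.startswith(p) for p in prefixes)


def check_call(agent, user, model, tool=None, schema=None, url=None):
    """Return (allowed, reason); anything not explicitly listed is denied."""
    policy = POLICY.get(agent)
    if policy is None:
        reason = "agent not registered"
    elif user not in policy["users"]:
        reason = "user not allow-listed"
    elif model not in policy["models"]:
        reason = "model not allow-listed"
    elif tool is not None and (tool, schema) not in policy["tools"]:
        reason = "tool/schema not allow-listed"
    elif url is not None and not domain_allowed(url, policy["domains"]):
        reason = "domain/path not allow-listed"
    else:
        return True, "ok"
    record = {"agent": agent, "user": user, "model": model, "tool": tool,
              "schema": schema, "url": url, "reason": reason}
    AUDIT.append(record)  # denied calls keep full context for review
    return False, reason
```

Matching the host exactly matters: a substring or suffix test would accept a look-alike such as `docs.example.com.evil.test`, which this check denies.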