How Verra Works

One governed pipeline, on every interaction.

Setup

It starts with one URL change.

Point your existing OpenAI or Anthropic client at Verra and add one header. Nothing else in your code changes.

Before

base_url = "https://api.openai.com/v1"
api_key  = "sk-..."

After

base_url = "https://api.helloverra.com/api/proxy"
api_key  = "sk-..."
headers  = {
  "x-verra-key":     "va-...",      # required
  "x-verra-user-id": "user-123",    # optional: end-user attribution
}

Prefer an SDK? @verra/sdk drops the same governance into LangChain, CrewAI, AutoGen, LlamaIndex, and Semantic Kernel agents.

The Pipeline

Every request runs the same path.

From the first check to the logged receipt, no interaction skips a phase. Each phase links to the section that covers it.

Authenticate & load policy

The agent is verified and the policy that governs it is loaded.

Resolve tools & MCP origins

MCP

Tools the agent can't use are stripped; the rest resolve to a registered MCP server.

Authorize delegation

A2A

Delegated work is checked against the trust relationship between the two agents.

Detect & decide

Four detectors run in parallel and resolve to a single verdict.

Route & forward

Low-risk traffic routes to the default model; sensitive traffic to a private one.

Log the receipt

A receipt is written for every call, with no raw prompt text stored.

Policy

Observe first, enforce when you're ready.

Every agent runs under an org-wide policy with optional per-agent overrides.

OBSERVE

Every call is scanned and logged; nothing is blocked. See exactly what enforcement would catch before you switch it on.

GOVERN

Policy is enforced. Risky calls are blocked, masked, or held for approval, per your thresholds.

ENFORCE

Everything in Govern, plus a regulation-mapped evidence pack generated for each reporting period.

Tool Access Control

Not every agent gets every tool.

Each agent is cleared for a specific set of tools. Verra checks every tool call against that policy and flags pairings that don't fit the agent's role, like a support agent reaching for a database.

Sample permission matrix

	email	database_query	code_execution	admin
hr	✓ allowed	⚠ suspicious	✗ forbidden	✗ forbidden
finance	✓ allowed	✓ allowed	⚠ suspicious	✗ forbidden
engineering	✓ allowed	✓ allowed	✓ allowed	⚠ suspicious
security	✓ allowed	✓ allowed	✓ allowed	✓ allowed

Agent-to-Agent

Agents don't automatically trust each other.

When one agent delegates work to another, Verra checks the trust relationship before the second agent can act.

Sensitive data crossing certain agent-type boundaries is always blocked. An HR agent cannot hand a payload containing SSNs or salary data to an engineering agent, even when both agents are registered and the delegation is otherwise allowed.

Browser Extension

The other half of the surface area.

The proxy governs the agents you ship. The browser extension governs the AI your employees reach for on their own, closing the loop into one end-to-end story.

SHADOW AI DETECTION

Surfaces unsanctioned ChatGPT, Claude, Gemini, and Copilot use across the workforce, with who, what tool, and which workspace, scored against the same policy as your registered agents.

CLIPBOARD MONITORING

Catches sensitive data the moment it lands in a chat window: secrets, PII, customer records pasted out of a CRM. Verra blocks, masks, or warns before the paste reaches the model, with the same verdict scheme as the proxy.

Receipts from the browser flow into the same audit trail as receipts from the proxy, so one dashboard covers both your agents and the humans driving them.

Detection

Four detectors in parallel.

The four detectors run concurrently on every request and make a combined verdict: allow, warn, mask, or block.

Prompt injection

Catches attempts to override the agent's instructions with hidden or embedded commands, whether they come from the user or from content the agent reads.

Jailbreak

Catches attempts to push the agent past its guardrails, including role-play escapes and prompts that tell it to ignore its own rules.

Data exfiltration

Catches personal data and credentials in a request, along with probes designed to pull out sensitive records or the agent's own instructions.

System prompt extraction

Catches direct and indirect attempts to make the agent reveal its system prompt.

99%

Injection recall

explicit attacks · HackAPrompt

92%

Indirect injection recall

email agent attacks · LLMail

~50ms

p50 scan latency

injection and jailbreak scanned in parallel

100%

MCP origin attribution

every tool call resolves to a registered server

Risk signals annotate every receipt, whatever the verdict

Personal data

· Email addresses

· Phone numbers

· Social security numbers

· Dates of birth

Secrets

· OpenAI API keys

· AWS access keys

· GitHub tokens

· Bearer tokens

The Verdict

Every call resolves to one of four actions.

Which action fires is set by your org-wide policy, and the call is scored in under 100ms at the median. Whatever the verdict, the agent gets a structured response it can handle, and a receipt is written to the audit trail with a content hash and metadata, never raw text.

ALLOW

No findings. The request goes straight to the model and the agent gets a normal response.

WARN

Findings below the block threshold. The request still goes through, and the receipt is annotated for security review.

MASK

Personal data or secrets detected. Verra redacts them before the request reaches the model.

BLOCK

The request is stopped before it reaches the model, either because the risk crossed the block threshold or because policy requires a human to approve it first.

Model Routing

Risk decides which model sees the request.

Verra picks the destination by risk level, then scans the response before it returns to the agent.

LOW RISK

Routed to your default model provider (OpenAI, Anthropic, Azure, Bedrock, or Vertex).

ELEVATED RISK

Routed to a private or self-hosted model, so sensitive content never reaches a third-party API.

Visibility

Full observability.

Verra is OpenTelemetry-native, and every trace exports to any OTLP backend.

A sample receipt, with no raw prompt text stored

agentfinance-report-agent
agent typefinance
operatoremployee-jane
end userpatient-7842
risk levelHIGH
verdictBLOCK
findingsprompt injection, SSN
prompt hashsha256:e3b0c44298fc1c...
prompt bytes1,847
modelgpt-4o
forwardedfalse
timestamp2026-03-17T14:32:01Z

Receipts

Every proxied call, with risk level, findings, agent, and trace ID. Filterable by user, finding type, and tool attribution.

Approvals

Pending human reviews with approve, reject, and a full audit trail, grouped by what triggered the escalation.

MCP Servers

Inventory of registered MCP servers with trust tier, prompt count, and recent drift events.

Compliance Reports

Regulation-mapped evidence packs for EU AI Act and DORA, each hash-verified and downloadable as PDF or JSON.

Shadow AI

Unregistered AI usage surfaced with the agent, timestamp, and request metadata.

Agents

All registered agents with their model targets, environments, tool permissions, and call stats.

Lineage

Agent relationship graph, with a per-agent view and trace lookup.

Policy

Org-wide rules: block and warn thresholds, PII handling, and MCP trust-tier controls.

OTel export

Every trace is OpenTelemetry-native, exportable to Grafana Tempo, Jaeger, Honeycomb, Datadog, or any OTLP backend.

Analytics

Calls over time, risk distribution, and agent performance trends.

See it running on your stack.

Book a Demo

SOC 2 · HIPAA · EU AI Act · DORA · No raw text stored