Product
Muswell wraps your AI agents: every tool call an agent makes is checked against your policy before it reaches the tool, and every decision lands in an evidence-grade log. It works across providers — so you keep the agent stack you already have.
How it works
01
An agent in your firm goes to call a tool — to send an email, write a file, open a pull request. Because Muswell wraps the agent, that call is routed to the gateway before it reaches the tool.
02
The gateway checks the call against your policy: scoped permission, sanitised inputs, rate limits, blast-radius checks. Sensitive actions trigger a step-up approval.
03
Approved calls pass through to the underlying tool. Calls awaiting approval queue for a named human; denied calls return a structured refusal the agent can handle gracefully.
04
Every prompt, retrieved context item, tool call, parameter, approver and outcome is appended to a tamper-evident audit log. Exception MI surfaces what your second line needs to see.
The gateway model
Model-layer alignment is necessary but not sufficient. The NCSC and OWASP both flag indirect prompt injection as a class of attack that cannot be fully patched at the model. Muswell works at the execution boundary, where actions are bounded by code rather than by hope.
That means you get the same guarantees regardless of which provider, framework or model your team picks next quarter.
[Diagram: Agent runtime (your AI agents, any provider, any framework) → Muswell (policy gate, approvals, audit log) → Tools (email, CRM, files, Git, payments, APIs)]
Example gateways
When Muswell wraps an agent, each tool that agent can reach sits behind a gateway with its own policy and conservative defaults — easy to relax, expensive to forget. These are examples; the set keeps expanding as agentic tooling spreads across the financial-services landscape.
Filesystem
Read-only by default
Agents can browse and read project files. Writes, deletes and renames require an explicit policy grant — by directory, file pattern and named approver.
Agents can branch, commit and open PRs. Direct pushes to protected branches are blocked. Merges require a human review on the PR itself, never the agent.
Agents can compose, address and attach files. Sending requires a named approver per recipient class. Drafts and decisions are recorded on the audit log.
Gateways for payments and CRM systems — Stripe, GoCardless, HubSpot, Salesforce and common practice-management tools — join the set as agentic tooling spreads across the firm.
The audit log
Muswell writes an append-only record for every tool call the policy gate evaluates. Entries are cryptographically linked, so if a historical record is altered the change shows up on review — the log stands as evidence, not just history.
Logs export as JSONL for ingest into your SIEM, GRC tooling or auditor's evidence locker, and a signed manifest accompanies every export.
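A sketch of how cryptographic linking makes an altered record detectable, added here as an illustration and not Muswell's code or log format. The SHA-256 hash chain, the field names (`prev`, `record`, `hash`) and the sample records are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log_lines, record):
    """Append one record as a JSONL line linked to the previous entry."""
    prev = json.loads(log_lines[-1])["hash"] if log_lines else GENESIS
    entry = {"prev": prev, "record": record, "hash": digest(prev, record)}
    log_lines.append(json.dumps(entry, sort_keys=True))
    return entry["hash"]


def verify(log_lines, expected_head=None):
    """Return (ok, index_of_first_bad_entry_or_None)."""
    prev = GENESIS
    for i, line in enumerate(log_lines):
        try:
            entry = json.loads(line)
            ok = entry["prev"] == prev and entry["hash"] == digest(prev, entry["record"])
        except (ValueError, KeyError, TypeError):
            ok = False
        if not ok:
            return False, i
        prev = entry["hash"]
    # Truncation leaves a valid chain; only a head hash stored elsewhere
    # (for example in a signed export manifest) reveals it.
    if expected_head is not None and prev != expected_head:
        return False, len(log_lines)
    return True, None


def build_sample_log():
    # Constructed sample records, not real Muswell output.
    log = []
    append(log, {"tool": "fs.read", "path": "docs/a.md", "decision": "allow"})
    append(log, {"tool": "fs.write", "path": "src/b.py", "decision": "pending", "approver": "j.doe"})
    head = append(log, {"tool": "email.send", "decision": "deny"})
    return log, head
```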
Captured per call
Where we are
Muswell today is a working policy gate, the example gateways and the audit log described on this page — enough to run a real agent end to end with a design partner. Role-based access, GRC and SIEM connectors and automated incident response come next. If your firm is starting to put agents into regulated workflows, we would like to talk.