AI Agent Governance Gateway
Real-time policy enforcement with post-quantum cryptography — free for researchers and students
Early stage — open for testing.
This is v0.3.0. We are building in public. Tests are self-conducted. Third-party audit is planned.
Found something broken or insecure? [email protected] — we will fix it and credit you.
Signing
ML-DSA-44
NIST FIPS 204 · post-quantum
Encryption
ML-KEM-768
NIST FIPS 203 · post-quantum
Tests
47/47
acceptance tests passing
What Q-SAG does
1
Policy enforcement
Every agent action evaluated against its defined policy before execution
real-time
2
Attack detection
Prompt injection, exfiltration, memory poisoning, MCP tool poisoning
OWASP ASI
3
Quantum-signed audit
Every decision signed with ML-DSA-44, immutable ledger
FIPS 204
4
Human control
Kill switch, emergency lockdown, approval queue for high-risk actions
EU AI Act Art.14
What Q-SAG does NOT do
✗ Does not store your payload content — only pattern metadata
✗ Does not train ML models on your data or attacks
✗ Does not replace human oversight for high-stakes decisions
✗ Does not claim to catch every possible attack
✗ Does not certify EU AI Act compliance — that is your organisation's responsibility
✗ Is not a production-ready product — this is v0.3.0, a working demo
Detection uses pattern matching, not ML. New patterns are added continuously.
Found a bypass? Email us — we fix it and credit you.
Who this is for
Students & Researchers
Run python3 demo.py --probe to test with your own attack payloads.
See what gets caught, what doesn't, and why. Email bypasses you find.
Academic access is free — unlimited evaluations.
Small & Medium Businesses
Enterprise AI governance costs £50k+. Q-SAG is free to start.
Register an agent, add 10 lines of code, get governance immediately.
You don't need a dedicated security team.
Developers
Open source core library at github.com/Neoxyber/qsag-core.
Run locally, fork it, contribute.
EU AI Act compliance infrastructure you can actually build on.
Live Governance Test
Send a real payload to Q-SAG and see the decision in real time
How this works: A temporary demo agent is registered on your behalf. Your payload is sent to the gateway. Q-SAG evaluates it and returns a decision. Your payload is not stored — only the pattern family and decision metadata are logged. The demo agent is low-privilege (read only).
Test the gateway
What each result means
✓ APPROVED
Action is within the agent's policy. Decision is quantum-signed with ML-DSA-44 and written to the audit ledger.
✗ BLOCKED
Action violated policy or a security threat was detected. Blocked before execution. Logged with OWASP ASI code.
⏳ PENDING
High-risk action held in approval queue. A human operator must approve or reject before the action can execute.
Quantum Signature Verification
Every Q-SAG decision is signed with ML-DSA-44 — verifiable independently
ML-DSA-44 + ML-KEM-768
NIST FIPS 204 + FIPS 203 — Post-quantum cryptography, both standards selected August 2024
1312
Public key bytes
2420
Signature bytes
2560
Private key bytes
Verify an audit entry
Audit Entry ID
Run python3 demo.py to get an audit ID, then paste it above.
Verification calls the gateway's verify endpoint which runs OQS_SIG_verify() — real cryptographic verification, not a string check.
What ML-DSA-44 means
Post-quantum secure
Resistant to attacks from both classical and quantum computers. ML-DSA is the NIST-standardised form of the CRYSTALS-Dilithium lattice-based scheme.
Microsoft uses Ed25519
Their Agent Governance Toolkit (released April 2, 2026) signs with Ed25519 — not quantum-safe. Q-SAG uses ML-DSA-44 — the NIST post-quantum equivalent.
Tamper-evident
If any audit record is modified after signing, verification fails immediately. You can verify any decision offline using liboqs-python.
Offline verification
pip install liboqs-python
python scripts/verify_audit.py --id YOUR_ID
ML-KEM-768 — Post-quantum encryption
NIST FIPS 203
1184
Public key bytes
2400
Private key bytes
+AES-256-GCM
Hybrid encryption
Used for sensitive data at rest. ML-KEM-768 encapsulates a shared secret, AES-256-GCM encrypts the data using that secret.
This is hybrid post-quantum encryption — the same pattern used in TLS 1.3 post-quantum extensions.
OWASP Top 10 for Agentic AI — 2026
Published December 2025. Q-SAG maps every detection to this taxonomy.
Note: OWASP does not certify products. These are Q-SAG's technical mitigations per risk category, not a certification claim. Pattern matching catches known variants. Novel attacks may slip through — that is why the LLM evaluation layer exists.
ASI01
Agent Goal Hijacking
Prompt injection, jailbreak attempts, DAN attacks, instruction override
✓ Pattern matching + LLM semantic evaluation
ASI02
Tool Misuse & MCP Exploitation
Actions outside allowlist, shell injection, SQL injection, MCP tool poisoning
✓ Allowlist enforcement + MCP scan endpoint
ASI03
Identity & Privilege Abuse
Data exfiltration to external URLs, credential access, ghost agents
✓ Exfiltration patterns + ghost detection
ASI04
High-Impact Autonomous Actions
Payments, bulk deletions, irreversible operations requiring human sign-off
✓ Risk classification + approval queue
ASI05
Unexpected Code Execution
Shell commands, RCE attempts, code injection in payloads
✓ Shell/code injection pattern blocking
ASI06
Memory & Context Poisoning
Instructions to alter future agent behaviour across sessions
✓ Memory poisoning pattern detection
ASI07
Insecure Inter-Agent Communication
Unverified MCP servers, tool supply chain attacks
✓ MCP server registry + scan-tools endpoint
ASI08
Cascading Failures
Circuit breakers, auto-quarantine of misbehaving agents
✓ Behavioural anomaly detection + quarantine
ASI09
Human-Agent Trust Exploitation
High-risk actions requiring human approval before execution
✓ Approval queue + 24h expiry auto-reject
ASI10
Rogue Agent Behaviour
Behavioural anomaly detection, ML-DSA-44 audit trail
✓ Kill switch + immutable quantum-signed log
Detection Architecture
Three independent layers — each catches what the others miss
Layer 1 — Pattern Matching (instant · free)
Deterministic regex patterns covering OWASP ASI01-06. Runs before any database lookup.
Cannot be confused or distracted. Catches known attack strings immediately.
Limitation: misses novel phrasings and AI-generated paraphrases.
jailbreak · injection
data exfiltration
credential access
shell injection
SQL injection
memory poisoning
Layer 2 — LLM Semantic Evaluation (medium-risk only)
Claude Haiku evaluates payloads that pass pattern matching. Catches AI-generated paraphrases
and novel attack phrasings. Advisory only — the LLM cannot approve anything.
Final decisions are always deterministic.
Injection defences
Payload wrapped in <untrusted> tags.
LLM responds only in strict JSON.
Invalid response = treated as threat.
Stateless — no memory between calls.
When it runs
Only on medium-risk approved payloads.
Never on clear blocks (patterns caught).
Never on clearly safe low-risk payloads.
~10-15% of requests reach this layer.
Layer 3 — Human Review Escalation (uncertain decisions)
When LLM confidence is below threshold or a decision is high-risk, Q-SAG does not auto-approve.
The action goes into the approval queue. A human operator reviews and decides.
The agent polls for the decision. If no decision within 24 hours, the action is auto-rejected.
This is how Q-SAG meets EU AI Act Article 14 — human oversight is structurally enforced, not optional.
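The three-layer flow described above, as an added illustration rather than Q-SAG's own code: a few constructed Layer 1 patterns, the <untrusted> wrapping and strict-JSON parsing of Layer 2 (an unparseable judge reply fails closed), and the deterministic gating that only consults the judge for medium-risk payloads and sends low-confidence or high-risk cases to the approval queue. The judge callable stands in for the Claude Haiku call; the patterns, field names and 0.7 confidence threshold are assumptions.

```python
import json
import re

# Layer 1: deterministic patterns mapped to OWASP ASI codes. These four rules are
# constructed for illustration and are not Q-SAG's own rule set.
PATTERNS = [
    ("ASI01", "prompt_injection", re.compile(r"ignore (all |any )?(previous|prior) instructions", re.I)),
    ("ASI03", "data_exfiltration", re.compile(r"\b(send|post|upload)\b.{0,60}\bhttps?://", re.I)),
    ("ASI05", "shell_injection", re.compile(r"(;|&&|\|\|)\s*(rm|curl|wget|bash)\b", re.I)),
    ("ASI06", "memory_poisoning", re.compile(r"\bfrom now on\b|\bin (all )?future sessions\b", re.I)),
]
def layer1(payload):
    # Clear block on any known pattern; None means nothing known was found.
    for ref, family, rx in PATTERNS:
        if rx.search(payload):
            return {"decision": "blocked", "threat_type": family, "owasp_ref": ref}
    return None
def wrap_untrusted(payload):
    # Layer 2 prompt: the payload is data inside <untrusted> tags, never an instruction.
    # A closing tag inside the payload is neutralised so it cannot end the wrapper early.
    safe = payload.replace("</untrusted>", "&lt;/untrusted&gt;")
    return ("Classify the text between <untrusted> tags. Reply with JSON only: "
            '{"threat": true|false, "confidence": 0.0-1.0}\n'
            f"<untrusted>{safe}</untrusted>")
def parse_judge(raw):
    # Strict JSON with exactly these two keys; anything else fails closed as a threat.
    try:
        obj = json.loads(raw)
        conf = float(obj["confidence"])
        if set(obj) != {"threat", "confidence"} or not isinstance(obj["threat"], bool) or not 0 <= conf <= 1:
            raise ValueError("not the strict shape")
        return obj["threat"], conf
    except (ValueError, TypeError, KeyError):
        return True, 1.0
def decide(payload, risk_level, judge, threshold=0.7):
    # Deterministic decision; the judge only advises, and only on medium-risk payloads.
    hit = layer1(payload)
    if hit:
        return hit                               # clear block: judge never runs
    if risk_level == "low":
        return {"decision": "approved"}          # clearly safe: judge never runs
    if risk_level in ("high", "critical"):
        return {"decision": "pending_approval"}  # layer 3: human sign-off required
    threat, conf = parse_judge(judge(wrap_untrusted(payload)))
    if threat:
        return {"decision": "blocked", "threat_type": "semantic", "owasp_ref": "ASI01"}
    if conf < threshold:
        return {"decision": "pending_approval"}  # uncertain: escalate to a human
    return {"decision": "approved"}
```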
Human Control System
EU AI Act Article 14 — human oversight and override capability
Admin endpoints require X-Admin-Key header.
These are not exposed publicly. If you are running Q-SAG locally, your ADMIN_KEY is in your .env file.
The live demo does not expose admin access — see docs/HUMAN_CONTROL.md for full documentation.
Kill Switch — three layers
1
Database flag
is_active=FALSE instantly. Fast, reversible. Standard approach.
2
Cryptographic revocation
SHA-256 key hash added to in-memory set. O(1) check before any DB lookup. Survives database reset.
3
In-memory lockdown cache
Emergency state in memory AND database. Attacker needs DB access + server restart simultaneously.
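The three layers above, modelled in a constructed Python class (added here; not Q-SAG's own implementation) so the ordering of the checks is visible: lockdown and the in-memory revocation set are consulted before any database lookup, and a database restore that flips is_active back on does not reinstate a killed key. The dict db, the method names and the "_lockdown" row are assumptions.

```python
import hashlib
import threading

class KillSwitch:
    # Constructed model of the three layers (illustration, not Q-SAG's own code).
    # db stands in for the agents table: {agent_id: {"key_hash": ..., "is_active": ...}}.
    def __init__(self, db):
        self.db = db
        self.revoked = set()           # layer 2: SHA-256 hashes of revoked API keys
        self.lockdown = False          # layer 3: emergency state held in memory
        self._lock = threading.Lock()

    @staticmethod
    def key_hash(api_key):
        return hashlib.sha256(api_key.encode()).hexdigest()

    def kill(self, agent_id):
        row = self.db[agent_id]
        row["is_active"] = False                   # layer 1: database flag, fast and reversible
        with self._lock:
            self.revoked.add(row["key_hash"])      # layer 2: survives a database reset

    def reinstate(self, agent_id):
        row = self.db[agent_id]
        row["is_active"] = True
        with self._lock:
            self.revoked.discard(row["key_hash"])

    def set_lockdown(self, on):
        with self._lock:
            self.lockdown = on                     # layer 3: memory AND database hold the state
        self.db["_lockdown"] = on

    def authorise(self, api_key):
        # Returns "approved" or the layer that blocked the call; layers 3 and 2 run before any DB read.
        h = self.key_hash(api_key)
        if self.lockdown or self.db.get("_lockdown"):
            return "blocked:lockdown"
        if h in self.revoked:                      # O(1) set membership, no DB round-trip
            return "blocked:revoked"
        row = next((r for k, r in self.db.items() if k != "_lockdown" and r["key_hash"] == h), None)
        if row is None or not row["is_active"]:
            return "blocked:inactive"
        return "approved"
```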
Admin endpoints
POST /api/v1/control/kill/{agent_id}
POST /api/v1/control/reinstate/{agent_id}
POST /api/v1/control/lockdown
POST /api/v1/control/lockdown/lift
GET /api/v1/control/lockdown/status
GET /api/v1/control/approval/queue
POST /api/v1/control/approval/{id}/approve
POST /api/v1/control/approval/{id}/reject
All require the X-Admin-Key header. See HUMAN_CONTROL.md for exact curl commands.
EU AI Act Article 14 mapping
| Article 14 requirement | Q-SAG control |
|---|---|
| Stop operation | Kill switch <100ms |
| Suspend all | Emergency lockdown |
| High-risk approval | Approval queue |
| Audit trail | ML-DSA-44 signed ledger |
| 6-month retention | PostgreSQL + Supabase |
For Researchers & Students
Q-SAG is designed to be tested, probed, and broken. We welcome it.
Academic access is free. Unlimited evaluations for verified students and researchers.
Email [email protected] with your institution.
Quick start
# Download and run — no setup needed
curl -O https://raw.githubusercontent.com/Neoxyber/neoxyber-qsag/main/demo.py
python3 demo.py
# Showcase — 8 scenarios automated
python3 demo.py
# Research mode — your own payloads
python3 demo.py --probe
# Register your own agent
python3 demo.py --interactive
# Different agent roles
python3 demo.py --role finance
python3 demo.py --role devops
Research questions — open
Q1 — Can pattern matching be bypassed with AI-generated paraphrases?
Use ChatGPT or Claude to rephrase known attacks. What gets through?
Q2 — Can the LLM evaluator itself be prompt-injected?
Try to craft a payload that tricks the judge. The payload is wrapped in <untrusted> tags — does that hold?
Q3 — Is the quantum signature verifiable independently?
Get an audit_entry_id, fetch the entry, verify with liboqs-python locally.
Q4 — What is the false positive rate?
Send 100 legitimate payloads. How many get blocked? What is the threshold?
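Q3 above and the offline-verification note in the signature section ask the same thing. Here is an added example (not scripts/verify_audit.py itself) that verifies an ML-DSA-44 signature over an audit entry with liboqs-python and shows that changing one field after signing makes verification fail. The entry field names, the base64 encoding and the canonicalisation rule (sorted-key compact JSON of the entry minus signature and public_key) are assumptions to confirm against the gateway's own script.

```python
import base64
import json

try:
    import oqs                        # liboqs-python: pip install liboqs-python
except ImportError:                   # keep the pure-Python helpers importable without it
    oqs = None

ALG = "ML-DSA-44"                     # NIST FIPS 204
PK_LEN, SIG_LEN = 1312, 2420          # ML-DSA-44 public key and signature sizes in bytes

def canonical_bytes(entry):
    # Bytes that were signed. Assumption: the gateway signs the entry minus the
    # signature and public_key fields, serialised as sorted-key compact JSON.
    # Confirm against scripts/verify_audit.py before relying on this.
    body = {k: v for k, v in entry.items() if k not in ("signature", "public_key")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def verify_entry(entry):
    # True only if the ML-DSA-44 signature matches the entry as it stands now.
    if oqs is None:
        raise RuntimeError("liboqs-python is required for signature verification")
    pk = base64.b64decode(entry["public_key"])
    sig = base64.b64decode(entry["signature"])
    if len(pk) != PK_LEN or len(sig) != SIG_LEN:
        return False                  # wrong algorithm or truncated record, not just a bad signature
    with oqs.Signature(ALG) as verifier:
        return verifier.verify(canonical_bytes(entry), sig, pk)

def sign_entry(entry, signer):
    # Used only to build a constructed sample entry locally; the gateway signs real ones.
    signed = dict(entry)
    signed["signature"] = base64.b64encode(signer.sign(canonical_bytes(entry))).decode()
    return signed

def demo():
    # Sign a constructed entry, verify it, then tamper with the decision and verify again.
    with oqs.Signature(ALG) as signer:
        pk = signer.generate_keypair()
        entry = {"audit_entry_id": "PLACEHOLDER-UUID", "decision": "blocked",
                 "owasp_ref": "ASI01", "risk_score": 0.92,
                 "public_key": base64.b64encode(pk).decode()}
        genuine = sign_entry(entry, signer)
        tampered = dict(genuine)
        tampered["decision"] = "approved"        # one field changed after signing
        return verify_entry(genuine), verify_entry(tampered)
```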
Responsible disclosure
We welcome researchers probing Q-SAG. If you find a bypass — an attack that gets through when it should not:
1. Email [email protected] with what you sent and what you expected
2. We investigate within 3 business days
3. If confirmed, we add a detection pattern and credit you in the changelog
4. We do not pursue researchers who probe in good faith
We follow the AVID (AI Vulnerability Database) taxonomy for formal reporting. This is how detection improves — community research, not secrecy.
Connect Your Agent
10 lines of code. Works with any AI framework.
Step 1 — Register your agent
curl -X POST https://neoxyber-qsag.onrender.com/api/v1/agents/register \
-H "Content-Type: application/json" \
-d '{
"name": "my-support-agent",
"owner": "[email protected]",
"allowed_actions": "read,list,summarise,search",
"risk_level": "low",
"description": "Customer support agent. Must never access finance or execute code."
}'
You receive an api_key. Keep it secret. Use it in every evaluate call.
Plain Python — no dependencies
import urllib.request, json

QSAG = "https://neoxyber-qsag.onrender.com/api/v1"
KEY = "qsag_your_key_here"   # the api_key returned by /agents/register

def governed(action, payload):
    # Ask the gateway first; only an "approved" decision reaches your tool
    body = json.dumps({
        "action": action,
        "payload": payload
    }).encode()
    req = urllib.request.Request(
        f"{QSAG}/gateway/evaluate",
        data=body,
        headers={
            "Content-Type": "application/json",
            "X-API-Key": KEY
        }
    )
    r = json.loads(urllib.request.urlopen(req, timeout=30).read())
    if r["decision"] == "approved":
        return your_tool(action, payload)   # your_tool: the function you are governing
    # "blocked" and "pending_approval" both stop execution here
    raise PermissionError(r.get("reason", r["decision"]))
API response fields
| Field | Values |
|---|---|
| decision | approved / blocked / pending_approval |
| risk_level | low / medium / high / critical |
| risk_score | 0.0 – 1.0 |
| threat_type | pattern family if detected |
| owasp_ref | ASI01 – ASI10 |
| block_reason_type | policy_violation / security_threat |
| quantum_signed | always true |
| audit_entry_id | UUID for verification |
About Q-SAG
What this is, what it is not, and why we are building it
This is v0.3.0 — an early-stage working demo.
Tests are self-conducted. No third-party audit has been completed yet.
We are building in public and fixing issues as they are found.
Found something broken or legally unsafe? Email us — we will fix it.
The problem we are solving
Enterprise AI governance costs £50,000+ in contracts and setup. Only large companies can afford it. Small and medium businesses deploying AI agents have no governance infrastructure — they are flying blind with no oversight, no audit trail, and no kill switch.
By August 2026, the EU AI Act requires human oversight for high-risk AI deployments. Most small businesses will not be ready. They don't know what they need or how to build it.
Q-SAG is governance infrastructure that small businesses can actually use — free to start, 10 lines of code to integrate, real cryptographic proof.
What is built and working
✓ Policy enforcement — allowlist, role-based blocking
✓ Pattern detection — OWASP ASI01-06 coverage
✓ LLM semantic evaluation — catches AI-generated attacks
✓ ML-DSA-44 signatures — NIST FIPS 204, every decision
✓ ML-KEM-768 encryption — NIST FIPS 203, data at rest
✓ Kill switch — three independent security layers
✓ Emergency lockdown — in-memory + database
✓ Human approval queue — EU AI Act Article 14
✓ MCP tool poisoning scan
✓ 47/47 acceptance tests passing
✗ No third-party audit yet
✗ No dashboard for pending approvals yet
✗ No false positive feedback endpoint yet
✗ Not production-ready for regulated industries
Legal notices:
Q-SAG is provided as-is for testing and research purposes. AIXYBER TECH LTD (Company No. 16826340, ICO ZC071900) makes no warranty of fitness for any regulated purpose.
EU AI Act compliance is the responsibility of the deploying organisation — Q-SAG provides technical controls, not legal certification.
OWASP does not endorse or certify this product.
"ML-DSA-44" and "ML-KEM-768" refer to NIST-standardised algorithms implemented via the open-source liboqs library.
Open source: The core library is MIT-licensed at github.com/Neoxyber/qsag-core.
Contact: [email protected] — for security issues, responsible disclosure, research access, or general questions.