Your IdP counts the humans. Nobody counts the keys, the service accounts, or the agents acting on their behalf. Idryx reads what Okta, Entra, AWS, GCP and Azure already log, adds the agent-event bus, stitches all of it into one identity graph with delegation chains and blast radius, and runs 21 deterministic detectors over the result. Read-only by design: it proposes Terraform diffs, it never applies.
This is a simulation, but it replays the shape of the live validation run: TokenFuse agent-event NDJSON and Agent Passports land in a Postgres-backed graph, the detectors read the state back, and findings fire. The same three detectors fired against a real Postgres 16 during validation: runaway_agent, attestation_missing, orphaned_nhi.
Five read-only connectors describe the humans, keys and service accounts; the agent-event bus streams what TokenFuse, Wardryx, Mockryx and Verdryx watched the agents do. One core resolves the graph, walks delegation chains root-first, and runs the 21 detectors. Everything that leaves is an alert, a BOM, or a proposed diff a human applies.
Humans, service accounts, keys, MCP servers and AI agents: five node kinds in one graph, not five tools. Agents are first-class, keyed name@url, with owner, runtime and attestation pinned to the node instead of lost in a generic service-account bucket.
on_behalf_of edges record who acts for whom: agent to sub-agent to service account to human. The walk is cycle-safe and resolves root-first, so the question audits stall on for weeks gets answered from the graph in one query.
runaway_agent, impossible_travel, mfa_fatigue, data_exfiltration, tainted_agent, mcp_drift and fifteen more. Statistics and rules over the graph; the LLM is never in the detection path, so every finding is reproducible and auditable.
When the auditor asks what agents you run, the answer is a CycloneDX 1.6 document: owner, runtime, attestation, tools and delegation chain for every agent identity. Its companion detector, bom_incomplete, flags the agents the BOM cannot yet prove.
What does this key reach, transitively? Idryx computes the union of every permission reachable through an identity's delegation chain. excessive_agency fires when an agent reaches admin-equivalent power through that chain (OWASP LLM06).
A Linux-only sensor on the sys_enter_connect tracepoint captures real outbound connections and flags egress to known LLM APIs. unmanaged_egress fires for identities the sensor is the only evidence of: no IAM record, no passport, just traffic.
SailPoint and CyberArk are serious IGA products for the identities they were built around: employees with logins. Idryx does not replace them, and it reads Okta and Entra as sources of truth. The difference is who gets first-class treatment: the keys, service accounts and agents that never log in at all.
| Idryx | IGA suites | Spreadsheets + scripts | |
|---|---|---|---|
| Covers AI agents natively | Yes: agents are a node kind | Bolted on | No |
| Time to first insight | Minutes: point it at logs | Quarters of rollout | Weeks of grep |
| Enforcement stance | Read-only, proposes diffs | Heavy write access | Manual |
| Delegation chains for agents | First-class, root-first | Rare | No |
| Evidence output | CycloneDX Agent-BOM | Proprietary reports | None |
| Price | Apache-2.0 | Six figures | Your weekends |
Idryx consumes the same envelope TokenFuse, Wardryx, Mockryx and Verdryx write: the agent-event. It validates Agent Passports against the platform contract, and the loop closes at the policy plane: its attestation_missing detector is the reason an unattested agent meets a 403 from Wardryx policies instead of your production data.
Download a v0.2.0 release binary (SHA256SUMS ships next to it), run detect against a log, then serve for the read-only dashboard on :8080.