Agent IAM
OpenClaw runs your agents. Carryall guards the data.
Every agent gets its own cryptographic identity. Every action gets a signed envelope. Every access gets logged. Your auditors will thank you.
The Stack
OpenClaw / LangChain / AutoGen / Claude Code
Carryall — Agent IAM
Vaults / Databases / APIs / File Systems
Carryall sits between your execution layer and your data. It doesn't replace your agents — it governs them.
How It Works
compile_policy
Describe what the agent needs in plain English. A local LLM determines the minimal permissions required.
Signed Envelope
Ed25519 cryptographic envelope. Scoped to specific resources. Time-limited. One envelope per task.
check_access
Every read and write is verified against the envelope before execution. No valid envelope, no access.
audit_log
Immutable, agent-attributed trail. Every action logged with who, what, when, and why.
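The Signed Envelope and check_access steps above, as an added Go example; it is not Carryall's code or wire format. The `Envelope` fields, the JSON encoding, the prefix-based scope matching and the `vault/...` paths are assumptions made for illustration; `accountant-agent` is the name used in the demo on this page.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"path"
	"strings"
	"time"
)

// Envelope is a hypothetical layout, not Carryall's actual format.
type Envelope struct {
	Agent     string    `json:"agent"`
	Resources []string  `json:"resources"` // path prefixes this task may touch
	Expires   time.Time `json:"expires"`
}

// Issue serializes the envelope and signs those exact bytes with Ed25519.
func Issue(priv ed25519.PrivateKey, e Envelope) (body, sig []byte) {
	body, _ = json.Marshal(e) // cannot fail for this struct
	return body, ed25519.Sign(priv, body)
}

// CheckAccess verifies the signature first, then expiry, then scope (after collapsing "../").
func CheckAccess(pub ed25519.PublicKey, body, sig []byte, resource string, now time.Time) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("invalid signature")
	}
	var e Envelope
	if err := json.Unmarshal(body, &e); err != nil {
		return err
	}
	if !now.Before(e.Expires) {
		return fmt.Errorf("envelope for %s expired", e.Agent)
	}
	for _, p := range e.Resources {
		if strings.HasPrefix(path.Clean(resource), p) {
			return nil
		}
	}
	return fmt.Errorf("%s denied: %s is out of scope", e.Agent, resource)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	body, sig := Issue(priv, Envelope{"accountant-agent", []string{"vault/tax/"}, time.Now().Add(time.Hour)})
	fmt.Println(CheckAccess(pub, body, sig, "vault/investments/q1.csv", time.Now()))
}
```

A nil return from `CheckAccess` means the read or write may proceed; any error is a denial that a caller would also write to the audit log.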
The Demo
Two agents. Same machine. Same vault. Different keys.
accountant-agent
✓ Can read tax documents
✗ Denied investment data
✗ Denied health records
investment-agent
✓ Can read portfolio data
✗ Denied tax documents
✗ Denied health records
Both enforced cryptographically. Both logged immutably.
Show this to your compliance officer.
What Makes This Different
| | NemoClaw | YAML Guardrails | Carryall |
|---|---|---|---|
| When it operates | Deployment-time | Deployment-time | Runtime, every action |
| What it controls | Network calls | API access | Data access per document |
| Audit trail | Network logs | None | Agent-attributed, immutable |
| Policy format | YAML | YAML | Natural language → LLM → Rego |
| Platform | NVIDIA hardware | Varies | Any hardware, any framework |
| Policy decisions | Cloud | Cloud | Local LLM — never leaves your network |
Want to try it?
Zero to a fully authorized agent stack on your own hardware. Four steps, under an hour.