Colosseum

Ship agents the way you ship code —
identity, least privilege, audit, review.

Secure360 · Minneapolis · 2026

s360-26.0x509.com

Abhi Devireddy

Director of Technology Services
Essentia Health — Duluth, MN

github.com/abhid · secure360.org 2026

s360-26.0x509.com

Today

What we're covering

ACT 1

The Problem

ACT 2

Colosseum

ACT 3

So What

Act 1 · The problem

Agents are already in your environment.

non-deterministic · credentialed · unaudited

Act 1 · The problem

You can’t judge what you can’t produce

The Dunning–Kruger effect isn’t just about overconfident beginners.
It’s about a closed feedback loop — you can’t see what you can’t see.

what we think

what’s actually true

Act 1 · The problem

Three gaps. All structural.

SPEED

Agents operate faster than human review cycles were designed for

OPACITY

LLM reasoning is not auditable by traditional log-scraping

NOVELTY

No shared vocabulary yet between security and AI teams

Act 1 · The problem

The status quo doesn’t scale.

WHAT TEAMS TRY

A. Block AI tools entirely

B. Allow, monitor after the fact

C. Per-request manual approval

D. SDK-level rate limits only

WHY IT FAILS

Reactive security at 2× agent speed

Act 1 · The problem

Real defense is architecture,
not automation.

Controls that hold before the run — not detectors that fire after the damage.

Better evals won't save you from an overreaching tool call.
A stricter prompt won't recover a deleted bucket.
An AI watching the agent won't either.

Act 2 · Colosseum

Colosseum — an agent control plane

identity

least privilege

audit

review

replay

one binary

Act 2 · Colosseum

Six primitives. All composable.

Profiles

Scoped identity per agent

Allowlists

Least-privilege tool access

Vaults

Bound secrets, not env vars

Sandboxes

Docker-first execution

Policy Gates

Human approval in the loop

Telemetry

Forensic replay & export

Act 2 · Colosseum

Policy & approvals — the human gate

// Example: require approval for any shell.exec that writes outside the sandbox
policy.Rule{
    Tool:  "shell.exec",
    Match: func(a Args) bool { return writesOutside(a.Cwd, a.Cmd) },
    Action: policy.RequireApproval,
}

The agent pauses, a notification goes to the UI, a human approves or rejects — with a reason, captured in the audit log.

Act 2 · Colosseum

Telemetry — the run is the evidence

Runs
Steps
Tool calls
Events
Spans
Artifacts

counter to

"I can't prove what the agent did."
You can. It's in SQLite. It's queryable. It's exportable.

Act 2 · Colosseum

Replay & export — reproducible forensics

The export bundle is your incident write-up's attachment.

Act 3 · So what

Live Demo

DEMO SCRIPT — keep this window open. 1. Open Agents → support-triage-bot. Show the sectioned config: identity, prompts, tools, credentials, planning, contract. 2. Toggle planning_mode = required. Save. 3. Set output_contract = schemas/triage-v1.json. Save. 4. Kick off a run with a sample ticket. Narrate: "This plan is the first thing a human sees." 5. Approve the plan. Watch the telemetry stream into Run Detail live. 6. Hit the shell.exec approval gate. Approve with a reason. Show the approval in the audit log. 7. Show the artifacts tab — the JSON output matching the contract. 8. Open the run graph. Walk the step tree. Point at the recorded tool calls. 9. Replay the same run with a narrower allowlist. Show that the denied call is visible as an event. If anything goes sideways: append ?demo=video to the URL and the fallback recording takes over.

Act 3 · So what

Confident deployment

Ship the harness, not the hope.

Act 3 · So what

Incident response, rebuilt for agents

What did it do?
Who authorized it?
Can it happen again?
Who else is affected?

The execution graph is the audit trail.

Act 3 · So what

Colosseum vs. "just the SDK"

	Raw SDK	Hosted agent product	Colosseum
Tool allowlist per agent	—	partial	yes
Scoped credential vaults	env vars	vendor	yes
Human-in-loop approvals	DIY	limited	yes
Output contracts	DIY	partial	yes
Full telemetry & replay	—	vendor-locked	yes
Runs on your infra	yes	—	yes
Single binary, no cluster	yes	—	yes

Closing

Open source — all the way down

MIT licensed.
Single Go binary
Embedded UI
Bring your own provider
Bring your own tools

ship in 5 minutes

Closing

Thank you

Colosseum is MIT-licensed and ready to run.

code

github.com/abhid/colosseum-go

docs & demos

README · architecture · runbook

Questions? Catch me after — or open an issue.

s360-26.0x509.com

Appendix

Reference slides · not presented

Act 2 · Colosseum

LLM for synthesis.
Deterministic code for guarantees.

Let the model do what only it can do — reason, summarize, suggest.
Keep enforcement, gating, and audit in code you can read.

Every control in Colosseum is proactive: defined, versioned, and enforced before the agent takes a step — not inferred from its exhaust afterwards.

Act 2 · Colosseum

Agent profiles — scoped identity

name: support-triage-bot
model: claude-sonnet-4-6
provider_config: anthropic-prod
system_prompt: |
  You are a support triage agent. You may read Zendesk and
  the internal KB. You may not write to either.
allowed_tools: [web.fetch, files.read, json.parse]
credential_vault: zendesk-readonly
planning_mode: required
output_contract: schemas/triage-v1.json

One YAML file. One reviewable artifact. Version-controlled like any other deploy.

Act 2 · Colosseum

Tool allowlist — least privilege, per agent

shell.exec
files.read · files.write
web.fetch · browser.navigate
http.request — with URL allowlist
subagent.invoke — explicit agent-calls-agent

counter to

Tool overreach. If a tool is not in the allowlist, it is not callable — enforced in the step loop, not in the prompt.

Act 2 · Colosseum

Credential vaults — scoped secrets, bound per agent

vaults:
  - name: zendesk-readonly
    entries:
      ZENDESK_TOKEN: ${from: doppler, key: ZD_READ_ONLY}
  - name: prod-deploy
    entries:
      AWS_SECRET_ACCESS_KEY: ${from: vault, path: secret/aws/prod}

agents:
  - name: support-triage-bot
    credential_vault: zendesk-readonly   # can't touch prod-deploy

Injected into tool calls at the last possible moment. Redacted from logs and UI by default.

Act 2 · Colosseum

Environments — Docker-first sandboxes

Session lifetime bounded — no zombie containers

counter to

"It ran rm -rf on my laptop."
Blast radius is whatever the container can reach — nothing more.

Act 2 · Colosseum

Output contracts — "looks good" isn't good enough

Contract violations are a terminal error, not a warning

counter to

"The answer looked right, but it was wrong."
The contract turns a qualitative check into a deterministic one.

Act 2 · Colosseum

Planning mode — force a reviewable plan

Three modes, per agent:

off

suggest

required

The plan is stored with the run. You can replay the run and show that the plan was followed.

Closing

What's next

scale

multi-tenant

policy

sandboxes

integrations

tools

Colosseum

Abhi Devireddy

What we're covering

Agents are already in your environment.

You can’t judge what you can’t produce

Three gaps. All structural.

The status quo doesn’t scale.

Real defense is architecture,not automation.

Colosseum — an agent control plane

Six primitives. All composable.

Policy & approvals — the human gate

Telemetry — the run is the evidence

Replay & export — reproducible forensics

Live Demo

Confident deployment

Incident response, rebuilt for agents

Colosseum vs. "just the SDK"

Open source — all the way down

Thank you

Appendix

LLM for synthesis.Deterministic code for guarantees.

Agent profiles — scoped identity

Tool allowlist — least privilege, per agent

Credential vaults — scoped secrets, bound per agent

Environments — Docker-first sandboxes

Output contracts — "looks good" isn't good enough

Planning mode — force a reviewable plan

What's next

Real defense is architecture,
not automation.

LLM for synthesis.
Deterministic code for guarantees.