Security
Security Model
Last updated: May 24, 2026
Forsig is in private beta. The product is designed to help autonomous AI agents pause before risky actions, ask the right human for a decision, and resume with an audit trail.
Current Launch Status
The public website collects waitlist, referral, contact, and optional qualification information. The beta product direction focuses on approval requests, reviewer decisions, agent resume responses, communication workflows, and audit logs.
Security Principles
- Minimize data exposure. Forsig should receive only the intervention context selected by the user or agent.
- Make decisions auditable. Approval status, reviewer decisions, timestamps, and returned instructions should be recorded.
- Keep humans accountable. Reviewers should see enough context to approve, reject, or edit responsibly.
- Avoid over-automation. Risky workflows should have explicit human decision points.
- Fail closed by default. Production workflows should stop or fall back safely when a decision expires, cannot be verified, or cannot be delivered.
Escalation Context
Forsig may process agent names, run IDs, task descriptions, proposed actions, risk categories, context fields, approval status, human decisions, timestamps, reviewer metadata, and audit logs. Users control what context their agents send and should avoid secrets or unnecessary sensitive data.
Data Minimization
Forsig examples intentionally send small, reviewer-ready payloads instead of entire customer records, secrets, payment credentials, API keys, prompts, or full production logs. The recommended pattern is to send a short task title, proposed action, risk reason, and the minimum context needed for a human decision.
Decision Verification
Beta API examples use bearer-token authenticated requests. Webhook signing and verification examples are part of the developer docs so teams can verify decision callbacks before their agents trust the returned instruction.
Communication Channels
The private beta starts with a web approval inbox. Slack and email workflows are planned. WhatsApp, Discord, Microsoft Teams, and similar channels may be added based on user demand. Each integration will introduce its own configuration and security considerations.
Access Control And Retention
Current beta workspaces support scoped developer access, API key hold/revoke flows, audit export, and reviewer email routing. Team RBAC, retention controls, and deletion workflows will continue to mature before a broader public launch.
Audit Logs
Audit logs are part of the product. Forsig is intended to record what the agent proposed, what the reviewer decided, what instruction was returned, and when those events happened.
Beta Controls
- API keys are shown once at creation, then masked in the console.
- Keys can be held for temporary pause or revoked permanently.
- Workspace owners can choose who receives escalation email notifications.
- Audit trails can include real, test, and shadow simulation events for launch debugging.
Responsible Disclosure
If you believe you found a security issue, use the contact page and include a clear description, reproduction steps, affected URLs or endpoints, and potential impact. Please avoid accessing or modifying data that is not yours.
Compliance
Forsig is not currently claiming SOC 2, ISO 27001, HIPAA, PCI, or other formal certification. The compliance roadmap is to document controls, retention, access review, incident response, and vendor management as the private beta moves toward team and public launch readiness.
What Users Should Do
- Start with non-critical workflows during private beta.
- Do not send secrets or unnecessary sensitive data in intervention context.
- Use clear reviewer ownership for risky workflows.
- Keep your own agent safeguards in place.
- Review audit logs for decisions that affect customers, billing, data, or production systems.