See exactly what AAF would have blocked.
Shadow Mode runs Agent Action Firewall non-enforcing for 30 days. Every action your agents take is evaluated against your policies — but nothing is blocked. Get a weekly digest showing the risks you can’t see today.
A week of Shadow Mode looks like this
Sample digest from a mid-size SaaS team running 5 agents. Names redacted.
Your AAF Shadow Mode digest — week of Apr 19
From: digest@agentactionfirewall.com
- Total actions: 18,420
- Would deny: 47
- Would require approval: 312
- Divergence rate: 1.95%
Top risky operations this week
| Tool · operation | Count | Reason |
|---|---|---|
| stripe:refund | 14 | Amount exceeds policy ceiling |
| postgres:delete_user | 11 | Production target, no approval |
| salesforce:export_contacts | 9 | Missing DLP scan |
| github:close_pr | 7 | Cross-repo not in agent grants |
| aws:terminate_instance | 6 | No approval ticket |
How Shadow Mode works
Four steps. No code changes. No production risk.
1. Enable Shadow Mode. Toggle Shadow Mode on in your AAF dashboard. Your agents continue executing every action; nothing is blocked.
2. AAF evaluates every action. Each action is scored against your policies in parallel. Decisions are recorded as `shadow_decision` (allow / deny / require_approval) without enforcement.
3. Weekly digest hits your inbox. Every Monday: total actions, would-have-blocked count, top risky tools, and divergence rate. PDF attached for your CISO.
4. Flip the switch when ready. Once the divergence rate stabilizes, switch from Shadow Mode to enforcement. No code changes, just a config flip.
Why most teams start with Shadow Mode
Three reasons it’s the safest way to evaluate AAF before committing.
Zero risk of blocking real traffic
Shadow Mode is read-only. Your agents continue exactly as they do today. AAF observes, you decide.
Quantify risk before you commit
See your divergence rate (% of actions that would not have been allowed) trend over the period. Most teams find 1–4%.
Build the policy backlog with evidence
The digest tells you exactly which tools and operations need policy work, ranked by frequency. No more guessing.
Run AAF in Shadow Mode for 30 days. Free.
No credit card. No code changes. Cancel any time. Find out exactly what you don’t know about your agents’ behavior.