Opsin officially moved its enterprise AI security platform into production on June 18, 2026, bringing runtime governance to autonomous agents across healthcare, manufacturing, and other regulated sectors. The San Francisco startup’s platform—already deployed at multiple unnamed Fortune 500 firms—tackles a blind spot in agentic AI: while most security tools focus on what users type into a prompt box, Opsin monitors and controls what AI agents actually do when they start executing tasks on their own. For Windows enterprise shops running Microsoft Copilot agents or other LLM-based automation, the launch signals that guardrails can no longer stop at the chat interface.
Early adopters include a Midwestern hospital network using Copilot agents to process patient intake forms and a heavy-equipment manufacturer that lets AI agents trigger supply-chain reorders. In both cases, Opsin’s platform sits between the agent and the production systems it touches—Windows servers, SQL databases, REST APIs—and validates every action against human-authored policies before allowing execution. Failed checks trigger an alert, a block, or a forced human approval step, depending on the policy severity.
From Prompt Filtering to Runtime Enforcement
The platform’s core insight is that prompt-level security isn’t enough. “You can sanitize inputs all day, but an agent that generates a perfectly safe natural-language response might still try to delete a production database table as part of a multi-step workflow,” said Opsin CEO and co-founder Maria Kessler in a briefing with reporters. “We instrument the runtime layer—the actual API calls, tool invocations, and data mutations—so that governance travels with the agent into every system it touches.”
Technically, Opsin deploys as a lightweight sidecar proxy that intercepts outbound calls from AI orchestrators. On Windows, that often means hooking into PowerShell remoting sessions, COM interop layers, or Azure-connected toolchains. The proxy inspects each action’s intent, parameters, and destination against a central policy engine written in Rego, the Open Policy Agent (OPA) policy language popularized by Kubernetes governance tools. Policies can be as granular as “a Copilot agent may read patient records from the EHR database but may not write changes unless a physician approves the diff” or as broad as “any agent-initiated financial transaction over $5,000 requires dual approval.”
Administrators define policies through a web dashboard or via Infrastructure as Code (IaC), checking rules into git repositories. The policy engine evaluates actions in sub-millisecond time, avoiding noticeable latency even for high-throughput robotic process automation (RPA) workloads. For Windows-centric environments, Opsin distributes its sidecar via MSIX packages and integrates with Microsoft Intune for policy deployment, giving IT teams a familiar management surface.
Real-World Deployments Highlight Industry Pain Points
Healthcare remains the earliest vertical with production traction. A regional hospital chain, which asked not to be named for competitive reasons, is using Opsin to wrap around Microsoft Copilot agents that summarize physician notes and suggest billing codes. According to the hospital’s CISO, the platform has already stopped two incidents where an agent attempted to write to a billing system outside of an approved scheduling window—something that would have triggered a compliance audit. “Agentic automation promises tremendous efficiency,” the CISO said in a case-study snippet released by Opsin, “but without runtime enforcement, one misconfigured agent could turn a minor administrative task into a HIPAA violation. Opsin gives us the same confidence we’d have with a human employee following a checklist.”
In manufacturing, a tier-1 automotive supplier deployed the platform to oversee agents that adjust inventory levels in an on-premises Windows Server–based ERP system. The agents, built on open-source orchestration frameworks and wired into Microsoft 365 Copilot, were sometimes overordering raw materials when demand forecasting models swung. Opsin now enforces procurement caps that escalate for human sign-off when an order exceeds a preset percentage of average monthly consumption. “It’s like having a compliance officer riding shotgun with every agent instance,” the plant’s IT director said.
Why Windows Administrators Should Care Now
For the Windows administrator reading this, the urgency might not be obvious—yet. But Microsoft’s aggressive push of Copilot into every corner of the enterprise stack (Copilot for Security, Copilot for Azure, Copilot in Intune) means that agentic behavior is quickly becoming the default interaction model. A Copilot agent that analyzes security alerts can also be granted permission to quarantine a device or block a domain. Without runtime policy enforcement, that agent operates in a binary trust model: either it has permission to act, or it doesn’t. Opsin introduces a third option—acting, but within guardrails and with audit trails.
Microsoft itself is building governance features into Purview and Copilot Studio, but they are largely focused on data-loss prevention and prompt-level moderation. Opsin fills the gap beneath the prompt: the chain of tool calls, script executions, and API interactions that constitute real production work. In a demo at Microsoft Build 2026, Opsin showed how its sidecar could intercept a Copilot agent’s attempt to invoke the Invoke-WebRequest PowerShell cmdlet against an unapproved domain, blocking the call and logging the event to Azure Sentinel. The integration required no changes to the agent’s code, only a one-line addition to the orchestrator’s configuration file.
Competitive Landscape and Differentiation
The agentic security space is getting crowded. Startups like TrojAI, HiddenLayer, and Cranium have raised significant rounds to tackle AI-specific threats, but most concentrate on model security, adversarial prompt detection, or data poisoning. Opsin’s production-control angle sets it apart. “We’re not a red team for your LLM,” Kessler noted. “We assume your model is already deployed and making decisions. Our job is to make sure those decisions don’t violate business policy or regulatory requirements once they leave the sandbox.”
Analysts are taking notice. Gartner’s 2026 Hype Cycle for AI Governance lists “Agentic Runtime Control” as a new entry, with fewer than 10 vendors actively shipping. Gartner analysts predict that by 2028, enterprises that deploy agentic AI without runtime policy engines will experience at least one material security incident per quarter, compared with virtually none for those that do. Opsin is positioning itself as the category leader by releasing hardened integrations with Microsoft ecosystem tools first—a smart move given that two-thirds of agentic prototypes in the enterprise run on Windows or Azure, according to a May 2026 survey by Redmond Intelligence.
Under the Hood: Policy as Code Meets Agentic Workflows
To understand Opsin’s approach, consider a typical agent workflow: a business user asks a Copilot agent to “prepare the quarterly sales deck, pull the latest CRM data, and send it to the regional directors.” The agent interprets the prompt, generates a plan, and begins executing steps: querying the CRM, launching Excel to build charts, and interacting with Outlook to send emails. Each of those steps involves API calls, file I/O, and network activity. Opsin’s sidecar intercepts each action after the agent plans it but before execution. The sidecar evaluates the action against policies tagged with metadata from the agent’s identity, the user’s role, and the data sensitivity.
Policies are written in Rego and can be as sophisticated as the organization’s risk posture demands. A sample snippet shared with WindowsNews.ai shows a rule that checks whether an agent is trying to send an email containing more than five PDF attachments to external recipients—a common exfiltration vector during agent-driven data-gathering tasks. If the rule fires, the action is blocked and the user gets a Teams notification asking for justification. Once the justification is provided and approved by a manager, the agent can retry the action.
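To make the runtime-enforcement model concrete, here is an added Rego policy that is not Opsin’s code and not the snippet the company shared; it illustrates the three kinds of rule the article describes: the email rule above (more than five PDF attachments to external recipients, blocked until a manager approves a justification), the “financial transaction over $5,000 requires dual approval” rule, and the Build 2026 demo of blocking Invoke-WebRequest to an unapproved host. The input document shape (agent, user, action fields), the decision names, the domain allow lists, and the justification and approvals fields are all assumptions made for this example; a real sidecar would populate them from the intercepted call and the approval workflow.

```rego
# Added example policy, not Opsin's. Assumes the sidecar hands the engine one
# planned action per evaluation as an input document of the (constructed) form:
#   {"agent": {"id": "..."}, "user": {"role": "..."},
#    "action": {"type": "...", ...type-specific fields...}}
package agent_runtime.policy

import rego.v1

# Final decision for the planned action. "block" wins over "require_approval",
# which wins over "allow". These decision names are chosen for this example.
default decision := "allow"

decision := "block" if count(deny) > 0

decision := "require_approval" if {
	count(deny) == 0
	count(needs_approval) > 0
}

# Constructed organisational data; a deployment would load these from data.*
internal_mail_domains := {"corp.example"}
approved_web_hosts := {"graph.microsoft.com", "crm.corp.example"}

# --- Rule 1: outbound email carrying many PDFs to external recipients -------

is_internal_address(addr) if {
	parts := split(addr, "@")
	count(parts) == 2
	domain := lower(parts[1])
	internal_mail_domains[domain]
}

external_recipients contains r if {
	some r in input.action.recipients
	not is_internal_address(r)
}

pdf_attachments contains a if {
	some a in input.action.attachments
	endswith(lower(a.name), ".pdf")
}

# Blocked outright unless the approval workflow has already recorded a manager
# sign-off on the user's justification (assumed field: justification.approved_by),
# which is how the retry after approval gets through.
deny contains msg if {
	input.action.type == "send_email"
	count(external_recipients) > 0
	count(pdf_attachments) > 5
	not input.action.justification.approved_by
	msg := sprintf(
		"email with %d PDF attachments to external recipients %v needs an approved justification",
		[count(pdf_attachments), external_recipients],
	)
}

# --- Rule 2: agent-initiated financial transaction over USD 5,000 -----------

# Escalates to a human approval step rather than blocking; the action proceeds
# once two distinct approvals are attached (assumed field: action.approvals).
needs_approval contains msg if {
	input.action.type == "financial_transaction"
	input.action.amount_usd > 5000
	approvals := object.get(input.action, "approvals", [])
	count(approvals) < 2
	msg := sprintf(
		"transaction of USD %v has %d of 2 required approvals",
		[input.action.amount_usd, count(approvals)],
	)
}

# --- Rule 3: PowerShell Invoke-WebRequest to a host outside the allow list --

deny contains msg if {
	input.action.type == "powershell_cmdlet"
	input.action.cmdlet == "Invoke-WebRequest"
	host := lower(input.action.uri_host)
	not approved_web_hosts[host]
	msg := sprintf("Invoke-WebRequest to unapproved host %q", [host])
}
```

With the policy saved as policy.rego and a planned action serialised to input.json, `opa eval -i input.json -d policy.rego "data.agent_runtime.policy.decision"` returns the decision, and `data.agent_runtime.policy.deny` or `.needs_approval` returns the human-readable reasons the sidecar would attach to its alert or Teams notification. Keeping block and escalation reasons in separate sets is what lets a single policy file express the alert/block/approval severities described earlier, and every fired rule carries its message into the audit trail rather than a bare true/false.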
The sidecar itself runs as a Windows service or a container, with a memory footprint under 200 MB. Opsin says it processes over 1,000 policy evaluations per second on a single quad-core instance, making it suitable for high-throughput agent environments. All actions—allowed, blocked, or escalated—are logged to a tamper-proof ledger that can be exported to SIEMs via Syslog or the Azure Monitor Agent, meeting SOC 2 and ISO 27001 auditing requirements.
What’s Next: Expansion, Marketplace, and Windows Admin Center Plugin
Opsin plans to release a plugin for Windows Admin Center by Q4 2026, allowing IT pros to view agent activity and policy violations from the same console they use to manage servers and clusters. An Azure Marketplace listing is also in the works, with consumption-based pricing tied to the number of agent actions evaluated per month. Kessler declined to share specific pricing tiers but indicated that a free tier for up to 10,000 evaluations per month will be available for testing and small-scale deployments.
The company is also building connectors for non-Microsoft platforms—Amazon Bedrock Agents and Google Vertex AI Agent Builder—but Kessler doubled down on the Windows-first strategy: “The enterprise runs on Windows. Agents will run on Windows. Our job is to make sure nobody has to choose between innovation and control.”
The Bottom Line for Windows Shops
Agentic AI is no longer a science project. With Copilot agents that can now directly manipulate Active Directory, manage DNS records, or restart Hyper-V virtual machines, the attack surface has shifted from human users to autonomous software that can make hundreds of decisions per second. Opsin’s platform offers a pragmatic way to buy back control without slowing down adoption. For Windows administrators evaluating their agent governance posture, the message is clear: the prompt is just the beginning. Production-level control starts where the prompt ends.
As one beta tester put it during a private preview session: “I sleep better knowing my agents have a guardian. Because they sure as hell aren’t going to stop themselves.” With its general availability launch, Opsin is betting that plenty of CISOs and IT directors will want that same peace of mind.