Voice agents (Realtime API)
Govern the tool calls and output of an OpenAI Realtime voice agent with the same policy, risk scoring, and audit trail as any other agent.
A voice agent built on the OpenAI Realtime API
keeps a live WebSocket open and calls tools mid-conversation. Those tool calls
are the same security surface AxioRank already governs for text agents, so
createRealtimeGuard maps each one to the same policy engine, risk scoring,
audit trail, approvals, and multi-step kill-chain correlation.
It is transport-agnostic. You own the socket (WebSocket, WebRTC data channel, or a server-side sideband connection); the guard just needs each server event.
Install
npm install @axiorank/sdkGuard a session
import { AxioRank } from "@axiorank/sdk";
import { createRealtimeGuard } from "@axiorank/sdk/realtime";
const axio = new AxioRank({ apiKey: process.env.AXIORANK_KEY! });
const guard = createRealtimeGuard(axio, { sessionId });
ws.on("message", async (raw) => {
const event = JSON.parse(raw.toString());
const verdict = await guard.onServerEvent(event);
// On a denied function call, send the block back so the tool never runs.
for (const ev of verdict.send) ws.send(JSON.stringify(ev));
if (verdict.kind === "function_call" && verdict.decision === "allow") {
// run the tool, then send your own function_call_output
}
});What gets governed
Function tools (preventive). When the model asks to run a function, OpenAI
emits response.function_call_arguments.done. The guard scores it before your
app executes anything. On a deny it returns a function_call_output carrying
the block plus a response.create, so the model gets a blocked result and
continues gracefully. The action never fires.
Output (detective). The guard inspects the model's output transcript
(response.output_audio_transcript.done) for leaked secrets and PII.
In a live voice call the audio has already streamed by the time a transcript is
final, so an output finding is audited and alerted, not un-said. Wire
onOutputLeak to route it into your incident flow. Use inspectOutput: false
to turn it off.
MCP tools (already covered). If your realtime session attaches an mcp tool
whose server_url points at your AxioRank MCP gateway,
those calls are inspected server-side today, with no extra code. createRealtimeGuard
governs the function tools your own app executes.
Options
| Option | Default | What it does |
|---|---|---|
sessionId | none | Groups this call with its siblings on the Agent Runs page. |
inspectOutput | true | Inspect output transcripts for secret/PII leakage. |
outputTool | "realtime.output" | Tool name recorded for output inspection. |
onOutputLeak | none | Called when output DLP flags a leak in what the agent said. |
metadata | none | Tags merged onto every governed call (for example your end-user id). |
The whole conversation is one AxioRank run, and governance inherits your
client's outage posture, so a gateway blip never silently halts a call unless
you configured fail_closed.
Browser agent security
Govern AI agents that act inside the browser with a Chrome extension that scans pages for prompt injection, blocks secret and PII exfiltration through forms, network requests, and the clipboard, and mints a signed, offline-verifiable Browser Session Seal.
Config as code
Export, review, and import your workspace governance as a versioned JSON document.