17 CreateAccessKey events in the last 72 hours from arn:aws:iam::user/ci-deployer. Your baseline is ~2/wk, and all prior calls were during deploy windows. None of the new keys have been used yet. No matching deploy in your release log.
An agent watches one thing and acts on it. Not a workflow, just a standing watch that usually does nothing and acts the moment it should.
An agent does what you'd do, and only what you've authorized.
It acts on the same governed metrics as your dashboards, and every action is logged and traceable.
It alerts and recommends on its own; anything that changes data is yours to approve.
Point a new agent at a throwaway channel and watch its judgment before it touches anything real.
It remembers what it already flagged and waits before acting again, so it won't alert you about the same thing twice.
It joins your CloudTrail events to your deploy log and affected resource inventory, so a burst of API calls is not just a count in a log; it is a service, a release, and the resources it touched. You see whether the activity was a deploy doing its job or something that happened outside any known change.
When a principal starts calling APIs it has never called, or call volume on a service spikes outside deploy windows, it flags the actor, the event names, and the affected resources. You find out when the pattern breaks, not during a forensic review three weeks later.
It tracks who is creating keys, assuming roles, and modifying IAM policies, and flags the ones that fall outside your normal change pattern. You catch the orphaned access key or the over-permissioned role change before it becomes an audit finding.
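The check described above (key creation above baseline, outside deploy windows, with keys not yet used) can be sketched as follows. This is an added example, not Definite's code; it assumes events are already parsed into dicts carrying the standard CloudTrail fields `eventTime`, `eventName`, `userIdentity` and `responseElements`, and the account ID, key IDs, timestamps and the `ev` helper are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flag_key_bursts(events, deploy_windows, baseline_per_week, now, lookback_hours=72):
    """Return {principal ARN: finding} for CreateAccessKey activity above the
    baseline rate that includes calls outside every known deploy window."""
    since = now - timedelta(hours=lookback_hours)
    expected = baseline_per_week * lookback_hours / 168  # baseline scaled to the lookback
    # Any key ID seen as a caller's credential has been used at least once.
    used = {e["userIdentity"].get("accessKeyId") for e in events}
    findings = {}
    for e in events:
        t = parse(e["eventTime"])
        if e["eventName"] != "CreateAccessKey" or e.get("errorCode") or not since <= t <= now:
            continue  # wrong API, failed call (no key issued), or outside the lookback
        f = findings.setdefault(e["userIdentity"]["arn"],
                                {"count": 0, "outside_window": 0, "unused_keys": []})
        f["count"] += 1
        if not any(start <= t <= end for start, end in deploy_windows):
            f["outside_window"] += 1
        key_id = e["responseElements"]["accessKey"]["accessKeyId"]
        if key_id not in used:
            f["unused_keys"].append(key_id)
    return {a: f for a, f in findings.items() if f["count"] > expected and f["outside_window"]}

def ev(ts, name, arn, caller_key=None, new_key=None):
    """Build a constructed event with only the CloudTrail fields used above."""
    e = {"eventTime": ts, "eventName": name,
         "userIdentity": {"arn": arn, "accessKeyId": caller_key}}
    if new_key:
        e["responseElements"] = {"accessKey": {"accessKeyId": new_key}}
    return e

# Constructed sample data: placeholder account ID, key IDs and times.
CI = "arn:aws:iam::111122223333:user/ci-deployer"
DEV = "arn:aws:iam::111122223333:user/dev-alice"
NOW = parse("2024-05-10T12:00:00Z")
WINDOWS = [(parse("2024-05-08T09:00:00Z"), parse("2024-05-08T10:00:00Z"))]
EVENTS = [
    ev("2024-05-01T09:10:00Z", "CreateAccessKey", CI, new_key="AKIAEXAMPLEOLD"),  # before lookback
    ev("2024-05-08T09:30:00Z", "CreateAccessKey", CI, new_key="AKIAEXAMPLE1"),    # in deploy window
    ev("2024-05-08T09:40:00Z", "PutObject", CI, caller_key="AKIAEXAMPLE1"),       # key 1 gets used
    ev("2024-05-08T09:45:00Z", "CreateAccessKey", DEV, new_key="AKIAEXAMPLE9"),   # in deploy window
    ev("2024-05-09T02:00:00Z", "CreateAccessKey", CI, new_key="AKIAEXAMPLE2"),
    ev("2024-05-09T02:05:00Z", "CreateAccessKey", CI, new_key="AKIAEXAMPLE3"),
    ev("2024-05-09T02:10:00Z", "CreateAccessKey", CI, new_key="AKIAEXAMPLE4"),
]
FINDINGS = flag_key_bursts(EVENTS, WINDOWS, baseline_per_week=2, now=NOW)
```

Only `ci-deployer` is flagged: `dev-alice` also exceeds the scaled baseline with a single key, but that call sits inside a deploy window.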
Beyond alerts and write-backs, an agent can run arbitrary Python, so it can do whatever the task actually requires: call an API, kick off a job, reshape the data, or wire into your own tooling. The action space is yours to define.
You could rig one of these with a cron job and a Slack webhook in an afternoon. The watching is the easy part. Here's what you'd otherwise own forever, and don't have to here:
Every AWS CloudTrail object, modeled and query-ready the moment you connect.
It runs on your real CloudTrail log (read-only noise, service-linked role chatter, test-account leakage and all), not a tidy demo.
A message in the channel you choose, with the context and a button to act on it.
A summary in the inbox of the people who need to see it.
A payload to your own systems, to wire the agent into whatever you already run.
A flag written back to your warehouse for everything downstream to pick up.
Kick the question to Fi to investigate the why and propose the fix.
Expose it to your own agents and tools over MCP, and drive it from your stack.
Run it in your own VPC or fully self-hosted. Everything it does is pure SQL and Python you can inspect.
Fi is your AI analyst. It helps you build and customize everything in Definite, including the agents that watch and act.