Astry is in Beta. The company brain that reasons, not just searches.
Astryastry

Access that is physical, not a prompt.

Before any inference, Astry builds a fresh sandbox holding only the files you are cleared to see, then runs the model with that directory as its entire world. You cannot prompt-inject your way to a file that is not there.

Trust Layer
Building projection…
computing
Tom Becker, analyst
clearance internal · groups: -
Your perimeter in the vault
298/ 644 captures accessible
346 captures out of your reach, physically absent from the sandbox.
0
copied to sandbox
0
discarded, never read
Why these files are discarded
Requires ‘confidential’ clearance128
Restricted to group ‘atlas’71
Requires ‘executive’ clearance54
Restricted to group ‘nova’38
Requires ‘restricted’ clearance29
Restricted to group ‘rh’18
Explicit exclusion8
Access filtering644 candidates
authorized → sandbox denied by ACL
Tools run in the sandbox · 6
glob**/*.md
read_file01_wiki/strategie-produit-2026.md
greproadmap Q3
read_file00_raw/slack-tech-2026-05.md
read_file01_wiki/budget-atlas.md
grepteam OKR

The agent has only these read-only tools, and they see only the sandbox — no access to the real vault or the network.

A physical copy, not a link — the sandbox holds no pointers to the real vault. The agent cannot read a discarded file: it does not exist for it.

full cycle: 4.2 s

298 copied to sandbox · 346 discarded, never read

Five deterministic steps before the model runs.

Access is decided in plain code, before the model exists for your request. Each step runs in order, every time. Nothing about the result depends on how the question is phrased.

  • 01

    Verify identity

    Astry reads the OIDC token issued by your identity provider and resolves the asker, their groups and their clearance. No parallel account, no second password.

  • 02

    Compute the authorized set

    It intersects the files that are semantically relevant to the question with the files the asker is actually permitted to read. Permissions inherit from the source system, so the set is exact.

  • 03

    Project into a sandbox

    Real copies of those files, never symlinks, are written into a fresh per-request temporary directory. Nothing outside the authorized set is present on disk.

  • 04

    Run the model, scoped

    The working directory is the sandbox and nothing else. Tools are read-only, the network is off, and the run is cost-bounded. The model can reach only what was projected for this request.

  • 05

    Audit, destroy, return

    Every file ID is written to an append-only record, the sandbox is deleted in a finally block, and the cited answer is returned. The evidence outlives the sandbox.

Security you can point to.

Not a policy the model is asked to respect. A boundary built into where the files live and where the model can look.

A filesystem boundary, not a prompt rule

Access is decided in plain code and enforced by the directory the model runs in. Path validation rejects any attempt to climb out. It is not an instruction the model could be talked out of following.

Permissions inherit from the source

Clearance comes straight from Slack, Drive, SharePoint and the rest. If you cannot open a channel there, nothing derived from it ever reaches your sandbox.

Per-request sandbox, then destroyed

Each question gets its own temporary directory, scoped to one asker. When the answer returns, the sandbox is deleted. No standing copy of your data sits around.

Every decision logged

Every query, every file ID and every response is written to an append-only record. Logging never blocks a request, so the trail is always complete.
See the audit log

Unlisted, so unreachable

Only the cleared files are copied in and written to the sandbox manifest. The model cannot cite, open or even discover a file it was never handed, because none of the others are on disk.

Runs inside your own cloud

Under BYOC the engine runs entirely on infrastructure you own, and Astry holds no credentials to it. The control plane sees only operational metadata, never your files, conversations or audit records.
Read about BYOC

The guarantees, at a glance.

Per-requestsandbox, built then destroyed
0files outside your clearance on disk
100%of file access logged, append-only
Fail-closedno membership means no access

Good to know.

  • Filtering normally happens inside or after retrieval, where a model is already in the loop. Here the filtering happens in plain code before the model exists for your request, and unauthorized files are physically absent from the sandbox rather than hidden behind a rule.

Trust is the architecture, not a clause.

See how a single request is projected, scoped and destroyed inside your own cloud.

Log inRead the security model