Luca Defense is the control plane that stores, executes, and organizes your entire privileged-access posture — tiered zones, phishing-resistant identity, and an AI Admin-Gate that brokers every privileged action an agent takes: scoped to one task, alive for minutes, approved where it matters, and immutably audited.
just-in-time.AI agents are a new kind of principal: they authenticate like a machine, act with the reach of a senior operator, behave non-deterministically, and can be steered by any content they read. Handed standing privilege, they are a permanent, machine-speed path to catastrophe.
Built on Microsoft's Enterprise Access model. A higher zone is never administered from a lower one, and credentials never flow downward. An asset's zone is the highest tier it can control — so a server's BMC lives with the identity it could seize.
Identity and anything that can seize it.
The control planes that run everything.
Users, apps, and every AI agent.
A single narrow choke-point for every privileged action an agent initiates. There is no other path from an agent to a control plane — and the gate never trusts the agent's own narrative for the decision.
Security posture lives in one place, is pushed out from one place, and is governed in one place.
Every zone, Conditional-Access & PIM policy, break-glass account, firewall intent, AI action-allowlist, and broker grant — versioned, diffable, one source of truth.
The only thing that pushes settings outward — to the directory, the firewall, the BMCs, and the broker — always report-only before enforce, so nothing locks you out.
Governs who and what may invoke each action, routes AI through the admin-gate, and keeps a tamper-evident record of every change.
Luca Defense is in build now, dogfooded across our own estate. Request early access or a walkthrough of the architecture.
Request access