Four open-source projects. All solve AI agent compliance. They sound similar because they share the same HMAC-SHA256 audit chain at the core, but they serve different integration models. Here is the plain-English decision tree.
If you are still not sure after reading the decision tree, the answer is pip install air-trust. It is the default for a reason.
Three individual components and one complete stack that packages all of them together. All four share the same HMAC-SHA256 audit chain core. air-trust, gateway, and air-gate are the standalone pieces; air-platform is everything pre-wired.
pip install air-trust
docker run airblackbox/gateway
pip install air-gate
docker compose up
A flat matrix of what each product does and does not do. Use this to sanity-check the decision tree above.
| Capability | air-trust | gateway | air-gate | air-platform |
|---|---|---|---|---|
| What it is | Python library | HTTP proxy | Tool approval checkpoint | All three + observability, pre-wired |
| Includes the others? | Standalone | Standalone | Standalone | Yes (bundles air-trust + gateway + air-gate) |
| Language support | Python only | Any (HTTP client) | Python only | Any (via bundled gateway) |
| HMAC-SHA256 audit chain | Yes | Yes | Yes | Yes (unified across all components) |
| Human-in-the-loop approval | No | No | Yes | Yes (via bundled air-gate) |
| Distributed tracing (Jaeger) | No | No | No | Yes |
| Policy engine | Basic | Basic | Basic | Full (OPA-compatible) |
| Requires separate process | No | Yes | No | Yes (Docker Compose) |
| Install time | ~30 seconds | ~5 minutes | ~30 seconds | ~5 minutes |
| Works offline | Yes | Yes | Yes | Yes |
| CSA ATF conformance (v0.4.0+) | Yes | Planned | Planned | Yes (via bundled air-trust) |
| Typical user | Python developer | Platform engineer | Agent ops team | Enterprise / compliance lead |
| License | Apache 2.0 | Apache 2.0 | Apache 2.0 | Apache 2.0 |
Real situations from real developers. Find yours and copy the install command.
pip install air-trust. One import, three lines of code, done. You will have signed audit records on your disk in under a minute.air-trust for the rest of the agent's calls. They compose well.docker compose up and the complete AIR Blackbox stack is live: air-trust for Python agents, gateway for non-Python services, air-gate for tool approvals, a policy engine, an episode store, and Jaeger tracing. All sharing one audit chain. Point any test agent at it and show the dashboard.pip install air-trust. Its adapters cover LangChain, CrewAI, LlamaIndex, AutoGen, and 15+ others. If you switch frameworks later, the same air_trust.trust(...) call still works.Questions that come up on every office hours call and in every GitHub discussion.
Usually no. If you need more than one, use air-platform. For individual developers, pick the single component that matches your integration model (air-trust, gateway, or air-gate) and ship. For enterprises that want multiple integration models running together with unified auditing, use air-platform; it bundles all three plus a policy engine and tracing, so you get the full picture without wiring three separate installs together.
Honest answer: the audit chain is the same core, but the three integration models serve very different users. A Python developer does not want to run Docker. A platform engineer does not want to import a library into every service. A compliance lead does not want to write code at all. One tool cannot be the right shape for all three, but an enterprise deployment often needs all three running side-by-side. That is what air-platform is for: it is not a fourth product, it is the complete stack that bundles air-trust, gateway, and air-gate together with shared auditing, an episode store, a policy engine, and Jaeger tracing.
Yes. The audit record format is identical across all four. An air-trust SQLite database can be imported into a gateway deployment, and vice versa. Your historical evidence does not get stranded if you change integration models.
air-trust is the current focus. It just shipped v0.7.0 with CSA Agentic Trust Framework conformance, and it is the package most actively developed. The others receive backports of the shared audit chain logic but do not get new features as quickly.
No. None of these tools certify anything. The EU AI Act does not have a certification scheme for compliance tooling. Certification applies to the AI system itself. AIR Blackbox products produce the evidence (Article 12 record-keeping, Article 11 technical documentation) that regulators or auditors will ask for. The certification decision remains with the operator of the AI system.
That is when general-purpose AI model obligations under the EU AI Act become enforceable. If you are deploying agents in or serving users in the EU, Articles 11 and 12 apply to you on that date. All four AIR Blackbox products are designed to produce the evidence trail those articles require. Start with air-trust this week. Graduate to the others only if you hit a limitation.
If you are still not sure, install air-trust. It is one command, zero dependencies, and takes 30 seconds. You can switch to gateway, air-gate, or air-platform any time. Your audit records come with you.