Axiomly Complete User Guide

Your comprehensive guide to using the Axiomly AI Governance Platform

Version 1.0 | Last Updated: March 17, 2026

What is Axiomly?

Axiomly is an AI governance platform that helps organizations control which libraries, packages, tools, and configurations AI agents can use. It acts as a centralized approval registry that ensures security, compliance, and consistency across your development teams.

Key Benefits

  • Security: Only approved, vetted libraries can be used
  • Compliance: Automatic tracking and auditing of all dependencies
  • Consistency: Everyone uses the same approved tools and versions
  • Control: Centralized management of all development dependencies
  • Transparency: Clear approval workflow with audit trails

How It Works

  1. Developer asks AI agent to install a library
  2. AI agent checks Axiomly for approval status
  3. If approved: Installation proceeds
  4. If not approved: Request is submitted for review
  5. Administrators review and approve/reject requests

Getting Started

Step 1: Access the Web Portal

Navigate to your organization's Axiomly URL (ask your administrator for the exact URL).

Step 2: Sign In

Option A: Single Sign-On (SSO)

  • Click "Sign in with Microsoft" (or your organization's SSO provider)
  • Authenticate with your organizational account

Option B: Local Authentication

  • Enter your username and password
  • Click "Sign In"

Step 3: First-Time Setup

After logging in for the first time:

  1. Your API key is automatically generated
  2. Review your profile information
  3. Download your personalized installer
  4. Install IDE integration

Web Portal Guide

Homepage (User Dashboard)

The homepage shows all approved items with powerful search and filtering:

  • Search Bar: Find specific items by name with real-time results
  • Filters: Filter by type (Library, MCP Server, Extension, etc.) and status
  • Sort Options: Sort by name, type, date added, or popularity
  • Download Installer Button: Get your personalized IDE installer
  • Item Cards: Click any item to view detailed information

Item Details Page

View comprehensive information about any approved item:

  • Basic Information: Name, version, type, status, description
  • Security Assessment: Axiomly risk analysis, vulnerability scan, health metrics
  • API Access: Code snippets for using the item via API
  • Metadata: Date added, last updated, approval history

Profile Page

View and manage your account:

  • User information (name, email, role)
  • API key status and prefix
  • Last used timestamp
  • Actions: Regenerate API key, Download installer

Important: After regenerating your API key, you must download and run the new installer to update your IDE configuration.

Request Access Page

Submit approval requests for new items:

  1. Select item type (Library, MCP Server, Extension, etc.)
  2. Enter name and version
  3. Provide justification (be specific!)
  4. Submit request

Security Assessment

What is Security Assessment?

Axiomly provides automated security analysis for library packages by aggregating data from trusted security research firms, package health services, and official package repositories.

Axiomly Score

The Axiomly Score is a comprehensive risk assessment (0-100, higher is better):

  • 90-100: Excellent - Low risk, well-maintained, secure
  • 70-89: Good - Acceptable risk, actively maintained
  • 50-69: Fair - Moderate risk, review carefully
  • Below 50: Poor - High risk, consider alternatives

Viewing Security Assessments

From Item Details Page

  1. Click any library item from the homepage
  2. Scroll to "Security Assessment" card
  3. Click "View Full Assessment" for detailed analysis

From Edit Item Page (Admins)

  1. Go to Tenant Admin > Approved Items
  2. Click "Edit" on any library
  3. Security assessment loads automatically in right panel
  4. Change version to see assessment for different versions

From Approval Requests (Admins)

Quick ratings appear inline for each library request showing:

  • 📊 Axiomly Score (color-coded: green/yellow/red)
  • 🛡️ Vulnerability Count
  • 💊 Health Score

Using Security Assessments

For Users

  • Check security assessment before requesting approval
  • Look for high Axiomly Scores (70+)
  • Avoid packages with critical vulnerabilities
  • Consider alternatives if score is low

For Administrators

  • Review security assessment when approving requests
  • Use quick ratings to prioritize review queue
  • Reject packages with critical vulnerabilities
  • Require justification for low-scoring packages
  • Periodically review approved items for new vulnerabilities

Note: Security assessments are based on data from trusted security research firms, package health services, and official package repositories. Final approval authority rests with your administrators.

AI-Powered Risk Analysis

Automatic Package Scanning

When an approval request is submitted, Axiomly automatically downloads and analyzes the package source code using AI. The analysis checks for:

  • Obfuscated Code - Base64, hex encoding, eval/exec with encoded strings
  • Install Hooks - postinstall/preinstall scripts running arbitrary code
  • Network Calls - Hardcoded IPs, suspicious domains, data exfiltration
  • File System Access - Reading ~/.ssh, ~/.aws, env files, writing to disk
  • Process Spawning - Shell commands, child process execution
  • Credential Harvesting - Environment variables, tokens, API keys
  • Binary Blobs - Encoded data or binaries embedded in source
  • Prototype Pollution - Object prototype manipulation patterns
  • Backdoor Patterns - Conditional execution based on hostname/IP/env
  • Known Incident Dependencies - Dependencies involved in known security incidents
  • Typosquatting - Dependencies with names similar to popular packages
  • Dependency Confusion - Internal-looking package names on public registries
  • Pinned Compromised Versions - Dependencies pinned to known-bad versions
  • License Risk - Copyleft or restrictive licensing

Supply Chain Version Diff Analysis

When a newer version of an already-approved package is requested, Axiomly performs a version diff analysis, comparing the old and new versions to detect suspicious changes between releases, such as newly added network calls, obfuscated code, or dependency changes.
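
To make the idea of a release-to-release diff concrete, here is an added example (not Axiomly's code, and far simpler than an AI-driven analysis) that compares two releases of an npm-style package and reports only what the newer one introduces. The pattern set, the release data layout, and the sample package are assumptions constructed for illustration.

```python
import json
import re

# Assumed, deliberately small heuristics (JavaScript sources); not an exhaustive rule set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
PATTERNS = {
    "obfuscated-eval": re.compile(r"\beval\s*\(\s*(?:atob|Buffer\.from)\s*\("),
    "process-spawn": re.compile(r"\bchild_process\b"),
    "credential-path": re.compile(r"\.ssh\b|\.aws\b"),
    "hardcoded-ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}


def scan(files):
    """Return {(pattern_name, path)} for every pattern hit in a {path: source} map."""
    return {(name, path) for path, src in files.items()
            for name, rx in PATTERNS.items() if rx.search(src)}


def diff_release(old, new):
    """List what `new` introduces relative to `old`.

    Each release is {"manifest": <package.json text>, "files": {path: source}}.
    """
    old_m, new_m = json.loads(old["manifest"]), json.loads(new["manifest"])
    findings = []
    old_scripts, new_scripts = old_m.get("scripts", {}), new_m.get("scripts", {})
    for hook in INSTALL_HOOKS:
        # Flag hooks that are new or whose command changed since the approved release.
        if hook in new_scripts and new_scripts[hook] != old_scripts.get(hook):
            findings.append(("install-hook", hook, new_scripts[hook]))
    old_deps, new_deps = old_m.get("dependencies", {}), new_m.get("dependencies", {})
    for dep in sorted(new_deps.keys() - old_deps.keys()):
        findings.append(("new-dependency", dep, new_deps[dep]))
    # Patterns already present in the approved release are not re-reported.
    for name, path in sorted(scan(new["files"]) - scan(old["files"])):
        findings.append((name, path, "introduced in this release"))
    return findings


# Constructed sample releases (hypothetical package; 203.0.113.0/24 is a documentation range).
OLD = {
    "manifest": json.dumps({"name": "example-lib", "version": "1.4.0",
                            "scripts": {"test": "node test.js"},
                            "dependencies": {"example-dep": "2.0.0"}}),
    "files": {"index.js": "module.exports = s => s.trim();\n"},
}
NEW = {
    "manifest": json.dumps({"name": "example-lib", "version": "1.4.1",
                            "scripts": {"test": "node test.js",
                                        "postinstall": "node setup.js"},
                            "dependencies": {"example-dep": "2.0.0",
                                             "example-helper": "0.0.1"}}),
    "files": {"index.js": "module.exports = s => s.trim();\n",
              "setup.js": "const cp = require('child_process');\n"
                          "const target = 'http://203.0.113.7/collect';\n"
                          "const keyDir = '~/.ssh';\n"},
}

if __name__ == "__main__":
    for finding in diff_release(OLD, NEW):
        print(finding)
```

Reporting only the delta keeps reviewer attention on what changed since the approved release, which is why patterns present in both versions are subtracted out.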

Supported Ecosystems

Risk analysis supports packages from: npm, PyPI, NuGet, RubyGems, Maven, Cargo, Go, and Packagist.

Viewing Risk Analysis Results

  1. Go to Tenant Admin → Approval Requests
  2. Click "View Details" on any analyzed request
  3. The Risk Analysis panel shows the verdict, confidence score, and detailed findings for each check

Verdicts

  • Benign - No suspicious patterns detected. Safe to approve.
  • Suspicious - Potential risk indicators found. Manual review recommended.
  • Malicious - Strong indicators of malicious intent. Do not approve.
  • Not Applicable - Package is too large for source code diff analysis (common for packages that bundle binaries like browser engines or native modules). Rely on the AI Security Assessment for risk evaluation.
  • Error - Analysis could not complete. Retry or review manually.

Note: Risk analysis runs automatically when an approval request is created. Results are cached and reused across tenants for the same package version. Packages that receive a "Not Applicable" verdict can still be auto-approved based on their Axiomly Score and AI Security Assessment.

IDE Integration

Supported IDEs

Axiomly provides native integration for multiple AI-powered IDEs across Windows, macOS, and Linux:

  • Kiro IDE - MCP server integration with steering documents and hooks (Windows, macOS, Linux)
  • Kiro CLI - MCP server integration for command-line AI workflows (Windows, macOS, Linux)
  • Claude - MCP server integration with steering documents (Windows, macOS, Linux)
  • JetBrains IDEs - IntelliJ IDEA, PyCharm, WebStorm, Rider, and more (Windows, macOS, Linux)
  • VS Code - Full extension with status bar, governance panel, and MCP server for Copilot (Windows, macOS, Linux)
  • Cursor IDE - MCP server integration with steering documents and hooks (Windows, macOS, Linux)

What Gets Installed?

  • MCP Server: Provides governance tools to AI agents
  • Steering Documents: Instructs AI agents on governance policies
  • Command-Line Protection: Enforces governance for package installations
  • Secure Configuration: Stores your API key and server URL

Installation Process

Step 1: Download Installer

  1. Log in to Axiomly web portal
  2. Click "Download Installer" button
  3. Select your IDE
  4. Save the PowerShell script

Step 2: Run Installer

Windows (PowerShell):

powershell -ExecutionPolicy Bypass -File .\axiomly-[ide]-installer.ps1

macOS/Linux (Bash):

chmod +x axiomly-[ide]-installer.sh
./axiomly-[ide]-installer.sh

The installer will:

  • ✅ Install VS Code extension (or configure MCP server for Cursor/Kiro)
  • ✅ Deploy package manager wrappers to C:\ProgramData\axinstall
  • ✅ Set environment variables (AXIOMLY_API_KEY, AXIOMLY_BASE_URL)
  • ✅ Update PowerShell profile with wrapper functions
  • ✅ Configure steering documents and governance rules

Important: After installation, you MUST close ALL PowerShell/Terminal windows and open fresh ones for the wrappers to work correctly.

Step 3: Restart IDE

Close and reopen your IDE for changes to take effect.

Step 4: Verify Installation

  • Kiro IDE: Open MCP Servers panel, look for "axiomly-governance"
  • Kiro CLI: Run kiro mcp list to verify "axiomly-governance" is listed
  • Claude: Settings → Developer → MCP Servers, look for "axiomly-governance"
  • JetBrains IDEs: AI Assistant settings, check MCP server configuration
  • VS Code: Check Extensions panel for "Axiomly Governance"
  • Cursor IDE: Open MCP Servers panel, look for "axiomly-governance"

How IDE Integration Works

Axiomly provides multi-layered governance enforcement:

Layer 1: AI Agent Governance (MCP Server)

  • ✅ AI agent checks Axiomly before suggesting packages
  • ✅ Validates dependencies when opening projects
  • ✅ Offers to submit approval requests
  • ✅ Provides security assessment data

Layer 2: Command-Line Protection

  • ✅ Enforces governance for direct package installations
  • ✅ Validates against Axiomly before executing
  • ✅ Blocks unapproved packages at installation time
  • ✅ Works even if AI agent is bypassed

Layer 3: Steering Documents

  • ✅ Instructs AI agents on governance policies
  • ✅ Automatically loaded in every conversation
  • ✅ Ensures consistent behavior across all AI agents

Defense in Depth

Even if a user tries to bypass the AI agent and install packages directly, Axiomly governance still enforces approval checks.

Command-Line Protection

What is Command-Line Protection?

Axiomly enforces governance even when packages are installed directly from the command line, providing an additional security layer beyond AI agent checks.

Supported Package Managers

  • Python - pip package installer
  • Node.js - npm package manager
  • VS Code - Extension installer
  • Claude - CLI commands

User Experience

When Package is Approved

PS> pip install flask

Checking Axiomly approval...
✓ Approved - Installing flask...

When Package is Blocked

PS> pip install unapproved-package

Checking Axiomly approval...
✗ Blocked - Package not approved

Would you like to request approval? (Y/N):

Troubleshooting

Protection Not Working

Symptoms: Packages install without Axiomly check

Solutions:

  1. Re-download installer from Axiomly profile
  2. Run installer to update configuration
  3. Restart your terminal/IDE
  4. Test with a known approved package

API Keys & Authentication

What is an API Key?

An API key is a unique identifier that:

  • Authenticates your IDE with Axiomly
  • Links your actions to your user account
  • Enables audit logging
  • Controls rate limiting

API Key Format

axiomly_xK8vN2mP9qR4sT6uV8wX0yZ1aB3cD5eF7gH9iJ1kL3mN5oP7qR9sT1uV3wX5yZ7

Viewing Your API Key

  1. Log in to Axiomly web portal
  2. Go to Profile page
  3. View API Key Status section
  4. See key prefix (first 8 characters)

Security Note: The full API key is only shown once during generation. It's embedded in your installer and stored securely in your IDE.

API Key Security Best Practices

✅ DO:

  • Keep your API key secret
  • Regenerate every 90 days
  • Regenerate if compromised
  • Use installer to configure

❌ DON'T:

  • Share your API key
  • Commit keys to source control
  • Send keys via email/chat
  • Reuse keys across accounts

Approval Workflow

Requesting Approval

Method 1: Through IDE (Recommended)

When the AI agent encounters an unapproved item, it will offer to submit a request on your behalf.

Method 2: Through Web Portal

  1. Go to Request Access page
  2. Fill out the form
  3. Provide detailed justification
  4. Submit request

Justification Tips

Good Justifications Include:

  • Project context: "Needed for Project Apollo lunar data processing"
  • Specific use case: "Required for OAuth2 authentication with external API"
  • Why this library: "Industry standard for WebSocket connections"
  • Alternatives considered: "Evaluated socket.io but this has better TypeScript support"

Request Statuses

  • PENDING: Awaiting review by administrators
  • APPROVED: Request approved, item now available
  • REJECTED: Request denied (see rejection reason)
  • NEEDS_INFO: Administrators need more information

Groups

For users with TenantAdmin role

Groups let you control which steering documents apply to which users. This is useful when different teams need different governance policies or coding standards.

How Groups Work

Key Rule

Steering documents not assigned to any group are global and apply to all users. Steering documents assigned to one or more groups are only visible to users in those groups.

Creating a Group

  1. Go to Tenant Admin > Groups
  2. Click "Create Group"
  3. Enter a name (e.g., "Backend Team", "Security Team")
  4. Optionally add a description
  5. Click "Create Group"

Managing Group Members

  1. Go to Tenant Admin > Groups
  2. Click "Edit" on the group
  3. In the Users section, select a user from the dropdown and click "Add"
  4. To remove a user, click the remove button next to their name

Assigning Steering Documents to Groups

There are two ways to assign steering documents to groups:

Method 1: From the Group Edit Page

  1. Go to Tenant Admin > Groups > Edit
  2. In the Steering Documents section, select a document from the dropdown and click "Add"
  3. To remove a document, click the remove button next to it

Method 2: From the Item Create/Edit Page

  1. When creating or editing a Steering Document item, an "Assign to Groups" section appears
  2. Check the groups that should receive this document
  3. Leave all unchecked to make the document global (visible to everyone)

Example Scenarios

  • Global governance policy: Create a steering document and don't assign it to any group. All users see it.
  • Team-specific standards: Create a "Python Standards" steering document and assign it to the "Backend Team" group. Only backend team members see it.
  • Mixed approach: Have a global security policy (no group) plus team-specific coding standards (assigned to respective groups).

Note: Deactivating a group (unchecking "Active" in the group edit page) will stop its steering documents from being delivered to group members via the IDE integration.

Administration

For users with TenantAdmin or Approver roles

Tenant Admin Dashboard

Overview of your tenant with statistics, recent activity, and quick actions.

Managing Users

  • View all users in your tenant
  • Add new users (SSO or local authentication)
  • Edit user details and roles
  • Disable users when they leave

User Roles

  • ReadOnly: View approved items only
  • Builder: View items + submit approval requests
  • Approver: Builder + approve/reject requests
  • TenantAdmin: Full administrative access

Managing Approved Items

  • Browse all approved items
  • Add new approved items
  • Edit existing items
  • Deprecate or disable items

Managing Approval Requests

  1. View all approval requests
  2. Review request details and justification
  3. Research the item (documentation, security advisories)
  4. Approve, reject, or request more information

Auto-Approval

Tenant admins can configure automatic approval for packages that meet minimum security thresholds. When enabled, approval requests are instantly approved if all three scores meet your organization's requirements, with no manual review needed.

How It Works

  1. A developer submits an approval request (via IDE or CLI)
  2. Axiomly evaluates the package against three scores:
    • Axiomly Score - Vulnerabilities, health, and maintenance (0-100)
    • AI Security Assessment - Security, quality, popularity, and maintenance (0-100)
    • Supply Chain Analysis - Code diff analysis confidence with Benign verdict required (0-100)
  3. If all scores meet or exceed the configured thresholds, the request is approved automatically
  4. If any score falls below the threshold, the request stays pending for manual admin review

Safety Guardrails

  • Packages with critical vulnerabilities are never auto-approved, regardless of scores
  • Supply chain analysis must return a Benign verdict (Suspicious or Malicious are always blocked)
  • Only Library type items are eligible for auto-approval (MCP servers, extensions, etc. require manual review)
  • Auto-approval can optionally require supply chain analysis to complete before approving
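
The scoring rules and guardrails above can be read as a single decision function. The following is an added sketch of that reading, not Axiomly's implementation: the class and field names are hypothetical, and two behaviours are assumptions the guide does not spell out (an "Error" verdict stays pending, and an unfinished analysis is skipped only when the "require supply chain analysis" option is off).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Thresholds:
    axiomly: int = 70                  # guide default: 70/100 for each score
    ai_assessment: int = 70
    supply_chain: int = 70
    require_supply_chain: bool = False


@dataclass
class Request:
    item_type: str                     # "Library", "MCP Server", "Extension", ...
    axiomly_score: int
    ai_assessment_score: int
    critical_vulns: int
    verdict: Optional[str] = None      # None means the analysis has not finished
    supply_chain_confidence: int = 0


def decide(req: Request, t: Thresholds):
    """Return (status, reason); PENDING means the request waits for manual review."""
    # Guardrails come first so that no score combination can override them.
    if req.item_type != "Library":
        return "PENDING", "only Library items are eligible"
    if req.critical_vulns > 0:
        return "PENDING", "critical vulnerability present"
    if req.verdict in ("Suspicious", "Malicious"):
        return "PENDING", f"supply chain verdict is {req.verdict}"
    if req.verdict == "Error":         # assumption: treat a failed analysis as unresolved
        return "PENDING", "supply chain analysis failed"
    if req.verdict is None and t.require_supply_chain:
        return "PENDING", "supply chain analysis not complete"
    if req.axiomly_score < t.axiomly:
        return "PENDING", "Axiomly Score below threshold"
    if req.ai_assessment_score < t.ai_assessment:
        return "PENDING", "AI Security Assessment below threshold"
    # "Not Applicable" carries no confidence score, so only the two scores above apply.
    if req.verdict == "Benign" and req.supply_chain_confidence < t.supply_chain:
        return "PENDING", "supply chain confidence below threshold"
    return "APPROVED", "all applicable thresholds met"


if __name__ == "__main__":
    strict = Thresholds(80, 80, 80, require_supply_chain=True)
    print(decide(Request("Library", 92, 88, 0, "Benign", 95), strict))
    print(decide(Request("Library", 92, 88, 1, "Benign", 95), strict))
    print(decide(Request("Library", 92, 88, 0, None), strict))
```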

Configuring Auto-Approval

  1. Go to Tenant Admin → Approval Requests
  2. Click the 🤖 Auto-Approval collapsible panel
  3. Toggle Enable auto-approval on
  4. Set minimum thresholds for each score (default: 70/100)
  5. Optionally require supply chain analysis to complete before auto-approving
  6. Click Save

Recommended thresholds: Start with 80 for all three scores. This ensures only well-maintained, secure, and thoroughly analyzed packages are auto-approved. You can lower thresholds as you gain confidence in the system.

Other Admin Features

  • Groups: Create groups to assign specific steering documents to specific users (see Groups section)
  • API Keys: View and revoke user API keys
  • SSO Configuration: Set up Single Sign-On
  • Subscription Management: View plan and billing
  • Audit Logs: Track all activities
  • Uninstallers: Download removal scripts for all supported IDEs (Kiro IDE, Kiro CLI, Claude, JetBrains, VS Code, Cursor) across all platforms (Windows, macOS, Linux) - Tenant Admins only

Troubleshooting

Common Issues

"API key invalid or expired"

Solutions:

  1. Log in to Axiomly web portal
  2. Check Profile page for API key status
  3. If revoked: Click "Regenerate API Key"
  4. Download new installer and run it
  5. Restart IDE

"Axiomly MCP server not connected"

Solutions:

  1. Check MCP Servers panel in IDE
  2. Look for "axiomly-governance" server
  3. If missing: Re-run installer
  4. Restart IDE
  5. Check network connectivity to Axiomly server

"Library not approved"

Solutions:

  1. Search for the library in Axiomly web portal
  2. Check if it's approved
  3. If not approved: Submit approval request
  4. Check for approved alternatives

Command-line protection not working

Symptoms: Running pip install doesn't show Axiomly governance check

Solutions:

  1. Re-download installer from your Axiomly profile
  2. Run installer to update configuration
  3. Restart your terminal/IDE completely
  4. Test with a known approved package

Approved package still blocked

Symptoms: Package shows as approved but installation still fails

Solutions:

  1. Re-download installer from your Axiomly profile
  2. Run installer to update configuration
  3. Restart your terminal/IDE completely
  4. Test again with the approved package

Security assessment not loading

Solutions:

  1. Check that the item type is "LIBRARY" (only libraries have security assessments)
  2. Verify package name is correct (case-sensitive)
  3. Try refreshing the page (Ctrl+Shift+R for hard refresh)
  4. Check browser console for errors (F12)
  5. Contact support if issue persists

Getting Help

For technical issues: support@axiomly.com

For billing questions: billing@axiomly.com

For security concerns: security@axiomly.com

Best Practices

For Users

API Key Management

  • Keep your API key secret
  • Regenerate every 90 days
  • Regenerate immediately if compromised

Approval Requests

  • Provide detailed justification
  • Explain specific use case
  • Be patient during review

For Administrators

User Management

  • Use SSO for automatic provisioning
  • Assign appropriate roles
  • Review user access quarterly
  • Disable users when they leave

Approval Management

  • Review requests promptly (24-48 hours)
  • Research items thoroughly
  • Provide clear rejection reasons
  • Consider security implications