Agentic systems introduce a new attack surface: compromised agents, privilege escalation between agents, and opaque tool use that bypasses existing controls. We don't bolt security on after the fact — we engineer it in as the enforcement plane. Cryptographic identity, least-privilege permissions, sandboxed execution, and an append-only audit trail that exists before the agent does anything.
In the systems we build, security is not a post-hoc check. Each layer is evaluated before an agent can act, and all layers are active for every agent, every time.
The identity is scoped to the agent's deployment — not the operator, not the host process. It is used to sign every action the agent takes and to verify every capability claim the agent presents to other agents or to the A2A policy layer. Self-signed or ambient identities are not accepted.
Every tool an agent may call is declared in its permission manifest at registration. The enforcement layer intercepts tool calls and checks the manifest before allowing execution. An agent that tries to call a tool not in its manifest is denied and the attempt is logged — no exceptions based on prompt reasoning.
Operations that involve executing code, calling external services, or processing untrusted inputs run in a sandbox: no outbound network access (unless explicitly declared), read-only filesystem, and a resource cap. The sandbox is the default; trusted execution is the opt-in, not the other way around.
Every tool call, every delegation, every permission check — allowed or denied — is written to the audit log with full context: agent identity, action type, target, inputs (redacted where policy requires), outcome, and timestamp. The log is append-only and cryptographically signed. Nothing is overwritten. Nothing is deleted.
A compromised agent cannot access tools, data, or other agents outside its declared permission manifest. The damage is bounded by design — not by hoping the agent prompt holds up under adversarial conditions. Permission manifests are code, not text.
Agents cannot grant themselves permissions they don't have. Delegation tokens are scoped to the permissions of the delegating agent — you cannot delegate what you don't own. The enforcement layer checks the entire chain, not just the terminal request.
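The manifest check and the delegation-chain walk described in the two passages above, as an added illustration (not the page's or the vendor's code): the agent names, tool names and the `Manifest`/`DelegationToken` structures are constructed for this example, and the in-memory `events` list stands in for the real audit log. The point it makes concrete is that the interceptor decides from the declared manifest alone, and that a delegated call is judged against every hop back to the root manifest rather than the terminal token.

```python
"""Permission-manifest enforcement and delegation-chain checking (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Manifest:
    """Declared at registration; frozen so the agent cannot edit it at runtime (constructed shape)."""
    agent_id: str
    tools: FrozenSet[str]


@dataclass(frozen=True)
class DelegationToken:
    """Issued by `delegator` to `delegate`; may carry only a subset of what the delegator holds."""
    delegator: str
    delegate: str
    tools: FrozenSet[str]


class Enforcer:
    """Intercepts tool calls and checks them against manifests and delegation chains."""

    def __init__(self, manifests: Dict[str, Manifest]):
        self.manifests = manifests
        self.events: List[dict] = []  # stand-in for the append-only audit log

    def _record(self, agent_id: str, action: str, target: str, outcome: str) -> bool:
        # Allowed and denied decisions are both recorded, with the same context.
        self.events.append({"agent": agent_id, "action": action, "target": target, "outcome": outcome})
        return outcome == "allowed"

    def check_tool_call(self, agent_id: str, tool: str) -> bool:
        """Direct call: the tool must appear in the caller's own manifest. No other input is consulted."""
        manifest = self.manifests.get(agent_id)
        if manifest is None or tool not in manifest.tools:
            return self._record(agent_id, "tool_call", tool, "denied")
        return self._record(agent_id, "tool_call", tool, "allowed")

    def check_delegated_call(self, chain: List[DelegationToken], tool: str) -> bool:
        """Delegated call: walk the whole chain from the root delegator's manifest.

        Each hop must be issued by the agent that currently holds the scope, and may only
        narrow that scope. The terminal agent must then hold `tool` in the final scope.
        """
        if not chain:
            return False
        root = self.manifests.get(chain[0].delegator)
        if root is None:
            return self._record(chain[0].delegator, "delegation", tool, "denied")
        holder, allowed = chain[0].delegator, root.tools
        for hop in chain:
            if hop.delegator != holder:  # broken chain: token issued by someone who never held the scope
                return self._record(hop.delegator, "delegation", hop.delegate, "denied")
            if not hop.tools <= allowed:  # attempted escalation: delegating what you don't own
                return self._record(hop.delegator, "delegation", f"{hop.delegate}:{tool}", "denied")
            holder, allowed = hop.delegate, hop.tools
        if tool not in allowed:
            return self._record(holder, "tool_call", tool, "denied")
        return self._record(holder, "tool_call", tool, "allowed")


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: a planner with three tools delegates to a worker that owns one."""
    manifests = {
        "planner": Manifest("planner", frozenset({"search", "read_doc", "send_email"})),
        "worker": Manifest("worker", frozenset({"read_doc"})),
    }
    enf = Enforcer(manifests)
    # 1. Direct call outside the worker's own manifest is denied.
    direct_denied = not enf.check_tool_call("worker", "send_email")
    # 2. A token from the planner lets the worker use "search" it does not own directly.
    t1 = DelegationToken("planner", "worker", frozenset({"search", "read_doc"}))
    delegated_ok = enf.check_delegated_call([t1], "search")
    # 3. The worker tries to pass on "send_email", which its token never carried: denied.
    t2 = DelegationToken("worker", "subworker", frozenset({"send_email"}))
    escalation_denied = not enf.check_delegated_call([t1, t2], "send_email")
    # 4. A properly narrowed second hop is allowed.
    t3 = DelegationToken("worker", "subworker", frozenset({"search"}))
    chain_ok = enf.check_delegated_call([t1, t3], "search")
    return direct_denied, delegated_ok, escalation_denied, chain_ok


if __name__ == "__main__":
    print(demo())
```

Every decision path ends in `_record`, so the denied escalation in step 3 lands in the event list alongside the allowed calls; in a deployment that list would be the signed audit log rather than a Python list.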
The audit log is always on, always complete, and always tamper-evident. There is no configuration that turns it off and no retention window shorter than your declared policy. When an incident occurs, the full record exists — you are not reconstructing from application logs.
Container isolation is a runtime boundary. The security layer we build operates at the agent semantic level — it enforces what a specific agent is allowed to do with specific tools, regardless of the container boundary. An agent in a container with ambient cloud credentials is still a security risk; we remove the ambient credentials and replace them with a scoped identity and permission manifest.
No. Permission manifests are declared at registration and can only be updated by a human operator with the appropriate role. An agent cannot modify its own manifest, request an expansion at runtime, or work around the enforcement layer via tool calling. Attempted escalations are denied and logged.
PII redaction rules are declared in the agent's manifest. The audit system redacts the declared fields from log payloads before writing — the event is still logged with full metadata (agent, action, outcome, timestamp) but the sensitive field values are replaced with a redacted marker. The redaction rule is itself versioned and audited.
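The append-only, tamper-evident log from the earlier passage and the manifest-declared redaction from this one, combined in one added example (not the page's or the vendor's code). Each entry carries the hash of the previous entry and a keyed tag over its own hash; the redaction rules, the agent names and the sample inputs are all constructed here. One assumption to be explicit about: the example uses an HMAC from the standard library as a stand-in for the "cryptographically signed" step, which is enough to show the mechanics offline but means anyone holding the key could re-sign; a production log would use an asymmetric signature and anchor the head hash outside the writer's reach.

```python
"""Hash-chained, HMAC-tagged audit log with redaction-before-write (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set, Tuple

GENESIS = "0" * 64  # prev-hash of the first entry


class AuditLog:
    def __init__(self, signing_key: bytes, redaction_rules: Dict[str, Set[str]]):
        self._key = signing_key
        self._rules = redaction_rules  # agent_id -> input field names declared in its manifest
        self._entries: List[dict] = []

    def _redact(self, agent_id: str, inputs: Dict[str, str]) -> Dict[str, str]:
        # Redaction happens before hashing, so the sensitive value never enters the log.
        fields = self._rules.get(agent_id, set())
        return {k: ("[REDACTED]" if k in fields else v) for k, v in inputs.items()}

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def append(self, agent_id: str, action: str, target: str, inputs: Dict[str, str],
               outcome: str, ts: int) -> dict:
        """Write one event; metadata is kept in full, only declared fields are redacted."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries), "ts": ts, "agent": agent_id, "action": action,
            "target": target, "inputs": self._redact(agent_id, inputs),
            "outcome": outcome, "prev": prev,
        }
        h = self._digest(body)
        sig = hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "hash": h, "sig": sig}
        self._entries.append(entry)
        return copy.deepcopy(entry)

    def entries(self) -> List[dict]:
        return copy.deepcopy(self._entries)

    def verify(self, entries: Optional[List[dict]] = None) -> bool:
        """Recompute every hash, tag and back-link. Any overwrite or removal of an
        interior entry breaks the chain; truncation of the tail needs an external anchor."""
        entries = self._entries if entries is None else entries
        prev = GENESIS
        for seq, entry in enumerate(entries):
            body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
            if body.get("seq") != seq or body.get("prev") != prev:
                return False
            h = self._digest(body)
            if h != entry.get("hash"):
                return False
            expected = hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("sig", "")):
                return False
            prev = h
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: an analyzer agent whose manifest declares `ssn` as redacted."""
    log = AuditLog(b"constructed-demo-key", {"analyzer": {"ssn"}})
    first = log.append("analyzer", "tool_call", "extract_fields",
                       {"doc": "claim-17", "ssn": "123-45-6789"}, "allowed", ts=1700000000)
    log.append("analyzer", "tool_call", "send_email", {"to": "x"}, "denied", ts=1700000001)
    log.append("analyzer", "delegation", "worker", {}, "allowed", ts=1700000002)
    redacted = first["inputs"]["ssn"] == "[REDACTED]" and first["inputs"]["doc"] == "claim-17"
    intact = log.verify()
    # Overwriting a decision after the fact is detected.
    edited = log.entries()
    edited[1]["outcome"] = "allowed"
    overwrite_detected = not log.verify(edited)
    # Removing an interior entry is detected via the seq/prev back-links.
    removed = log.entries()
    del removed[1]
    deletion_detected = not log.verify(removed)
    return redacted, intact, overwrite_detected, deletion_detected


if __name__ == "__main__":
    print(demo())
```

The `verify` walk is what an incident responder would run over an exported log before trusting it; note that `verify` itself only knows the tail is complete if the last hash matches a value recorded elsewhere.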
Yes. The entire security layer — identity issuance, permission enforcement, sandbox execution, and audit log — runs on-prem with no dependency on any cloud service. The Darvico AI Document Analyzer we built runs this configuration in a data-sovereign, air-gap-capable environment with RBAC + scoped ABAC on top.
The audit log's append-only, tamper-evident design satisfies the immutability requirements in SOC 2, ISO 27001, and similar frameworks. Structured event output maps directly to SIEM ingestion pipelines. For regulated industries — financial services, healthcare, oil and gas — the log provides the agent-action traceability that those frameworks require but that general-purpose agent frameworks do not provide.
Tell us what you're building. A real engineer replies.