The agent reads a stale issue. Runs `rm -rf` in the wrong directory. Nothing intercepts it.
The agent harness, secured.
Four layers run your AI agents: orchestration, tool calls, identity, and data access. AKA secures all four.
Orchestration
The harness that runs your agent.
Tool calls
Every action the agent takes.
Agent identity
Who the agent is and what it may do.
Data access
Every file and API the agent touches.
Four layers. One attack surface.
Orchestration
The harness that runs your agent.
Claude CodeCodexCursorIn-house runners
Tool calls
Every action the agent takes.
shellread / writenetworkMCP tools
Agent identity
Who the agent is and what it may do.
service accountsscoped tokensleast privilegerotation
Data access
Every file and API the agent touches.
source files.env / secretsexternal APIsproduction data
Where an unguarded harness fails.
Prompt injection is the top entry on the OWASP 2025 LLM risk list. A harness ships with shells, network, file writes, and reads. Without a guardrail, an injected instruction reaches all of it.
A destructive shell command
shell rm -rf /var/log
An exfiltrated secret
The agent loads `.env.production`, references the value in a prompt, and the secret leaves the machine.
read .env.production
A silent network call
A dependency phones home. The agent forwards repo content to a third-party API you never approved.
network api.stripe.com
A guardrail changes the picture.
- read src/auth/session.ts executed
- shell rm -rf /var/log executed
- network api.stripe.com executed
- write /etc/hosts executed
No guardrail. 4 executed.
AKA
- read src/auth/session.ts allowed
- shell rm -rf /var/log blocked
- network api.stripe.com blocked
- write /etc/hosts blocked
AI-TC on. 3 blocked.