Overview
Traditional AI guardrails inspect prompts and responses. That works for chatbots – it does not work for agents. An AI agent makes hundreds of decisions a minute: which tool to call, what arguments to pass, whether to escalate, whether to write to memory, whether to take an external action. Any of those can be hijacked by a prompt injection in a retrieved document, a re-described MCP tool, a compromised tool server, or a poisoned prior turn. Inspecting only the user’s prompt at the gateway entrance misses most of where agentic harm actually happens. DeepintShield places an inline PEP/PDP in front of every agent decision and returns a verdict before the action runs – in-process, self-hosted, with no data egress.
Challenges
1. Action-targeted prompt injection
   Instructions hidden in retrieved documents or tool descriptions redirect what the agent does, not just what it says.
2. Over-privileged agents
   Standing access lets an agent reach far more tools and data than any single task requires.
3. “Approved-but-wrong” tool calls
   A legitimately registered tool whose behavior has drifted, been re-described, or been typosquatted.
4. No record-level access control
   Name-based allow-lists say which tools an agent may call, but not whether the principal may touch the specific object it targets.
5. No defensible audit trail
   When something goes wrong, teams cannot prove what each agent was actually allowed to do.
Solutions
1. Inline PEP/PDP on every tool call
   Returns ALLOW / DENY / REQUIRE_APPROVAL / MASK with obligations, via a dual AST + Rego/OPA engine kept byte-for-byte equivalent. p50 ≈ 2µs on cached verdicts.
2. ABAC operands
   Agent risk level, agent capabilities, data class, namespace, time of day, and fingerprint drift bound an agent’s reach to its declared capabilities and the data class involved.
3. Tool Integrity Engine + signed AIBOM
   Catches descriptor injection, typosquats, re-described tools, and argument-shape divergence by comparing each call against a pinned contract fingerprint.
4. Relationship-based authorization (OpenFGA/ReBAC)
   One verdict asserts both that the agent may act and that the principal has the relationship to the specific object, including record-level MCP connect/invoke/resource checks.
5. Hash-chained tamper-evident audit
   Records every decision with cryptographic provenance, mapped to the OWASP Agentic ASI Top 10.
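The pinned-contract check described under "Tool Integrity Engine" above, as an added Python illustration that is not DeepintShield's code: the ToolContract fields, the two-edit typosquat threshold and the sample tool are this example's own assumptions. It compares the descriptor a tool server currently advertises, and the call's arguments, against the contract fingerprint pinned at registration time and returns a verdict with reasons.

```python
import hashlib
import json
from dataclasses import dataclass

_JSON_TYPES = {"string": str, "integer": int, "boolean": bool}

# Pinned contract for a registered tool (constructed; the field names are this example's own).
@dataclass(frozen=True)
class ToolContract:
    name: str
    description: str
    arg_types: dict  # argument name -> JSON type name, e.g. {"path": "string"}
    def fingerprint(self) -> str:
        # Canonical JSON so the same contract always hashes the same way.
        canon = json.dumps({"name": self.name, "description": self.description,
                            "args": self.arg_types}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss tool names (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_tool_call(pinned: dict, observed: ToolContract, args: dict) -> tuple[str, list[str]]:
    """Compare the descriptor a tool server now advertises, plus the call's
    arguments, against the pinned contract. Returns (verdict, reasons)."""
    contract = pinned.get(observed.name)
    if contract is None:
        near = [n for n in pinned if _edit_distance(n, observed.name) <= 2]
        return "DENY", [f"unregistered tool {observed.name!r}" + (f", resembles {near}" if near else "")]
    reasons = []
    if contract.fingerprint() != observed.fingerprint():
        if contract.description != observed.description:
            reasons.append("descriptor re-described since pinning")
        if contract.arg_types != observed.arg_types:
            reasons.append("argument shape diverges from pinned contract")
    # Validate argument values against the pinned shape, not the advertised one.
    for key in set(args) - set(contract.arg_types):
        reasons.append(f"unexpected argument {key!r}")
    for key, tname in contract.arg_types.items():
        if key not in args:
            reasons.append(f"missing argument {key!r}")
        elif type(args[key]) is not _JSON_TYPES[tname]:
            reasons.append(f"argument {key!r} is not {tname}")
    return ("DENY" if reasons else "ALLOW"), reasons
```

A real deployment would pin the fingerprints from a signed inventory rather than an in-memory dict, and would log each verdict and its reasons to the audit chain.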