San Francisco-based runtime security company Arcjet has launched a new capability called "Guards," designed to address a critical security gap emerging with the proliferation of AI agents. As these agents increasingly handle application logic such as file reading, web page fetching, and queue message processing, traditional security tools focused on HTTP boundaries are becoming obsolete. Guards aims to bring robust security policy enforcement directly inside the operational workflows of AI agents, queue consumers, and other non-HTTP code paths, which have historically been invisible to conventional security measures.
David Mytton, CEO of Arcjet, explained to The New Stack that Guards integrates directly into AI agent tool handlers, queue consumers, and workflow steps. These are precisely the code paths that bypass network perimeters and are therefore undetectable by Web Application Firewalls (WAFs), proxies, and traditional middleware. This new offering represents a significant shift in how application security is approached in the era of increasingly autonomous AI systems.
The Evolving Threat Landscape: The Gap Guards is Targeting
The fundamental premise behind Arcjet’s Guards is the inadequacy of existing security models for the new paradigm of agentic systems. For years, application security has operated under the assumption of a clear request boundary. An incoming HTTP request would pass through middleware, be inspected by security tools, and then reach the application’s core logic. This model, while effective when applications had a singular "front door," fails to account for the distributed and internal nature of agent operations.
Mytton elaborated on this point in a recent blog post, stating, "An agent tool handler receives untrusted input as a function argument, not a request body. A queue consumer pulls a message off a broker, never touching a router. A multi-agent pipeline passes state from one step to the next through shared memory or a workflow engine." None of these interactions traverse a network boundary that a proxy can monitor.
The consequences of this security blind spot are far from theoretical. Mytton recounted a concerning real-world incident where an AI agent, tasked with fetching information from a website, encountered a maliciously crafted page. This page contained hidden instructions that prompted the agent to exfiltrate sensitive data to an external attacker. Crucially, the WAF protecting the upstream chat interface, which initiated the agent’s task, remained oblivious to this data breach because the malicious activity occurred entirely within the agent’s internal processing, outside the visible HTTP request chain.
"You’ve got all your permission set up correctly on the chat interface," Mytton stated during a briefing with The New Stack, "but by prompt injecting agents right behind the scenes, you can get it to take actions that it wasn’t expecting." He further highlighted that even seemingly innocuous elements, such as text instructions embedded within an image file that an agent processes, can serve as vectors for such attacks.
Beyond simple visibility, there’s a critical context problem. While a proxy positioned at the application’s edge might see an incoming request, it lacks the deep understanding of the application’s internal state. "A proxy sitting in front of the application can see the request," Mytton explained in his blog. "It can’t see the identity, the session, the business logic, or the budget." Guards, by contrast, operates within the application’s runtime, where this vital context resides. In agentic systems, this limitation is even more pronounced, as a proxy cannot even detect a tool call, as it is not a network request.
How Guards Operates: Security Embedded in Code
Arcjet’s Guards is designed to seamlessly integrate into the company’s existing Software Development Kit (SDK) model. This approach allows developers to define security rules directly within the same codebase as the features they are protecting. Consequently, security measures are deployed alongside the code itself and are subject to the same review processes, such as pull requests. The enforcement point for these security policies is dynamically moved to wherever untrusted input is encountered within the application’s execution flow.
"Security has to live where the code lives," Mytton emphasized in a press release announcing the launch. "For agentic systems, that means inside the tool calls and workflow steps where untrusted input actually arrives, not at a perimeter that no longer exists. Guards give developers a way to enforce policy inside the code paths agents use every day – the same place the threat model now lives."
The initial rollout of Guards focuses on three particularly pressing scenarios identified in production agentic systems:
- Prompt Injection Detection on Tool Results: This capability aims to identify and neutralize malicious instructions embedded within content fetched by an agent before it is re-ingested into the model’s context. This is crucial for preventing agents from being tricked into performing unintended or harmful actions.
- PII Blocking on Tool Inputs and Queue Messages: Guards can actively prevent Personally Identifiable Information (PII) from being sent to third-party models or processed in queue messages. This is a vital step in maintaining data privacy and compliance, especially as agents interact with external services.
- Per-User Token Budget Enforcement: A significant concern with AI agents is the potential for runaway processes that can rapidly consume computational resources and incur substantial costs. Mytton was direct about this risk: "Controlling budgets means it doesn’t go off and read thousands and thousands of pages and cost loads of money." Guards allows for the implementation of per-user token limits to prevent excessive usage and manage operational expenses.
Furthermore, Guards is engineered to handle complex multi-agent scenarios. Instead of analyzing individual tool calls in isolation, it maintains and carries session context across the entire agent pipeline. "If you’ve got multiple agents going off doing different things, the idea is you wrap your tool call in, protect what goes in, and then it will analyze what comes out – so you get two attempts at the analysis," Mytton explained. This ensures a more holistic and effective security posture across interconnected agent operations.
An Agent-First Approach to Security
Arcjet’s strategic positioning for Guards extends beyond its technical capabilities; it emphasizes a philosophy of being "agent-first" rather than merely "agent-friendly." Mytton articulated this distinction, stating that simply making existing control planes accessible to agents is insufficient.
"Being agent-friendly isn’t the same thing as being agent-first," he wrote in his blog post. "Shipping a CLI or an MCP server on top of an existing control plane or dashboard makes that control plane accessible to an agent, but that’s only half of the work."
The other half, according to Arcjet’s perspective, involves meeting agents where they fundamentally operate: within code repositories, writing code, and producing software changes. This "agent-first" approach means that security is not an afterthought or an add-on but an intrinsic part of the development process.
"The agent writing your chat handler can see the prompt injection rule protecting it when that code is three lines above in the same file," Mytton illustrated. "The code review covers both. The pull request that adds the feature adds the protection." This tightly coupled integration ensures that security considerations are inherent to the agent’s development lifecycle.
Adding to this seamless integration, Arcjet has introduced a prompt-based installation path for Guards. Instead of requiring developers to manually integrate the SDK, the installation command provides instructions that can be directly executed by coding agents. As Mytton described, "we just give you a prompt, and the prompt tells your coding agent how to use Arcjet Guards." This innovative approach democratizes security integration, making it accessible even to AI coding assistants.
Navigating the Competitive Landscape
The market for AI security is rapidly evolving, with established players and emerging startups vying for position. Traditional web security providers are adapting, but often with limitations. For instance, Cloudflare’s AI Gateway and Salesforce’s AI Gateway offer features like rate limiting, billing, and request inspection. However, as Mytton pointed out, "These are all proxies, and they always assume a web request is happening."
Arcjet’s core argument is that the proxy model, designed for a perimeter-based security approach, encounters a fundamental barrier when an agent interacts through function calls rather than network requests. "Just like when you run something in the terminal – that’s not going through a proxy first. That’s where Arcjet fits," Mytton explained, highlighting the parallel between terminal commands and agent tool calls.
Mytton views the shift in security as a fundamental change in the concept of the "perimeter." He elaborated, "Proxies and WAFs exist because, for a long time, they were the only way to put enforcement between the internet and an application without involving the developers. That worked because the perimeter was real. It’s now dissolving."
Arcjet’s Guards is currently available through the company’s JavaScript and Python SDKs, providing developers with the tools they need to secure their AI agent workflows in this new, perimeter-less landscape. The introduction of Guards marks a significant step forward in securing the complex and rapidly evolving world of AI-driven applications.
