When AI Agents Bypass the Perimeter
AI agent security is colliding with the limits of traditional defenses. Web application firewalls, AI gateways, and proxies were built on the assumption that every interaction crosses an HTTP boundary. A request comes in, a proxy inspects it, and only then does it reach application code. But agentic systems increasingly work without a visible “front door.” Agents read local files, fetch web pages, and process queue messages autonomously, often via internal function calls rather than network requests. Untrusted input arrives as arguments and messages, not as HTTP payloads, which means classic perimeter tools never see it. This creates blind spots for AI security threats like prompt injection hidden in fetched content or even inside images. For security teams, the attack surface has effectively moved inside the application loop, forcing a rethink of where and how application security enforcement is applied.
From WAFs to Embedded Enforcement
To close these gaps, new approaches embed application security enforcement directly into the runtime where agents operate. Arcjet’s Guards capability is a prominent example: instead of waiting at the edge, it runs within AI agent tool handlers, queue consumers, and workflow steps. These are the exact code paths that never touch a router or proxy. By integrating through SDKs, developers define security rules in the same codebase and pull requests as the agent logic itself. This shifts enforcement to the precise point where untrusted data enters the system, whether via a tool call, a queue message, or a multi-agent workflow handoff. Moving checks into the code path gives security visibility into identity, session context, business rules, and even budget limits—details that a proxy sitting in front of the application can’t observe, but that are essential for effective zero trust architecture in agentic environments.
Guarding Against Prompt Injection and Data Exposure
Embedding security inside the application loop enables targeted defenses against emerging AI security threats. One critical use case is prompt injection detection on tool results: agents may fetch web pages or other resources that contain hidden instructions designed to hijack their behavior, including commands to exfiltrate data to external attackers. Because these instructions never pass through a WAF-protected chat interface, only in-loop analysis can catch them before they re-enter model context. Another focus is preventing sensitive data exposure. By inspecting tool inputs and queue messages at the source, embedded controls can block personally identifiable information from being sent to third-party models. This aligns with zero trust principles by treating every internal interaction as potentially hostile. The result is finer-grained AI agent security that lives alongside the code, rather than relying on a dissolving perimeter to filter malicious content after the fact.
Containing Runaway Agents and Multi-Agent Pipelines
As organizations adopt complex agentic workflows, security concerns extend beyond a single tool call. Agents can enter runaway loops, repeatedly reading pages or invoking tools, rapidly burning through computational resources and model usage. Embedded enforcement can implement per-user token budget controls inside these loops, ensuring agents cannot exceed predefined limits even if their logic misbehaves. Multi-agent pipelines add another dimension: state and context may flow through shared memory or workflow engines rather than HTTP. By carrying session context across the entire pipeline, in-loop security tools can evaluate both the inputs and outputs of each agent step. This provides two points of analysis for malicious instructions and ensures consistent policy enforcement as state moves between agents. In effect, AI agent security becomes a continuous, context-aware process woven into the workflow, instead of a single check at the system’s edge.
Architecting Security for an Agent-First Future
The emergence of embedded enforcement tools signals a broader architectural shift. Proxies and WAFs were successful because they allowed organizations to enforce policy without deeply involving developers, but that model assumed a stable perimeter. As AI agents increasingly act inside repositories, write code, and execute workflows, the perimeter dissolves. Security must now be designed where “the code lives,” particularly inside the same files and pull requests that define agent behavior. Arcjet positions this as an agent-first philosophy: instead of merely exposing existing control planes via CLIs or protocol servers, it meets agents in their natural habitat—the execution environment itself. Installation paths that are prompt-based, and intended for coding agents to follow, reinforce this shift. For security teams, the implication is clear: future-ready AI agent security will depend less on network chokepoints and more on deeply integrated, code-level controls aligned with zero trust architecture.