When AI Agents Slip Past Proxies and WAFs
AI agents are rapidly taking over application logic, from reading files and fetching web pages to processing queue messages and orchestrating multi-step workflows. This shift breaks the classic assumption that all untrusted input arrives through an HTTP request that a proxy or web application firewall can inspect. Agent tool handlers receive data as function arguments, queue consumers pull messages directly from brokers, and multi-agent pipelines pass state through shared memory or workflow engines instead of network boundaries. As a result, traditional WAFs, AI gateways, and middleware never see these interactions and cannot enforce policy or detect attacks. The attack surface has effectively moved inside the agent loop, where prompt injection, hidden instructions in retrieved content, and unexpected tool calls can all occur out of sight. Securing AI agents now means instrumenting the internal code paths where untrusted input actually lands.

New Internal Guardrails for the Agent Attack Surface
Because the agent attack surface lives inside application logic, security enforcement has to move there as well. Arcjet’s Guards exemplify this approach by embedding policy directly into AI agent tool handlers, queue consumers, and workflow steps. Instead of inspecting only incoming HTTP traffic, Guards run alongside the code, where they can see identity, session context, business rules, and token budgets in real time. This enables prompt injection detection on tool results before they re-enter model context, blocking of sensitive personal data in tool inputs and queue messages before it reaches third-party models, and enforcement of per-user token limits to prevent runaway loops from consuming excessive resources. In multi-agent systems, Guards carry session context across the pipeline, analyzing both what goes into and comes out of each tool call. The core principle is agent-first security: protection that resides where agents operate, not at a perimeter that no longer exists.

Why Emails, Code, and Finance Tasks Need Agent-Specific Security
Modern AI agents are no longer just chatbots; they can read and respond to emails, manage financial workflows, execute code, and access sensitive online accounts. Each of these capabilities introduces internal security threats that differ from traditional malware or phishing. Agents can be manipulated through malicious prompts embedded in web content, directed to unsafe websites, or granted access to tools and data beyond what a user intended. Because these actions often never traverse a visible network boundary, standard device, network, and identity protections fall short. Attackers can trick agents into exfiltrating data, running unsafe scripts, or interacting with hostile services while the upstream interface appears secure. As people delegate more of their digital lives to agents, the risk grows that these systems will autonomously process confidential information without adequate oversight. Effective AI agent security must focus on the internal workflows where decisions are made and executed.

VPN for Agents and Norton 360: Protecting Agent Workloads from Within
Alongside developer-focused tools, consumer security platforms are beginning to address AI agents directly. Gen’s VPN for Agents is designed specifically for autonomous agents rather than human users, separating an agent’s traffic from the user’s and controlling which destinations agents can reach. Its multi-tunnel technology allows agents to operate across different countries simultaneously while shielding identity and location details to reduce tracking and profiling, all without requiring software downloads or client setup. Norton AI Agent Protection, built into Norton 360, monitors what supported agents do and where they connect, inserting blocking tools and prompts between an agent’s decision and execution. It adds checks before plugins, skills, and tools are invoked, defends against prompt injection attacks, and scans code and files that agents access or generate to detect malware and unsafe scripts before they run. Together, these capabilities act as an internal control plane for agent workloads, closing gaps that traditional VPNs and endpoint tools were never designed to handle.
