The Inversion: Protecting From the Agent, Not the Outside
Traditional security protects resources from external intruders. Denied flips that model. The agent sits inside the perimeter, and the enforcement point moves into the host layer. This shift provides three advantages: global visibility of every tool call, content-aware inspection of payloads, and isolation of the evaluation decision from the agent’s reasoning. Anthropic’s AutoMod uses the same pattern — a separate model evaluates actions without being polluted by the agent’s logic.
Why Sandboxes and Gateways Miss Agent Behavior
Sandboxes like Docker control network connections but lose control once a connection opens. OAuth and scopes protect resource access but not what the agent does with that access. Server-side gateways offer fine-grained control but lack visibility into actions outside the gateway — an intern downloading a CLI tool bypasses the gateway entirely. The email example shows the gap: the agent has permission to send email, but the content, timing, or recipient may violate policy.
Three Evaluation Strategies for Tool Calls
Denied intercepts each tool call through a pre-tool hook, evaluates it, and returns an effect: allow, deny, or an obligation such as human escalation. The evaluation uses three strategies. Rego policies handle 100% deterministic rules. LLMs add content classification for cases Rego cannot inspect, such as email payloads. For complex cases, a model evaluates the entire policy against the request. The system escalates automatically from deterministic to model-based evaluation as complexity increases.
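An added illustration of the staged pre-tool hook described above, applied to the send-email case from the talk; this is example code written for this summary, not Denied’s implementation. The recipient-domain allowlist stands in for a deterministic Rego rule, and the Luhn-based card-number detector stands in for the pluggable classification model; the domain list, tool name and argument names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist: the kind of rule a Rego policy would encode deterministically.
ALLOWED_EMAIL_DOMAINS = {"example.com"}


@dataclass
class Decision:
    effect: str                      # "allow", "deny" or "obligation"
    reason: str
    obligations: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def card_number_classifier(text: str) -> bool:
    """Stand-in for the pluggable model: flags Luhn-valid 13-19 digit runs in the payload."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def pre_tool_hook(call: dict, classifier=card_number_classifier) -> Decision:
    """Evaluate one structured tool call; the hook never sees the agent's reasoning."""
    if call.get("tool") != "send_email":
        return Decision("allow", "no policy attached to this tool")
    args = call.get("args", {})
    # Stage 1: deterministic rule (Rego territory): recipient domain must be allowlisted.
    domain = args.get("to", "").rpartition("@")[2].lower()
    if domain not in ALLOWED_EMAIL_DOMAINS:
        return Decision("deny", f"recipient domain {domain!r} not allowed")
    # Stage 2: content classification a schema-level rule cannot express.
    if classifier(args.get("body", "")):
        return Decision("obligation", "payment card data in body", ["human_escalation"])
    return Decision("allow", "policy satisfied")
```

Any callable that accepts the payload text and returns a boolean can replace the classifier, which mirrors the Q&A point that a custom model can be plugged in for PII or card-number detection.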
Policy Authoring Through Observation
Writing policies for autonomous agents is hard because developers do not know how the agent will call external tools. Denied solves this by observing the agent in action. The product logs every tool call, clusters actions by schema, and suggests policies based on actual usage. A screenshot showed OpenClaw performing competitor analysis with calls clustered by type — allowed, denied, and pending. Developers can move policies from model-based evaluation to deterministic Rego as they understand the agent’s behavior.
Q&A
Can you plug in custom models for evaluation? Yes, any model can be plugged in for tasks like PII or credit card number detection. ▶ Watch (16:54)
How do you handle false positives and iterate on policies? The system logs all denied and allowed calls. Developers tweak policies and see regressions or improvements immediately. ▶ Watch (18:59)
Does the system automatically enforce suggested policies? Not yet. It recommends policies and provides templates. Automatic enforcement is a future goal. ▶ Watch (19:40)
Notable Quotes
So, from a security perspective you know we are used to like protect the resource uh sit in front of that and whether it’s a database or an API the main goal was always you know to protect uh from external intruders. So, that’s the main approach that we are all used to and from a security perspective was uh absolutely fine. But the problems that we encountered while building agents in the past years was actually uh the other way around. Pietro Valfrè · ▶ Watch (3:10)
So, what we were missing in this case was yeah we can control access but we cannot control what the agent is doing with this access. Pietro Valfrè · ▶ Watch (6:33)
So, if we put like the decisions inside the agent close to the like execution of the agent we may have the agent to convince the decision node to actually authorize the action. So, it’s super important to always decouple the actual performance of the agent and the actual evaluation of the agent. Pietro Valfrè · ▶ Watch (9:04)
Key Takeaways
- Shift enforcement from the server to the agent host layer.
- Intercept every tool call before execution for full visibility.
- Combine deterministic Rego policies with LLM content classification.
- Observe agent behavior to suggest and refine policies iteratively.
About the Speaker(s)
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy…
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is…