Product
IntentFrame sits between your AI agent and the systems it can change. It checks every proposed action against deterministic limits and plain-English policy before anything touches money, data, customers, files, infrastructure, or APIs.
IntentFrame is a runtime enforcement layer. It receives proposed actions from an agent, evaluates each action against your policy, and returns a clear allow or block decision before the action can affect a real system.
IntentFrame does not make the agent smarter, write better responses, or guarantee the agent always makes the best business decision. It makes sure an unsafe or unauthorized action does not execute.
IntentFrame's job is to protect your business, not the agent.
We are a veto engine, not an optimization engine.
How it Works
The agent proposes what it wants to do and why. IntentFrame checks that proposal against your policy before the action runs. Sensitive actions are carried out through a governed path the agent does not control, so a tricked or confused agent cannot move money, change customer data, or mutate a system on its own say-so.
If the agent is tricked, confused, or malicious, the action still has to pass an external boundary first.
Intent vs. Permission
Every attempted action is evaluated for:
Does this action actually match the request?
Is the agent operating where it is allowed?
Does this resemble injection or manipulation?
Are the consequences acceptable?
If validation fails, the action does not execute.
If anything is unclear, execution stops.
Nothing passes silently.
Security is the default state.
Prevention First
Agents cannot act directly on sensitive systems. Every action must pass validation before it touches your money, data, customers, files, or APIs.
Watch agents as they act. Detect problems. Alert. Respond.
The agent already has capability when you notice something wrong.
Agents cannot act directly. Every action must pass validation before execution.
Unauthorized actions stop before they reach production systems.
| Structural prevention | Surveillance (monitoring) | |
|---|---|---|
| Credential access | Only the validated execution path has credentials | Agents have credentials |
| Attack timing | Prevents execution capability from being misused | Detects attacks after capability exists |
| Defense type | Architectural — novel attacks still hit the boundary | Pattern-based — can miss novel attacks |
| Response model | Proactive enforcement before execution | Reactive alerting |
| Security outcome | Stops what should not happen | Logs what happened |
Monitoring tells you what happened.
IntentFrame controls what is allowed to happen.
Amount caps, allowed recipients and accounts, allowed action types, and obviously unsafe actions are checked instantly, with no AI involved.
IntentFrame looks at what the action would actually do, including whether the stated reason matches the real details of the request.
Rules that depend on meaning are checked against your written policy. Example: "Refund only genuine manufacturing defects under $100."
Allowed actions are carried out through the governed path. Blocked actions never run.
Every allow or block result can be recorded with context, policy version, rationale, and timestamp.
Hard limits are checked first, with no AI. When a decision depends on meaning, IntentFrame separates understanding from authority: one step works out what the action really does, and a separate step decides it against your policy. The agent's words are treated as evidence, never as instructions.
Fixed rules like amounts, recipients, and allowed actions are enforced before any AI runs.
Works out what the proposed action would actually do. No authority to approve.
Decides against your policy. No reason to obey the agent's request.
Everything from the agent is treated as untrusted evidence, not authority.
Judgment only matters if something enforces it. Sensitive actions run through a governed path that the agent cannot bypass, so a compromised agent still cannot directly spend money, leak data, or change production systems on its own.
Scope
IntentFrame does not try to make your agent more charming, more creative, or more profitable. It makes sure a bad, confused, or compromised agent cannot cross the boundaries you set.
Making the agent good is the developer's job. Making sure a bad agent cannot hurt the business is ours.
IntentFrame is developed through the IntentFrame GitHub organization. The core runtime, SDKs, policy model, Hermes Agent plugin, tests, and documentation are open for review.
Core runtime, policy model, packages, tests, and documentation.
Hermes Agent plugin, TypeScript client, bridge patterns, and control plane work.
Neutral by Design
IntentFrame is designed to sit between agents and actions across stacks. Use the SDK, an HTTPS authorization endpoint, a tool gateway, or a custom adapter. The enforcement boundary stays independent of the agent framework.
For Python agents that can import IntentFrame directly.
For non-Python stacks. Send proposed tool calls over HTTP and receive allow/block decisions.
Install IntentFrame as a security plugin for Nous Research's Hermes Agent, the self-improving AI agent. Govern terminal, code, file, patch, and scheduled actions before they run.
Apply IntentFrame between an agent and the tools it can call.
Integrate with in-house frameworks by wrapping the action path.
Security Invariant
Any ambiguity results in a block or a route to human review — never silent approval. IntentFrame is designed to overblock when uncertain rather than let unauthorized actions through.
Any ambiguity results in rejection or escalation — never silent approval.
Security is the default state.
We do not claim to stop prompt injection. We stop the resulting action at the boundary.
Tell us what your agents can do today and what systems they can touch. We will help map the enforcement path.