Security and Compliance
IntentFrame assumes the agent may be wrong, tricked, or compromised. The rules live outside the agent, sensitive actions run through a governed path the agent does not control, and every proposed action is checked before execution.
IntentFrame does not rely on the agent to follow instructions. The agent's request is treated as evidence for evaluation, not authority. It can propose an action, but it cannot approve the action or directly touch the real system.
The Core Distinction
Monitoring watches agents as they act. IntentFrame prevents them from acting without validation. The agent already has capability when surveillance notices something wrong.
| | Structural prevention | Surveillance (monitoring) |
|---|---|---|
| Credential access | Only the validated execution path has credentials | Agents have credentials |
| Attack timing | Prevents execution capability from being misused | Detects attacks after capability exists |
| Defense type | Architectural — novel attacks still hit the boundary | Pattern-based — can miss novel attacks |
| Response model | Proactive enforcement before execution | Reactive alerting |
| Security outcome | Stops what should not happen | Logs what happened |
Monitoring tells you what happened.
IntentFrame controls what is allowed to happen.
Zero Hopeful Trust
Most agent deployments still rely on hopeful trust: hope the developer scoped permissions correctly, hope the agent interprets instructions safely, hope prompt injection does not slip through, hope side effects were anticipated.
Hope is not a security model.
IntentFrame replaces hope with an enforced boundary.
We do not claim to stop the model from being tricked. We stop the unauthorized action that results from the trick.
- Refunds, payments, account changes, or record updates that break your business rules are blocked before they run.
- Agents acting outside approved accounts, recipients, targets, or action types are blocked.
- An action whose stated reason does not match what it would actually do is caught by cross-checking the request against its own details.
- Deleting or altering records and data — and, where an agent has system access, files and infrastructure — can be governed before execution.
- Every decision can produce a record explaining what happened and why.
Prompt injection can still trick the model. IntentFrame's job is to prevent the agent from turning that compromised reasoning into an unauthorized action.
We cap damage at the boundary. We do not pretend to eliminate the cause.
Fail-Closed
Unclear means blocked or sent to human review — never silent approval. The safe default is to stop execution when validation cannot confidently allow an action.
Security is the default state.
For production agents, logs are not enough. Security and compliance teams need to reconstruct what the agent asked for, which rule applied, why a decision was made, and whether the action executed.
The audit trail should answer: what did the agent decide, what did IntentFrame allow, and on whose authority?
For Security Reviewers
The summary above is the honest version. This section adds the detail a security team needs to evaluate the model, including what runs without AI, where AI is involved, and what is explicitly out of scope.
We make one falsifiable claim: an action that violates your policy does not execute through the governed path, even if the agent is fully compromised. That claim is meant to be attacked. We publish adversarial test results rather than asking you to take it on faith.
Hard limits are checked deterministically before any model runs: amount caps, allowed recipients and accounts, allowed action types, required fields, and obviously dangerous operations. Execution-side deterministic checks may also run immediately before an allowed action is carried out. If these checks fail, the action is blocked regardless of what any AI thinks.
Trusted: your written policy and the deterministic checks. Untrusted: the agent and anything it ingests, including its own reasoning and tool output. Partially trusted: the AI review steps, which can interpret an action but cannot grant authority — their output is still checked against deterministic policy before anything runs.
IntentFrame does not try to detect every injection. Instead, malicious text the agent absorbs can only ever become a proposed action, and every proposed action is checked against trusted policy that the agent cannot edit. The reason given for an action is also cross-checked against the action's real details, so 'process a routine refund' that actually wires money to a new account is caught.
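The deterministic-first, fail-closed flow described in the last three paragraphs, as an added illustration that is not IntentFrame's code: a constructed policy, a refund whose stated purpose is cross-checked against the order it claims to refund, and an advisory `ai_review` hook that can escalate but never approve. The policy values, account and order ids, and the `ai_review` callable are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative engine for the model above: deterministic limits run first, AI review is
# advisory, anything unclear fails closed. Not IntentFrame's code; all values constructed.
POLICY = {
    "allowed_types": {"refund", "add_note"},
    "amount_cap": {"refund": 200.00},
    "allowed_accounts": {"acct-001", "acct-002"},
    "required_fields": {"refund": {"amount", "account", "order_id", "reason"},
                        "add_note": {"order_id", "text", "reason"}},
}
# Constructed order ledger, used to check that a "refund" actually returns funds
# to the account that paid rather than to some other allow-listed account.
ORDERS = {"ord-17": {"account": "acct-001", "total": 120.00}}

@dataclass
class Record:
    decision: str                  # "allow" | "block" | "review"
    reasons: list = field(default_factory=list)

def deterministic_check(action: dict) -> Record:
    kind = action.get("type")
    why = []
    if kind not in POLICY["allowed_types"]:
        return Record("block", [f"action type {kind!r} not allowed"])
    missing = POLICY["required_fields"][kind] - set(action)
    if missing:
        why.append(f"missing required fields {sorted(missing)}")
    if kind == "refund":
        if action.get("amount", 0) > POLICY["amount_cap"]["refund"]:
            why.append("amount exceeds cap")
        if action.get("account") not in POLICY["allowed_accounts"]:
            why.append("account not on allow-list")
        order = ORDERS.get(action.get("order_id"))
        if order is None:
            why.append("unknown order_id; destination cannot be cross-checked")
        elif action.get("account") != order["account"]:
            why.append("refund destination differs from the order's paying account")
    return Record("block" if why else "allow", why)

def govern(action: dict, ai_review: Optional[Callable[[dict], str]] = None) -> Record:
    rec = deterministic_check(action)
    if rec.decision == "block" or ai_review is None:
        return rec                 # a deterministic block stands no matter what AI says
    try:
        verdict = ai_review(action)    # advisory: can escalate, can never grant authority
    except Exception as exc:
        return Record("review", [f"AI review unavailable ({exc!r}); failing closed"])
    return rec if verdict == "ok" else Record("review", [f"AI review flagged: {verdict}"])
```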
In scope: blocking individual unauthorized actions, enforcing business limits, separating reasoning from authority, and producing per-action evidence. Out of scope: making the base model correct, stopping injection from changing the model's internal state, detecting abuse spread across many individually-allowed steps, and any action that bypasses the supported IntentFrame path entirely.
Shipped: deterministic limits, separated AI review, fail-closed defaults, and tamper-evident audit records. Known gaps we are honest about: policy quality is still your responsibility, multi-step 'slow' abuse is an active area of work, and AI review adds latency and inference cost on the actions that require it. We would rather tell you the edges than oversell them.
IntentFrame is not a compliance certificate. It is an enforcement and evidence layer that helps teams satisfy review requirements around policy, access, decisioning, and auditability — increasingly a hard requirement as agent regulation takes effect.
- Per-action records, control evidence, and runtime governance for agent decisions as enforcement timelines arrive.
- Enforcement and access controls that hold at the action layer, not just in a system prompt an agent can ignore.
- Control evidence around authorization, change management, logging, policy, and review.
- Evidence for AI governance, risk management, monitoring, and accountability.
- Runtime control, decision evidence, and separation between recommendation and execution.
Compliance requirements vary by organization, jurisdiction, and deployment. IntentFrame provides controls and evidence that your team can evaluate as part of your compliance program.
IntentFrame supports multiple deployment profiles so teams can choose the right data boundary.
- Dedicated managed deployment. Fastest path for teams that can use a managed endpoint.
- Runs inside your cloud or VPC. Data and credentials stay in your environment.
- Customer-operated runtime for maximum infrastructure control.
- Scoped during architecture review for regulated or disconnected environments.
Where your data goes during a decision.
Hard-limit checks run locally, or inside your own cloud, and send nothing out. When an action needs AI review, the action details and relevant context are sent to the model provider configured for your deployment. In private, self-hosted, and air-gapped deployments, that review stays inside your environment, so sensitive data never has to leave your boundary to be governed.
For enterprise evaluations, we can support architecture review, deployment scoping, policy design, audit evidence mapping, and security documentation.