AgentGuard
A defense-in-depth action firewall for tool-using agents — with a model-internal intent brake that catches a class of harm every production guardrail is structurally blind to.
Why it exists
Every shipping agent guardrail — Llama Guard, NeMo, Lakera, Invariant, AEGIS, LangGraph human-in-the-loop, and every crypto-agent wallet (Coinbase AgentKit, MetaMask + Blockaid, Turnkey, Fireblocks) — gates dangerous tool calls on text, arguments, or deterministic policy. None read the model's internal state. That leaves two gaps:
- Obfuscation.A text classifier can't read a base64 / Morse / homoglyph injection — the May-2025 Grok/Bankr Morse-code wallet drain.
- Model-origin harm. When an agent, from clean trusted context, internally commits to an irreversible action nobody authorized(misalignment, reward-hacking, over-eager “to be safe I'll just delete it”), there is no untrusted input to taint-track and no malicious argument to match. The entire deterministic + text stack is blind.
Four independent layers
Each covers the others' blind spots. Only the model-internal layer closes model-origin harm.
L0 · policy
Are the parameters policy-compliant?
catches: unknown recipient, over-limit
blind to: intent
L1 · provenance
Does the action derive from untrusted data? (CaMeL-style taint)
catches: prompt injection — incl. obfuscated (it reads dataflow, not text)
blind to: model-origin (no taint to find)
L2 · intent brake
Is the agent internally committed to an unauthorized irreversible action?
catches: MODEL-ORIGIN harm, laundered injection
blind to: needs white-box weights
L3 · actuation
What to do about it?
catches: block · redirect-to-safe · escalate-to-human
blind to: —
The L2 brake is grounded in real measurements: a task-matched late-layer patch collapses a committed irreversible action to 0.00 emission and redirects 100% to a safe read-only action, across 6 actions and 3 architectures (McNemar b=24/c=0 for send). Published, eval 88/88 — Zenodo 10.5281/zenodo.20679287.
AgentActionBench — the coverage proof
24 scenarios, 6 irreversible actions × 4 origin classes. The union catches 100% of attacks at 0% false positives on benign authorized actions — and model-origin harm is caught only by the model-internal layer.
| origin class | text_guard | L0 | L1 | L2 | union |
|---|---|---|---|---|---|
| input-origin (plain) | 100% | 100% | 100% | 100% | 100% |
| input-origin (obfusc. + allowlisted) | 0% | 0% | 100% | 100% | 100% |
| MODEL-origin (clean context) | 0% | 0% | 0% | 100% | 100% |
| benign (false-positive ctrl) | 0% | 0% | 0% | 0% | 0% |
Attacks: higher = more caught (want 100%). The benign row is the false-positive rate (want 0%). Recompute it yourself: python3 bench/run_bench.py; verify against the live ledgers: python3 eval_agentguard.py (51/51).

Honest scope
AgentGuard is defense-in-depth, not a single robust layer. The deterministic layers carry the adaptive-robustness weight; L2 is a cheap model-internal signal that uniquely covers model-origin harm. It requires white-box / defender-owned (open) weights and is not robust to a white-box activation-spaceadversary (obfuscated-activations attacks) — the threat model is a prompt/environment adversary against a model the defender controls. The brake's suppress/redirect efficacy is published real data; the model-origin detection signal is now measured in a pilot (Qwen3.6-27B, n=40): a late-layer probe (cleanest at L59, where a random direction is at chance) separates authorized from unauthorized commits — including model-origin — and the direction generalizes across attack origin (train injection → test model-origin). AUROC=1.0 is a pilot ceiling; scale + harder negatives next. Benchmark actions are simulated. Full ledger in SCOPE.md.
pip install -e .
python3 -m pytest -q # 20 passing
python3 bench/run_bench.py # the coverage matrix
python3 eval_agentguard.py # 51/51 — thesis + live HF ledger ground-check