AI Agent Security · NHI Security

Inline control for AI agents. Non-human identity security at the wire.

AI Agent Security · NHI Security

Inline control for AI agents. Non-human identity security at the wire.

Every AI agent in your environment is a non-human identity making tool calls against real systems. Paart sits inline between agents and the tools they invoke, inspects MCP / OpenAI / Anthropic traffic at the wire, classifies every agent, and enforces policy in 1.82 ms.

BOOK A PILOT → HOW IT WORKS

p99 verdict latency 1.82 ms

speed 55× UNDER BUDGET

Peak throughput 20K evt/s

graph_5 20× HEADLINE RATE

Verdict vocabulary 7 / 7

gavel TRANSPARENT

Threat scenarios pass 8 / 8

verified PASS IN CI

The Problem

Two security gaps converging on one identity surface.

Most tools address one of them, in observation mode, after the fact. Paart addresses both, inline, before the request lands on its target.

01 / Agent behaviour

AI agents are operating without controls.

Copilots, IDE assistants, autonomous agents, MCP servers — all making tool calls against your data, your APIs, your filesystem. Most security stacks never see the traffic.

priority_highPrompt injection arriving from documents, emails, and tool outputs — not just chat
priority_highShadow MCP servers installed on developer machines without IT review
priority_highSecrets, PII, and credentials leaking through tool-call arguments
priority_highCode-assistants suggesting destructive shell, insecure dependencies, force-push to protected branches
priority_highAutonomous agents escalating privilege through chained tool calls nobody approved

02 / Non-human identity NHI

Every agent is a non-human identity.

NHIs already outnumber human users many times over in most enterprises. AI agents are the fastest-growing class — and the only one that makes autonomous decisions.

priority_highNHI discovery tools catalog tokens and service accounts — they don't sit in the data path
priority_highYou can't enforce least-privilege on an identity whose behaviour you never observe
priority_highAgent fingerprints (JA3/JA4, framework, model) are an NHI primary key — if you record them
priority_highThe same identity acting normally yesterday can be compromised today — posture isn't enough
priority_highGovernance asks “who can do what?” — the only honest answer is observed behaviour, not stated permissions

How it works

An inline gateway. A six-stage pipeline. A transparent verdict.

Every request is normalised to a protocol-agnostic shape, runs through the inspection pipeline, and is allowed, transformed, deferred, or blocked — in a documented number of milliseconds.

Source

Agent

Copilot, IDE assistant, MCP server, autonomous agent, custom client. Fingerprinted on first connect.

Paart gateway · inspection pipeline

Policy

Diff

Risk

Graph

Schema

Semantic

Fail-closed. 100 ms hard budget; 1.82 ms p99 observed. Decision joined to the agent's NHI record — classification, fingerprint, history.

Outcome

1 of 7 verdicts

Enforced in line with the request. Recorded in audit. Stream to SIEM. Surface in Console.

Core Infrastructure

The Paart Stack

01/Gateway

Inline proxy

Reverse-proxy that inspects MCP, OpenAI, Anthropic at the wire. Enforces verdicts in <2 ms p99.

02/API

Control plane

REST + gRPC. Policy engine, approvals workflow, event recording, SIEM export.

03/Sentinel

Endpoint daemon

Discovers local MCP configs, wraps stdio processes. Optional eBPF sensor on Linux (planned).

04/Cortex

Semantic engine

Prompt-injection classifier. Regex default; optional DeBERTa-v3 transformer behind a config flag.

05/Console

Operator UI

React + TS dashboard. Approvals queue, policy editor, agent inventory, audit, traffic.

The vocabulary

Seven verdicts. No black-box risk score.

Every detected request resolves to exactly one of these outcomes; the higher-precedence verdict wins when multiple rules fire.

allow

Request proceeds untouched. Recorded as evidence.

monitor_only

Allowed, flagged for review. Shadow-mode rollouts.

hide

Strip a tool from the agent's tool list before it's seen.

redact

Scrub secrets, PII, sensitive fields from args + responses.

require_approval

Pause until a human decides in Console. Default expiry.

deny

Block with a protocol-correct error. Agent gets a clean rejection.

quarantine

Block and isolate the session and identity. NHI is non-trusted.

Precedence quarantine deny require_approval redact hide monitor_only allow

Protocol Coverage

One pipeline, three protocols — tagged honestly.

Protocol

Status

Notes

MCP (JSON-RPC)

Stable

Pilot-tested end-to-end. Four phase-1 threat scenarios pass on the pilot VM.

OpenAI function-calling

Experimental

Codec, deny rendering, cross-protocol rule parity proven. Promotes to stable with the production-overlay load run.

Anthropic tool-use

Experimental

Same pipeline, same rule IDs, Anthropic-shaped error on deny. Same promotion path.

Generic HTTP / custom

Planned

Protocol interface is extensible; custom codecs implement Detect / ParseRequest / ParseResponse / RebuildResponse.

Use cases

Twelve scenarios Paart covers today.

Nine drawn from the AI-security category, three from the NHI category. Each card names the verdict and the maturity tag for the path that drives it.

01 Shadow AI

Shadow agent discovery

Fingerprint every agent on first connect via headers and framework signatures. New agents land in the “Unknown Agents” view; bulk promote or block.

quarantineM4 · stable

02 Data protection

Secret & PII leakage

Built-in detectors for AWS keys, GitHub tokens, OAuth secrets, credit cards, SSNs, 20+ secret formats — redacted in arguments and responses, both directions.

redactbuiltin rules · stable

03 Prompt injection

Direct & indirect injection

Regex baseline today; transformer classifier (DeBERTa-v3-base) behind a config flag, with measured P/R against HackAPrompt + OWASP LLM01.

denyCortex · experimental

04 Code assistants

Insecure code & destructive shell

Curated rule pack for IDE agents: destructive shell (rm -rf /, fork bombs), creds in commits, lateral file access, curl … | bash.

denycode-assistants pack · stable

05 Supply chain

Tool poisoning & schema drift

MCP servers advertise tool schemas; Paart snapshots them, diffs across sessions, flags widened permissions or new dangerous parameters before they're used.

quarantinediff + schema · stable

06 Privilege escalation

Lateral movement detection

Graph of agent → server → tool relationships flags anomalous chains: a chatbot reaching for a deploy tool, a code-assistant pivoting to production DB.

denygraph engine · stable

07 Compliance

OWASP LLM Top-10 mapping

Rule packs reference OWASP LLM01 (injection), LLM02 (output handling), LLM06 (sensitive disclosure), LLM08 (excessive agency). Aligned with NIST AI RMF.

monitor_onlyrule packs · stable

08 Copilot security

Microsoft Copilot & SaaS AI

The same inline pipeline inspects any HTTP-routable agent traffic. Point a Copilot connector or SaaS LLM at the gateway and the rule packs apply unchanged.

redactprotocol-agnostic · experimental

09 Governance

HITL approvals on high-blast actions

Any rule can pause the request on require_approval. Pending decisions land in Console › Approvals; operator approves or denies; agent unblocks.

require_approvalP2.2.1 · stable

10 NHI · Discovery

Non-human identity inventory

Every agent gets a stable fingerprint, a classification (enterprise_managed / shadow_agent / suspicious / malicious), a behaviour history. Bulk-promote, bulk-block.

monitor_onlyagent taxonomy · stable

11 NHI · Runtime

Behavioural least-privilege

Posture tools tell you what an identity can do. Paart enforces what it does — per tool call, per session, with the verdict joined to the NHI record for audit.

denypolicy + agent join · stable

12 NHI · Response

Compromised-identity quarantine

An NHI that crosses a risk threshold — injection success, lateral chain, exfil pattern — is quarantined at the gateway. No code change, no rotation outage.

quarantinerisk engine · stable

In the Console

Operator workflows, not just dashboards.

When a high-blast-radius call is paused on require_approval, this is the seat the operator drops into.

console › approvals

LIVE · refreshed 2s ago

Pending approvals 3

Pending

chatbot-prod-eu [enterprise_managed]

issue_refund · amount ≥ $5,000 · rule cs-003-financial-action-requires-approval

2m ago

Pending

cursor-engineering-dev42 [enterprise_managed]

execute_shell · git push --force origin main · rule code-007-protected-branch

14s ago

Pending

unknown-mcp-server-7a3f [shadow_agent]

tool_list · 14 new tools advertised · rule builtin-009-schema-drift

just now

Illustrative; rule IDs and verdict mappings reflect rules shipped in customer-service-ai · code-assistants · the built-in set in internal/policy/rules/engine.go.

Performance

Measured. Published. Regression-guarded in CI.

A “sub-100 ms” claim inherited from a paper is not a number. Below is the number the engine actually produces, on the documented harness, with the artifact stored from every main-branch build.

1.82 milliseconds p99 verdict latency

1,000 evt/sec · mixed protocol mix · 10-minute soak

Apple M1 Max, 100 sessions, mixed MCP / OpenAI / Anthropic. Zero errors and zero over-budget events across 599,986 samples. Rate sweep reaches 20,000 evt/sec (20× headline) with p99 still at 3.88 ms.

p50

287 µs

p95

708 µs

p99

1.82 ms

max

22.68 ms

Measured on the documented benchmark harness, regenerated from every main-branch build.

Rule Packs

Three curated bundles. CI-tested against silent-failure regex.

Start from a pack instead of an empty rule set. Each pack ships as a ConfigMap and is gated for RE2 compatibility, ID uniqueness, positive/negative smoke — the engine's silent-failure mode (regex that “appears active, never fires”) can't hide in production.

CB / Chatbot deployments

Public-facing assistants

→DAN-family jailbreaks & direct overrides
→System-prompt extraction
→Secret leakage in responses
→Model / human impersonation
→Excessive PII collection

CA / Code assistants

IDE & coding agents

→Destructive shell & fork bombs
→Credentials in commits & output
→Lateral filesystem access
→Dependency confusion
→curl … | bash patterns

CS / Customer-service AI

Support & financial bots

→CC / SSN redaction in responses
→HITL on refunds, chargebacks, voids
→Cross-customer data probing
→Urgency / authority social-engineering
→Mass-export approval gates

Built on

Not a greenfield rewrite. Core inspection packages are battle-tested IDS code we extend, never re-invent.

Paart's policy, schema, diff, risk, graph, and rules engines all derive from MCPIDS by Cognifinity. The protocol codec layer, gateway, agent taxonomy, and operator surfaces (Console, approvals, SIEM exporters) are net-new.

internal/policy internal/schema internal/diff internal/risk internal/graph internal/policy/rules

Ready to talk?

Paart is in design-partner pilot. Get in touch and we'll walk you through what's stable today, what's still on the bench, and whether it fits your environment.

BOOK A PILOT →