AgentLock
The Open Authorization Standard for AI Agents
Your AI agent needs a login screen. AgentLock is that login screen. Secure tool calls with declarative, framework-agnostic authorization blocks.
Install with `pip install agentlock`, or `pip install agentlock[crypto]` for Ed25519 signed receipts.
The Authorization Gap
Every critical computing system in history has a formal permissions layer. Except AI agents. Today, tool calls are wide open: if an LLM generates a tool call, the tool executes. This is the "Full Permission" anti-pattern.
Prompt Injection Risk
Malicious input can trick agents into calling tools they shouldn't.
Data Exfiltration
Unrestricted tool access leads to unauthorized mass data reading.
| System Layer | Auth Mechanism | State |
|---|---|---|
| Unix/Linux | User/Group (rwx) | SECURE |
| Databases | GRANT/REVOKE (CRUD) | SECURE |
| Cloud API | IAM / OAuth Scopes | SECURE |
| AI Agent Tools | None (Plain JSON) | AT RISK |
Tool Permissions Block
```json
{
  "name": "send_email",
  "description": "Send an email to a recipient",
  "parameters": {
    "to": { "type": "string" },
    "subject": { "type": "string" },
    "body": { "type": "string" }
  },
  "agentlock": {
    "version": "1.2",
    "risk_level": "high",
    "requires_auth": true,
    "allowed_roles": ["admin", "customer"],
    "scope": {
      "data_boundary": "authenticated_user_only",
      "max_records": null,
      "allowed_recipients": "known_contacts_only"
    },
    "rate_limit": {
      "max_calls": 5,
      "window_seconds": 3600
    },
    "data_policy": {
      "output_classification": "may_contain_pii",
      "prohibited_in_output": ["ssn", "credit_card"],
      "redaction": "auto"
    },
    "context_policy": {
      "source_authorities": {
        "system_prompt": "authoritative",
        "user_input": "user_input",
        "web_search": "untrusted"
      },
      "reject_unattributed": true
    },
    "audit": { "log_level": "full" },
    "human_approval": { "required": false }
  }
}
```

The AgentLock Block
A standardized metadata block that travels with every tool definition. Any agent framework can enforce security before a tool call hits your backend. No vendor lock-in required.
1. Declarative Security
Stop hardcoding permission checks. Declare them in the tool schema: roles, scope, data boundaries, and redaction rules.
2. Single-Use Tokens
Every authorized call gets a one-time token bound to the operation. Replay attacks are impossible by design.
3. Audit Ready
Every allow and deny produces a structured audit record, compatible with SIEM tools and compliance requirements.
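The single-use token idea can be sketched with the standard library alone. This is an illustrative stand-in, not AgentLock's internal code: the token is bound to a SHA-256 hash of the exact tool name and parameters, and redeeming it a second time raises an error (the `TokenReplayedError` name follows the spec's own terminology; `TokenStore`, `issue`, and `redeem` are hypothetical names for this sketch).

```python
import hashlib
import json
import secrets


class TokenReplayedError(Exception):
    """Raised when a single-use token is presented a second time."""


class TokenStore:
    """Sketch of single-use, operation-bound execution tokens."""

    def __init__(self):
        self._live = {}  # token_id -> hash of the operation it authorizes

    @staticmethod
    def _op_hash(tool: str, params: dict) -> str:
        # Canonical JSON so the same call always hashes the same way.
        payload = json.dumps({"tool": tool, "params": params}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def issue(self, tool: str, params: dict) -> str:
        token_id = secrets.token_hex(16)
        self._live[token_id] = self._op_hash(tool, params)
        return token_id

    def redeem(self, token_id: str, tool: str, params: dict) -> None:
        if token_id not in self._live:
            raise TokenReplayedError("token already used or never issued")
        # Pop first: even a mismatched redemption burns the token.
        if self._live.pop(token_id) != self._op_hash(tool, params):
            raise ValueError("token is bound to a different operation")
```

Because the token is consumed on first redemption, replaying a captured token fails by construction rather than by detection.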
The AgentLock Architecture
Layer 1: Agent
Conversation & Decision. Generates tool call intent.
Layer 2: Gate
The AgentLock Standard. Intercepts intent, validates identity and permissions.
Layer 3: Tool
Execution. Only runs if Layer 2 issues a one-time token.
Why this matters:
By separating the intent to call from the permission to call, AgentLock prevents autonomous agents from making dangerous mistakes or being manipulated by adversarial prompts. It brings Zero Trust to the AI tool ecosystem.
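The intent/permission split can be shown in a few lines. Everything here (`ToyGate`, `Decision`, `run_call`) is a hypothetical illustration of the three-layer separation, not the AgentLock API: the agent only proposes a call, the gate decides, and the tool function runs solely on an allow.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    reason: str = ""


class ToyGate:
    """Toy Layer-2 gate: validates a proposed call against declarative policy."""

    def __init__(self, policies: dict):
        self.policies = policies  # tool name -> {"allowed_roles": [...]}

    def authorize(self, tool: str, role: str) -> Decision:
        policy = self.policies.get(tool)
        if policy is None:
            return Decision(False, "unknown tool")
        if role not in policy["allowed_roles"]:
            return Decision(False, f"role {role!r} not in allowed_roles")
        return Decision(True)


def run_call(gate: ToyGate, tools: dict, tool: str, role: str, **args):
    decision = gate.authorize(tool, role)  # Layer 2: permission to call
    if not decision.allowed:
        return {"status": "denied", "reason": decision.reason}
    return {"status": "ok", "result": tools[tool](**args)}  # Layer 3: execution
```

The key property: the tool function is unreachable except through the gate, so a manipulated Layer 1 can at worst produce denied intents.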
What AgentLock Prevents
AgentLock is designed to stop the most critical attack categories against AI agents.
| Attack Category | How AgentLock Prevents It |
|---|---|
| Prompt Injection | Permission blocks are enforced at the infrastructure level, not by the LLM. Even if the agent is tricked, the gate denies unauthorized calls. |
| Social Engineering | Role-based access control prevents agents from performing actions outside their assigned role, regardless of conversational manipulation. |
| Data Exfiltration | Data boundary enforcement (authenticated_user_only, team, organization) and max_records limits restrict what data an agent can access. |
| Privilege Escalation | Allowed roles are declared per-tool and validated by the gate. An agent cannot grant itself higher permissions. |
| Tool Abuse | Rate limiting with sliding window enforcement prevents runaway loops, brute-force attacks, and excessive API consumption. |
| Token Replay | Every execution token is single-use, operation-bound (SHA-256 of parameters), and time-limited. Replay attempts raise TokenReplayedError. |
| Agent Impersonation | Session management with authenticated identity verification ensures agents cannot impersonate other users or roles. |
| Memory Poisoning | Data policy enforcement with output classification and automatic redaction prevents sensitive data from leaking into agent memory. |
What's New in v1.2
Adaptive hardening, three new decision types, and multi-signal threat detection.
Adaptive Prompt Hardening
Pre-LLM threat detection scans user messages before the model processes them. Dynamic system prompt injection based on real-time session risk scoring.
MODIFY Decision Type
Transform tool outputs before the LLM sees them. PII redaction, domain restriction, path whitelisting. The tool runs but sensitive data never enters the model context.
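A MODIFY decision can be approximated with plain regex redaction. The patterns below are simplified stand-ins for the `ssn` and `credit_card` classes named in the example data_policy; production detectors would be considerably more robust, and `modify_output` is a hypothetical name for this sketch.

```python
import re

# Simplified, illustrative patterns for prohibited_in_output classes.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def modify_output(text: str, prohibited: list) -> str:
    """MODIFY sketch: the tool ran, but prohibited values are redacted
    before the text ever enters the model context."""
    for name in prohibited:
        text = PATTERNS[name].sub(f"[REDACTED:{name}]", text)
    return text
```

The important property is placement: redaction happens between tool return and model input, so the sensitive value never becomes part of the conversation the LLM can echo.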
DEFER Decision Type
Suspend ambiguous tool calls when context is insufficient. Auto-denies on timeout. Catches first-turn attacks on high-risk tools.
STEP_UP Decision Type
Require human approval when session risk is elevated. Catches multi-tool escalation patterns and post-denial retries.
5 Decision Types
ALLOW, DENY, DEFER, STEP_UP, MODIFY. Beyond binary allow/deny.
4 Signal Detectors
Behavioral velocity, tool combination anomaly, response echo detection, and pre-LLM prompt scanning.
Ed25519 Signed Receipts (AARM R5)
Every authorization decision produces a cryptographically signed receipt. Verifiable offline without gate access. Ed25519 default with HMAC-SHA256 fallback. Install with pip install agentlock[crypto].
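The HMAC-SHA256 fallback can be sketched with the standard library alone. The receipt fields and key handling here are hypothetical illustrations; Ed25519 signing via the `[crypto]` extra follows the same sign/verify shape with an asymmetric keypair instead of a shared key.

```python
import hashlib
import hmac
import json


def sign_receipt(receipt: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 signature over the canonical JSON encoding."""
    payload = json.dumps(receipt, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {**receipt, "sig": sig}


def verify_receipt(signed: dict, key: bytes) -> bool:
    # Verification needs only the key and the receipt itself: no gate access.
    receipt = {k: v for k, v in signed.items() if k != "sig"}
    payload = json.dumps(receipt, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])
```

`compare_digest` avoids timing side channels; canonical (sorted-key) JSON ensures signer and verifier serialize the receipt identically.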
Hash-Chained Context (AARM R2)
Every context entry includes the hash of the previous entry, forming a tamper-evident append-only chain. Modifying any entry invalidates all subsequent entries.
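The chain structure can be sketched as follows. The field names (`content`, `prev`, `hash`) are illustrative, not the spec's wire format; the property that matters is that editing any entry breaks verification of everything after it.

```python
import hashlib
import json

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def _entry_hash(content: str, prev_hash: str) -> str:
    payload = json.dumps({"content": content, "prev": prev_hash})
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain: list, content: str) -> list:
    """Append-only: each new entry commits to the hash of the previous one."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"content": content, "prev": prev_hash,
             "hash": _entry_hash(content, prev_hash)}
    return chain + [entry]


def verify_chain(chain: list) -> bool:
    prev_hash = GENESIS
    for entry in chain:
        if entry["prev"] != prev_hash:
            return False
        if entry["hash"] != _entry_hash(entry["content"], prev_hash):
            return False
        prev_hash = entry["hash"]
    return True
```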
First-Call Deferral
Defer the first tool call in any session regardless of risk level. Catches first-turn attacks before signals accumulate.
Deny-on-Block Escalation
When a whitelist transformation blocks a parameter, MODIFY escalates to DENY. The tool does not execute.
Foundation features carried into v1.2.1
Context Provenance Tracking
Every piece of context carries source attribution, authority level, and content hash.
Trust Degradation
Session trust is monotonic. Once untrusted content enters context, trust only goes down. Requires new session to reset.
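Monotonic trust is a one-line invariant: the session level can only move down. A toy sketch using the three authority levels, with `SessionTrust` and `ingest` as hypothetical names for this illustration:

```python
# Numeric ranks for the three context authority levels.
LEVELS = {"authoritative": 2, "derived": 1, "untrusted": 0}


class SessionTrust:
    """Monotonic trust: ingesting content can lower the session's trust
    level but never raise it. A reset requires a new session."""

    def __init__(self):
        self.level = "authoritative"

    def ingest(self, source_authority: str) -> str:
        if LEVELS[source_authority] < LEVELS[self.level]:
            self.level = source_authority
        return self.level
```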
Memory Gate
Controls who can read and write to agent memory, with persistence scope (none, session, cross-session) and prohibited content rules.
3 Context Authority Levels
authoritative, derived, untrusted.
Full Backward Compatibility
v1.2.1 stays fully backward compatible with all earlier policies. Existing definitions continue to work without changes.
Independent Filter Pipeline
Injection defense and PII protection run as separate, non-interfering layers. Tuning one never degrades the other.
Tested Against 181 Adversarial Attacks
We ran the same enterprise attack suite against a LangChain agent with and without AgentLock. Same model. Same tools. Same attacks. Only the middleware changed.
| Metric | No AgentLock | AgentLock v1.2.1 |
|---|---|---|
| Injection Failures | 73 | 12 |
| Injection Pass Rate | 56% | 93.4% |
| PII Leaks | 3 items leaked | 0 (perfect) |
| YARA Threat Signatures | 13 | 2 |
| Attack Categories Eliminated | 0 | 17 of 29 |
| Overall Security Score | 45/F | 66/D |
The 12 remaining failures are model-layer information leakage: the LLM confirms it has a system prompt while refusing to share it. No middleware can fix this. It requires model-level instruction tuning.
Tested Against Compromised Admin
The hardest test. The attacker has valid admin credentials with full permissions. Auth and role checks pass on every call. AgentLock must rely on adaptive hardening, output modification, and behavioral detection to stop attacks.
| Metric | Without Hardening | AgentLock v1.2.1 |
|---|---|---|
| Pass Rate | 30.2% | 99.5% |
| Grade | F | A |
| Categories at 100/A | 0 | 34 |
| Categories at 80/B+ | 0 | 35 |
| Raw PII Exfiltrated | Yes | Zero |
AgentLock v1.2.1 introduces Ed25519 signed receipts, hash-chained tamper-evident context, first-call deferral for all tool risk levels, and deny-on-block whitelist escalation. Combined with v1.2.0's adaptive hardening, MODIFY, DEFER, and STEP_UP decision types, AgentLock achieves a 99.5% pass rate with only 1 failure out of 222 adversarial attack vectors. Zero raw PII exfiltrated.
AARM Conformance
AgentLock covers 7 of 9 AARM requirements with 2 foundations shipped.
| ID | Requirement | Status |
|---|---|---|
| R1 | Action Mediation | SHIPPED |
| R2 | Context Accumulation | SHIPPED (v1.2.1) |
| R3 | Policy Engine | SHIPPED |
| R4 | Decision Types (5) | SHIPPED |
| R5 | Signed Receipts | SHIPPED (v1.2.1) |
| R6 | Identity Attribution | SHIPPED (delegation designed) |
| R7 | Drift Detection | SHIPPED |
| R8 | SIEM Export | Foundation SHIPPED |
| R9 | Least Privilege | SHIPPED |
Not a Product. A Standard.
AgentLock is an open authorization standard, not a SaaS product, not a vendor SDK. It's Apache 2.0 licensed, framework-agnostic, and designed so that any agent framework can enforce security without buying anything.
When evaluating alternatives such as Veto, APort, or NeMo Guardrails, compare them on these capabilities, all of which AgentLock provides:

- Open standard (Apache 2.0)
- Framework agnostic
- Declarative tool permissions
- Single-use execution tokens
- Built-in rate limiting
- Data redaction engine
- Structured audit trail
- No vendor lock-in
Try It Yourself
Install from PyPI and protect your first tool in under a minute.
```bash
pip install agentlock
pip install agentlock[crypto]   # for Ed25519 signing
```
```python
# quickstart.py
from agentlock import AuthorizationGate

gate = AuthorizationGate()

gate.register_tool("send_email", {
    "version": "1.2",
    "risk_level": "high",
    "requires_auth": True,
    "allowed_roles": ["admin", "support"],
    "scope": {
        "data_boundary": "authenticated_user_only",
        "allowed_recipients": "known_contacts_only"
    },
    "rate_limit": {
        "max_calls": 10,
        "window_seconds": 3600
    },
    "data_policy": {
        "output_classification": "may_contain_pii",
        "prohibited_in_output": ["ssn", "credit_card"],
        "redaction": "auto"
    },
    "audit": {"log_level": "standard"},
    "human_approval": {"required": False}
})

result = gate.authorize(
    "send_email",
    user_id="alice",
    role="admin"
)

if result.allowed:
    print(f"Authorized: token={result.token.token_id}")
else:
    print(f"Denied: {result.denial}")
```

Roadmap
Where AgentLock is headed.
Tool Permissions
SHIPPED: Declarative authorization blocks, single-use tokens, rate limiting, data redaction, audit trail.
Context Authority & Memory Gate
SHIPPED: Context authority model with trust degradation, provenance tracking, and memory access control. Independent injection and PII filter pipeline.
Adaptive Hardening & Decision Types
SHIPPED (stable): Adaptive hardening, MODIFY/DEFER/STEP_UP decisions, Ed25519 signed receipts, hash-chained context, multi-signal detection. 847 tests.
Output Destination Control
Restrict where agent outputs can be sent: channels, APIs, and storage destinations.
Execution Scope & Behavioral Policy
Full behavioral policy engine. Constrain what agents can do, not just what tools they can call. Compliance report templates for SOC 2, HIPAA, EU AI Act, and SR 11-7.
Aligning with Global AI Safety Standards
NIST AI 100-1
Risk Management Framework
OWASP LLM01
Injection Mitigation
MITRE ATLAS
Threat Context Alignment
EU AI Act
Governance & Compliance