
Agentic AI Security: How Project Starfish Governs Every Agent Action

As AI agents take autonomous actions across tools, APIs, and data systems, the attack surface expands dramatically. Project Starfish solves this with a deny-by-default governance layer: no agent action executes unless it is explicitly authorized, bounded, and logged.

The agentic AI security problem

Modern AI agents do not just answer questions. They write files, call APIs, run shell commands, send messages, and move money. The moment an agent can act, every one of those actions is a potential incident.

Most agent frameworks ship the capabilities and stop there. There is no authorization layer between the model's intent and your system, so a single poisoned prompt or a confused tool call can do real damage: delete a directory, exfiltrate a secret, or push code you never reviewed.

The pattern is consistent across the ecosystem: everyone ships skills, nobody ships governance. Agentic AI security is the missing layer that decides, for every action, whether it is allowed at all.

How Project Starfish addresses agentic AI security

Deny-by-default Policy Decision Point (PDP)

Every proposed action is evaluated against policy before it runs. If no rule explicitly allows it, it does not happen. The PDP is a single choke point that brackets every transport (file, shell, network, MCP) on the way in and on the way out.

Hash-chained audit trail

Every decision, allow and deny alike, is written to an append-only, tamper-evident log. You can prove what an agent was permitted to do and what it actually did.

Boundary engine and Token Governor

Each agent is confined to an explicit visibility and write boundary; paths outside it (or into the governance directory) are refused. The Token Governor caps spend and pauses a runaway agent before it burns your budget.

Fail-closed boot

Governance loads first and is not optional. If it cannot start, agents halt. The system fails safe, not open.

Starfish also models separation of duties as a small crew: intake and vetting (Oh Brian) is the only door into the registry, a read-only monitor (Constable Gooey) reconciles activity against deterministic counters, and a custodian (Quartermaster) is the only role allowed reversible, file-level cleanup. No role, including the captain, is above the rules.
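To make the mechanics above concrete, here is an added illustration of a deny-by-default decision point that refuses writes outside an agent's boundary or into the governance directory and records every allow and deny in a hash-chained, tamper-evident log. This is constructed example code, not Project Starfish's own implementation; the `PDP`, `within` and `digest` names, the rule tables and the paths are assumptions.

```python
import hashlib
import json
import posixpath

# Constructed illustration of a deny-by-default decision point with a hash-chained
# audit log. Not Project Starfish's code; rule tables and paths are assumptions.
GOVERNANCE_DIR = "/srv/agent/.governance"            # never writable by any agent
ALLOW_RULES = {"writer-bot": {("file", "read"), ("file", "write")}}
BOUNDARIES = {"writer-bot": "/srv/agent/workspace"}  # each agent's write boundary
GENESIS = "0" * 64                                   # prev-hash of the first record


def within(path, root):
    # Collapse ".." segments first so a traversal cannot escape the check.
    path = posixpath.normpath(path)
    return path == root or path.startswith(root.rstrip("/") + "/")


def digest(record):
    # Canonical SHA-256 over every field except the record's own hash.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PDP:
    def __init__(self):
        self.log = []        # append-only: allow and deny decisions alike
        self.prev = GENESIS

    def decide(self, agent, transport, action, target):
        allowed, reason = False, "no rule allows this action"   # deny by default
        if (transport, action) in ALLOW_RULES.get(agent, set()):
            allowed, reason = True, "allowed by rule"
            if transport == "file":
                boundary = BOUNDARIES.get(agent)
                if within(target, GOVERNANCE_DIR):
                    allowed, reason = False, "target inside governance directory"
                elif boundary is None or not within(target, boundary):
                    allowed, reason = False, "target outside agent boundary"
        record = {"agent": agent, "transport": transport, "action": action,
                  "target": target, "allowed": allowed, "reason": reason, "prev": self.prev}
        record["hash"] = digest(record)   # chain: each hash covers the previous one
        self.log.append(record)
        self.prev = record["hash"]
        return allowed

    def verify(self):
        # Recompute the chain; an edited, reordered or dropped record breaks it.
        prev = GENESIS
        for rec in self.log:
            if rec["prev"] != prev or digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```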

Open-source AI governance tools for agentic systems

Commercial AI governance platforms tend to lock you into their stack and hold your audit logs on their infrastructure. For a security-critical layer, that is a hard trade.

Project Starfish is open-source AI governance: Apache-2.0, local-first, and self-hostable. Your policies and your tamper-evident audit logs stay on your infrastructure, with no vendor dependency for the layer that decides what your agents can do.

Who this is for

Get started - open source, no lock-in

New to the space? Start with the What is AI governance page, or see the full framework.

Project Starfish · open-source, deny-by-default AI agent governance · Apache-2.0.