AI Agent Guardrails

Enforce your AI policy with runtime guardrails

Obsidian Security allows teams to deploy real-time enforcements, stopping privilege escalation, unsanctioned connections, and toxic combinations across every AI platform you run.

Jump To:
Challenge
Solution
Use Cases
Customer Stories
FAQ

Autonomous agents are operating inside controls built for human users.

Traditional access controls assume a known user, a known scope, and a known action. None of those assumptions hold for autonomous agents that act in seconds, span multiple platforms, and invoke MCP server tools that did not exist at when the enforcement guidance was initially created.

Configuration review approves an agent at build time, not at the moment of every execution
Native AI platform controls (Microsoft Purview, Microsoft Agent 365) cover one platform at a time and arrive with a per-user upcharge that compounds across the stack
Audit logs capture what happened after the fact, not in time to stop privilege escalation, action chaining, or unsanctioned MCP calls
IAM lifecycle events do not cascade to agents: disabling a creator does not retire the agents they built or the tokens those agents hold
Most enforcement guidance ends at "block the agent," but blocking misses the real exposure: the creator credentials, broad OAuth scopes, and inherited connections the agent was built on
1000s
are deployed every week without IT or security oversight
90%
of agent access granted is unnecessary and unused
16x
more data is moved by AI agents than by human users

Control what agents do. Not just what they're configured to do.

Enforce policy at runtime to control behavior across your agents. Evaluate every agent against OWASP-aligned risk factors in real time, and use webhooks to intercept and stop policy-violating, high-risk executions before they complete.

See the product

Stop privilege escalation

Map every agent's access and surface the agents where a lower-privileged user can invoke higher-privileged authority. Prioritize Maker Mode agents whose exploitation would have the highest blast radius.

Right-size agent access

Map every agent's tools, MCP servers, and downstream connections against what its workflows actually need. Surface the unused permissions, broad OAuth scopes, and stale connectors that expand blast radius without business value.

Prevent toxic combinations

See agents where multiple risk factors stack on a single agent and limit their executions to remove critical exposure pathways.

Govern across every platform

A single control plane replaces per-platform native enforcement and the per-user upcharge that comes with it. Apply the same policy logic across the AI platforms your agents actually run on.

Apply runtime guardrails to every agent, action, and connection.

Maker Mode and privilege escalation enforcement

Enforce guardrails directly at the execution layer to stop high-risk, unapproved actions related to privilege escalation before it happens, not after the damage is done. An agent built by a Salesforce admin runs on the admin's credentials. A business analyst with no Salesforce license invokes the agent and receives CRM data the analyst has no right to access. Standard IAM never sees this happen, because the call looks like a normal API request from the admin account. Obsidian Security correlates the runner's identity with the agent's maker permissions and flags the privilege escalation in real time.

Sanctioned vs. unsanctioned MCP server enforcement

Most enterprises cannot tell you which MCP servers their agents are connected to, let alone which ones security has approved. Obsidian inventories every MCP server and manages which server your agents can access to ensure only sanctioned tools are used. Additionally, deterministic runtime block enforcement is rolling out across AI platforms over 2026, starting with Copilot.

Toxic combination prioritization

Alert fatigue is the silent killer of agent security programs. A flat list of every theoretical risk buries the agents that actually matter. Obsidian prioritizes the riskiest agents to help focus security resources and improve your security posture.

Targeted insights to help secure your SaaS environment

Frequently asked questions

What are AI agent guardrails?

AI agent guardrails are fixed, deterministic rules applied to dynamic agent behavior at runtime. They flag or block actions that violate policy: a lower-privileged user invoking an agent built on higher-privileged credentials, an agent reaching an unsanctioned MCP server, an orphaned agent still running on a disabled creator's tokens.

Why do AI agents need different guardrails than traditional applications?

Traditional applications follow fixed control flows. A user clicks a button, an API call fires, an audit log records it. AI agents make autonomous decisions, chain tools across apps, and inherit OAuth privileges built for humans. Their action space is open-ended. A guardrail for an agent has to reason about the invoker's identity, the agent's inherited credentials, the tools it can call, and the downstream systems those tools reach. Traditional IAM was not built for any of that.

What's the difference between detection and enforcement?

Detection flags a risk after it happens. Enforcement stops it from happening. Obsidian applies policy enforcement today: blocking unsanctioned connections at the agent layer, flagging privilege escalation, prioritizing toxic combinations for immediate review. Sub-second runtime block enforcement on agent action is rolling out across AI platforms over 2026, starting with Copilot. Talk to our team for the current enforcement coverage on the platforms you run.

What risk factors do Obsidian's guardrails cover?

The full risk registry spans Maker Mode (privilege escalation through inherited creator credentials), orphaned agents (creator account disabled but credentials still active), org-wide accessible agents paired with sensitive data, confused deputy attacks (a lower-privileged user manipulating an elevated agent), hardcoded secrets in agent configuration, unsanctioned MCP server connections, and shadow agents created without IT approval. Each factor maps to a specific platform behavior on Copilot Studio, Agentforce, n8n, Bedrock, Vertex AI, and others.

Do guardrails require a SaaS connector for every platform?

No. Obsidian's guardrails hook into AI platforms (Copilot as well as Claude, Cursor, and others in the near future) via webhooks and native APIs at the agentic layer. SaaS connectors deepen the picture for specific use cases like privilege correlation against Salesforce or Google Workspace, but you can apply guardrails to your AI agents without standing up SaaS integrations across every tool first.

How does Obsidian handle alert fatigue?

Obsidian scores agents by toxic combinations: situations where multiple risk factors stack on a single agent. A shadow agent that is also org-wide accessible and connected to sensitive data is a critical-priority alert, not three medium-priority noise items. Security teams see the agents that matter first, not a flat list of every theoretical risk in the environment.

Will guardrails slow down my employees or developers?

No. Obsidian operates at the platform layer through webhooks and native APIs. There is no proxy in the data path, no gateway to operate, and no agent SDK to install. Coding agents in Copilot (as well as Claude, Cursor, and others in the near future) continue to operate at full speed. Security teams gain enforcement without interfering with developer workflows.

Is this an MCP gateway or AI firewall?

No. Obsidian is not a gateway, proxy, or in-line filter. Gateways and firewalls require traffic redirection and create their own operational burden. Obsidian hooks directly into AI platforms where agents already live, including platform-native security webhooks (the AWS-managed MCP gateway, the Copilot security webhook) that customers often do not realize exist. Enforcement runs where the agent runs, not in a parallel data path.