← All posts

Securing AI Agents by Their Intent

AI agents are now writing code, calling internal APIs, and moving money. The permissions model we use to govern them, however, hasn’t kept up. We hand an agent a broad token, hope its prompt keeps it on task, and find out after the fact when it doesn’t.

PledgeSec takes a different position: an agent should be judged by whether its actions match what it was asked to do.

The problem with static permissions

Traditional access control answers one question — is this principal allowed to perform this action? That works when the principal is a human with a stable role. It breaks down for an agent whose legitimate scope changes with every task.

  • Grant too little, and the agent fails at its job.
  • Grant too much, and a single bad instruction becomes a breach.

There is no static permission set that is simultaneously safe and useful across every task an agent might be handed.

Intent as the unit of security

Every agent run starts with an intent — the goal it was given in plain language. That intent already encodes what access is reasonable. So we compile it into a pledge: an auditable, enforceable description of what the agent is permitted to do for this task.

At runtime, every tool call is checked against the pledge. Actions that fit the declared intent pass through. Actions that don’t are blocked and reported.

compile_intent("Summarize today's support tickets and email me a report")

# allowed: read tickets, send the report email
# blocked: deleting tickets, emailing customers, touching billing

What’s next

This is the first of many posts on how we build behavioral security in practice — the compiler, the runtime, and what we learn from real agent traffic.

If you’re running agents in production and any of this resonates, we’d love to talk.