Blog

The Missing Layer in SOTA AI Controls

Mohan Rajagopalan·
·
4 min read
AI SecurityAI AgentsAgentic AIZero TrustPolicy Enforcement

Coding assistants are pervasive in enterprise today and have demonstrated utility beyond basic build, test, deploy tasks. Controlling these agents is the hot topic right now: Anthropic published how they contain Claude and Google DeepMind published their AI Control Roadmap. These are must-reads for anyone developing or deploying agents — and interestingly, both hit the same wall with repeating themes: probabilistic defenses have a non-zero miss rate; detection doesn't scale with agent autonomy; monitoring breaks down when models can hide their reasoning; and both call persistent memory poisoning and multi-agent trust escalation open problems with no current solution.

At MACAW, we've spent the last year going deep into this topic and building an architecture that effectively addresses all these gaps — provable, deterministic, bounded controls for Claude, Codex, and Gemini. Our driving hypothesis is that this is a missing layer in the emerging AI stack, and it needs bottom-up first-principles thinking. Existing detection and remediation is too slow, and enumeration-based approaches — models, filters, policy engines — can't scale with agents that can think, act, reason, and lie.

Claude Code ships with terminal access, so protecting Claude Code requires protecting arbitrary Bash access. Consider credential exfiltration: out of the box, there are roughly 10^6 ways to express it. While basic pattern matching is trivial, one can use pipes, substitutions, encodings, variable indirection, Unicode obfuscation, and interpreters. Bash is Turing-complete, so for any model you train to detect these, an attacker can always craft a net-new pattern that evades the check. The enumeration problem is unbounded by definition.

Our solution builds on a different realization: irrespective of how the prompt was constructed, however the model reasoned, or however the obfuscation was layered — credential exfiltration still requires reading credentials and sending them somewhere. We use static and dynamic analysis to identify system invariants and enforce at that effect boundary: credential_read + data_egress → DENY. It's no longer about chasing infinite patterns.

The same pattern extends well beyond Bash. Take data access: most modern databases now promote AI gateways that connect agents directly to enterprise data. They enforce access at the row, column, and value level, and the gateways build on exactly those primitives — until the agent reasons around them. Impose a policy that a bonus can't be raised by more than $10K, and a content filter can catch UPDATE SET bonus = <value> — but it's blind to UPDATE SET bonus = bonus + value, the same change written as a relative update. No content filter today catches that indirection. And even if one did, the agent — being helpful, optimizing for the goal — would simply issue five $10K increments to reach $50K. Not malicious; doing exactly what it was asked.

Unlike a human, how do you hold Claude accountable here? And what if the instruction didn't even come from the human?

We built a trust layer that addresses this holistically: a foundational trust protocol, the infrastructure primitives to enforce it, a compositional policy algebra that captures static and dynamic agentic behaviors, integration with existing enterprise identity and observability infrastructure, zero-trust designs, and formal methods using symbolic reasoning — replacing enumeration and simulation with invariant tracking and reasoning about bounds. Validated across 9 popular agentic frameworks, from MCP to LLM APIs to orchestrators, and 35M attack combinations and counting.

Detection, EDR, and SOC tools are complementary — but not sufficient for agentic systems. This is an infrastructure problem, not a detection problem. Just like Unix solved access control with simple, robust -drwx- primitives instead of complex rule engines and dashboards.

If you have deployed Claude, Codex or Gemini and want to control these agents — give us a call. Curious how others are thinking about this — what are you seeing in production?


Go deeper. Our Convergence Analysis maps MACAW's controls to the specific gaps and open problems raised by Anthropic and Google DeepMind — probabilistic miss rates, monitoring breakdown, persistent memory poisoning, and multi-agent trust escalation.

Research: arXiv:2602.10465 · arXiv:2602.10481 · macawsecurity.com/research

Get Started with MACAW

Add cryptographic verification to your AI agents in minutes.