A foundational rethink of security
AI creates attack surface area that grows faster than defenses.
What makes agentic security hard
Instructions and data intertwined
No syntactic boundary distinguishes commands from content.
Non-determinism
Execution paths emerge from LLM reasoning, not static code.
Semantic ambiguity
Infinite paraphrase space defeats pattern matching.
Stateful multi-turn context
Gradual manipulation appears benign in isolation.
Dynamic derivation chains
Prompts spawn prompts; policies must compose correctly.
Who, What and Why are scattered
Who authorized this call? What is the actual intent? Is this permitted? Why?
Agentic interactions reduce to 4 boundaries — prompts, data, context, tools
"Read the Q4 docs and email summary to john@company.com"
                    User Prompt
                         ↓
            ┌──────────────────────────┐
            │  LLM (Claude/GPT-4)      │
            │  Decides: read + email   │
            └──────────────────────────┘
                         │
            ✗ Boundary 1: No verification of LLM intent
                         ↓
            ┌──────────────────────────┐
            │  Client Tool Calling     │
            │  Invokes MCP servers     │
            └──────────────────────────┘
                         │
            ✗ Boundary 2: Tools called with full privileges
                         │
                         ├─────────────────────┐
                         │                     │
                         ↓                     ↓
                    ┌──────────┐          ┌──────────┐
                    │MCP Server│          │MCP Server│
                    │filesystem│          │  gmail   │
                    └──────────┘          └──────────┘
                         │                     │
                    ✗ Boundary 3          ✗ Boundary 4
                     Data=Instr           Context leak
                     (injection)          (poisoning)
                         ↓                     ↓
                    Read Q4.pdf            Send Email
MACAW protects every boundary crossing with cryptographic proofs.
Intent + Integrity
Protect all boundaries simultaneously.
Intent
We express intent and organizational permissions using MAPL policies. Policies verify that the desired operation matches what's actually permitted before execution.
- Declarative policies checked before execution
- Hierarchical inheritance — permissions only narrow
- Attestations for external approval flows
Integrity
Every boundary crossing is cryptographically signed. Every response is verified. Tamper with anything and the chain breaks.
- Every agent/tool gets cryptographic identity
- Hash-chained audit logs with signed entries
- Verifiable proof of who, what, when, why
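As an added illustration of the hash-chained, signed audit log described above (example code written for this page, not MACAW's own implementation), the Python below links each who/what/why entry to the previous entry's hash, signs it with HMAC-SHA256 under a constructed demo key, and shows that altering one entry breaks verification from that point on. The key, the entry fields and the helper names are assumptions; the page does not specify MACAW's log format or signature scheme.

```python
import hashlib
import hmac
import json

# Constructed demo key. The page says every agent/tool gets its own cryptographic
# identity; a real deployment would sign with that per-agent key, not a shared secret.
DEMO_KEY = b"demo-agent-signing-key"

# Link value for the first entry (there is no previous hash yet).
GENESIS = "0" * 64

LINKED_FIELDS = ("seq", "who", "what", "why", "prev_hash")


def canonical(entry: dict) -> bytes:
    """Deterministic serialization so the hash covers exactly the same bytes on every host."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, who: str, what: str, why: str, key: bytes = DEMO_KEY) -> dict:
    """Append a who/what/why record linked to the previous entry's hash and signed with HMAC-SHA256."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "who": who, "what": what, "why": why, "prev_hash": prev_hash}
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    record = dict(body, hash=entry_hash, sig=sig)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = DEMO_KEY) -> tuple:
    """Return (ok, index). ok is False at the first entry whose sequence, link, hash or signature fails.

    Three independent checks catch three kinds of tampering: editing a field breaks
    the hash, re-hashing without the key breaks the signature, and inserting or
    deleting an entry breaks the seq/prev_hash link of the entry that follows.
    """
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["seq"] != i or record["prev_hash"] != prev_hash:
            return False, i
        body = {k: record[k] for k in LINKED_FIELDS}
        expected_hash = hashlib.sha256(canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, record["hash"]):
            return False, i
        expected_sig = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, record["sig"]):
            return False, i
        prev_hash = record["hash"]
    return True, len(chain)


def demo_tamper() -> tuple:
    """Build a 3-entry chain for the page's read-then-email flow, alter the middle entry, and report where verification fails."""
    chain = []
    append_entry(chain, "user:alice", "tool:filesystem/read Q4.pdf", "summarize Q4 docs")
    append_entry(chain, "app:dashboard", "llm:openai/chat.completions", "summarize Q4 docs")
    append_entry(chain, "app:dashboard", "tool:gmail/send john@company.com", "email summary")
    assert verify_chain(chain) == (True, 3)
    chain[1]["what"] = "tool:gmail/send someone-else@example.com"  # constructed after-the-fact edit
    return verify_chain(chain)  # (False, 1): the edited entry no longer matches its hash


if __name__ == "__main__":
    print(demo_tamper())
```

The verifier reports the index of the first bad entry, which is what an investigator wants: everything before it is still attested, everything from it on is untrusted. Using a keyed MAC keeps the example dependency-free; the same structure works unchanged with a public-key signature in place of the HMAC.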
Architecture
3 New Trust Primitives
Foundational primitives that enable policy-based controls across all agentic frameworks.
Authenticated Workflows
Every tool call, LLM invocation, and agent interaction is signed and policy-enforced. The complete request lifecycle has cryptographic proof.
Authenticated Prompts
Every prompt has cryptographic origin. Track lineage from root to derived prompts. Know exactly where instructions came from.
Authenticated Context
Session state is isolated and verified. No context bleed between users. Every piece of context has provenance.
Implementation
Distributed Zero-Trust Mesh
Scalable, distributed, resilient enforcement at the edge with minimal blast radius.
✗ Traditional Gateway
    App → Gateway → LLM
             ↓
       (single point
        of failure)
- Single point of failure
- Latency overhead
- Can't enforce at runtime
✓ MACAW Mesh
    App ←PEP→ Agent ←PEP→ Tool
          │           │
          └── Policy ─┘
         (enforced at edge)
- Enforcement at every endpoint
- Highly resilient, no SPOF
- Sub-millisecond overhead
┌────────────────────────────────────────────────────────────────┐
│                      MACAW CONTROL PLANE                       │
│                                                                │
│   ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐   │
│   │ Policy │  │ Agent  │  │ Audit  │  │Identity│  │Attestat│   │
│   │ Store  │  │Registry│  │  Logs  │  │ Bridge │  │ion Svc │   │
│   └────────┘  └────────┘  └────────┘  └────────┘  └────────┘   │
│                                                                │
└────────────────────────────────────────────────────────────────┘
                              ↑   ↓
┌────────────────────────────────────────────────────────────────┐
│                          DATA PLANE                            │
│                                                                │
│   ┌─────────┐            ┌─────────┐            ┌─────────┐    │
│   │   App   │            │  Agent  │            │  Tool   │    │
│   │  ┌───┐  │←──signed──→│  ┌───┐  │←──signed──→│  ┌───┐  │    │
│   │  │PEP│  │            │  │PEP│  │            │  │PEP│  │    │
│   │  └───┘  │            │  └───┘  │            │  └───┘  │    │
│   └─────────┘            └─────────┘            └─────────┘    │
│                                                                │
│   PEP = Policy Enforcement Point (embedded in SDK)             │
└────────────────────────────────────────────────────────────────┘
MAPL: Built for Agentic AI
Express agentic constraints in a dynamic, scalable manner as agents evolve and invocation context changes.
Policy Intersection
ORGANIZATIONAL SERVICE
HIERARCHY CONSTRAINTS
───────────── ───────────
company:fintech service:analytics-api
│ │
▼ │
team:analytics │
│ │
└───────────┬───────────┘
▼
user:alice ◄── caller
│
│ delegated via
▼
app:dashboard ◄── app
│
▼
═══════════════════
EFFECTIVE POLICY
(intersection of all)
═══════════════════Policies compose through intersection. Each level can only restrict, never expand permissions.
Policy Example
{
"policy_id": "user:alice",
"extends": "team:engineering",
"scope": "user",
"resources": [
"llm:openai/chat.completions",
"tool:calculator/*"
],
"constraints": {
"llm:openai/chat.completions": {
"model": ["gpt-3.5-turbo"],
"max_tokens": { "max": 1000 }
}
}
}Declarative policies with AI-specific primitives: models, tokens, tools, attestations.
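To make the intersection rule concrete, here is an added Python example (not MAPL's own resolver; the page does not define MAPL's evaluation semantics) that resolves an inheritance chain of policies in the shape of the JSON above and then checks a concrete call against the effective policy before execution. The company and team policies, the second user `user:bob`, and the narrowing rules (a child resource survives only if a parent pattern already covers it, allow-lists intersect, numeric `max` limits take the minimum) are assumptions made for this demo.

```python
import fnmatch
from copy import deepcopy

# Constructed policy set in the shape of the page's JSON example. Only user:alice
# comes from the page; company:fintech, team:engineering and user:bob are assumptions.
POLICIES = {
    "company:fintech": {
        "policy_id": "company:fintech", "scope": "company",
        "resources": ["llm:openai/*", "tool:*"],
        "constraints": {"llm:openai/chat.completions": {
            "model": ["gpt-4", "gpt-3.5-turbo"], "max_tokens": {"max": 4000}}},
    },
    "team:engineering": {
        "policy_id": "team:engineering", "extends": "company:fintech", "scope": "team",
        "resources": ["llm:openai/chat.completions", "tool:calculator/*", "tool:gmail/*"],
        "constraints": {"llm:openai/chat.completions": {"max_tokens": {"max": 2000}}},
    },
    "user:alice": {
        "policy_id": "user:alice", "extends": "team:engineering", "scope": "user",
        "resources": ["llm:openai/chat.completions", "tool:calculator/*"],
        "constraints": {"llm:openai/chat.completions": {
            "model": ["gpt-3.5-turbo"], "max_tokens": {"max": 1000}}},
    },
    # bob asks for more than his team grants: an extra resource and a bigger token budget
    "user:bob": {
        "policy_id": "user:bob", "extends": "team:engineering", "scope": "user",
        "resources": ["llm:openai/chat.completions", "tool:payments/*", "tool:calculator/*"],
        "constraints": {"llm:openai/chat.completions": {
            "model": ["gpt-4"], "max_tokens": {"max": 9000}}},
    },
}


def resolve_chain(policies: dict, policy_id: str) -> list:
    """Follow 'extends' links and return the chain root-first, e.g. [company, team, user]."""
    chain, seen = [], set()
    while policy_id is not None:
        if policy_id in seen:
            raise ValueError(f"inheritance cycle at {policy_id}")
        seen.add(policy_id)
        chain.append(policies[policy_id])
        policy_id = policies[policy_id].get("extends")
    return list(reversed(chain))


def covered(resource: str, patterns: list) -> bool:
    """True if some pattern (glob style, as in 'tool:calculator/*') matches the resource."""
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def intersect_constraints(parent: dict, child: dict) -> dict:
    """Merge one resource's constraints so that the child can only narrow the parent."""
    merged = deepcopy(parent)
    for key, value in child.items():
        if key not in merged:
            merged[key] = deepcopy(value)           # parent is silent: child's restriction applies
        elif isinstance(value, list):               # allow-list: keep only values both permit
            merged[key] = [v for v in merged[key] if v in value]
        elif isinstance(value, dict) and "max" in value:
            merged[key] = {"max": min(merged[key]["max"], value["max"])}
        else:
            raise ValueError(f"unsupported constraint {key}")
    return merged


def effective_policy(policies: dict, policy_id: str) -> dict:
    """Intersect the whole chain: each level may drop resources or tighten limits, never add."""
    chain = resolve_chain(policies, policy_id)
    resources = list(chain[0]["resources"])
    constraints = deepcopy(chain[0].get("constraints", {}))
    for policy in chain[1:]:
        # a child entry survives only if a pattern already granted above covers it
        resources = [r for r in policy["resources"] if covered(r, resources)]
        for res, cons in policy.get("constraints", {}).items():
            constraints[res] = intersect_constraints(constraints.get(res, {}), cons)
    return {"policy_id": policy_id, "resources": resources, "constraints": constraints}


def is_permitted(effective: dict, resource: str, params: dict) -> bool:
    """Check a concrete call (resource + parameters) before execution; unknown values are denied."""
    if not covered(resource, effective["resources"]):
        return False
    for key, rule in effective["constraints"].items():
        if not fnmatch.fnmatchcase(resource, key):
            continue
        for name, limit in rule.items():
            value = params.get(name)
            if isinstance(limit, list) and value not in limit:
                return False
            if isinstance(limit, dict) and (value is None or value > limit["max"]):
                return False
    return True


if __name__ == "__main__":
    for pid in ("user:alice", "user:bob"):
        print(effective_policy(POLICIES, pid))
```

Run on the constructed set, `user:bob` ends up with the same two resources as alice's team allows (the `tool:payments/*` request is silently dropped) and a 2000-token ceiling, and alice's call with `gpt-4` is refused even though the company allows that model, because her own policy narrowed it to `gpt-3.5-turbo`. Denying when a constrained parameter is absent is a deliberate choice: a PEP that cannot see the value cannot prove it is within the limit.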
Plug-n-Play Enterprise
Complex infrastructure made simple by design.
YOUR IDP             MACAW
────────             ─────
┌──────────┐         ┌──────────────┐
│  Okta    │         │   Identity   │
│  Azure   │──JWT───→│    Bridge    │
│ Keycloak │         │              │
└──────────┘         │  ┌────────┐  │
                     │  │ Claims │  │
                     │  │ Mapper │  │
                     │  └────────┘  │
                     │      ↓       │
                     │  ┌────────┐  │
                     │  │ Policy │  │
                     │  │ Context│  │
                     │  └────────┘  │
                     │      ↓       │
                     │  ┌────────┐  │
                     │  │  OTEL  │──────→ Your Stack
                     │  │ Export │  │
                     │  └────────┘  │
                     └──────────────┘
Identity Bridge
Connect any OIDC/JWT provider. Map claims to MACAW policy attributes. Switch IDPs without code changes.
OTEL Export
Export traces and metrics to your existing observability stack. One config, full visibility.
Agentic Traces
End-to-end visibility across request flows, policy resolution, agent lifecycle, and prompt chains.
Multi-Tenant Config
Team management, signing controls, log rotation, and attestation settings — all configurable.
The Complete Picture
4 Attack Boundaries
3 Primitives
0 Trust Assumptions
1 Line of Code
MACAW provides deterministic security for agentic AI — not probabilistic detection, but cryptographic proof at every boundary.