New capability extends Arcjet’s runtime security model into agent workflows, enforcing policy inside tool calls, queues, and long-running pipelines
Arcjet announced Guards, a new way to enforce security inside AI agent workflows, queue consumers, and other application code that doesn’t run behind an HTTP request. As more application logic moves into long-running agentic systems, the security tools built around the request boundary – proxies, web application firewalls, HTTP middleware – can no longer see where untrusted input arrives. Guards extends Arcjet’s runtime protection into those code paths.
Modern AI systems don’t run through a single request anymore. Agents call tools, pull in external data, and pass state across long-running workflows. Most of that execution never touches an HTTP boundary, which means traditional security controls never see it.
Developers apply rules directly where untrusted input enters the application, whether that input comes from a tool call, a queue message, or a workflow step.
This puts enforcement where the application’s real context lives – identity, session state, prior tool outputs, business logic – rather than at a network boundary that can’t see any of it.
“Security has to live where the code lives. For agentic systems, that means inside the tool calls and workflow steps where untrusted input actually arrives, not at a perimeter that no longer exists,” said David Mytton, CEO at Arcjet. “Guards give developers a way to enforce policy inside the code paths agents use every day – the same place the threat model now lives.”
Also Read:ย CIO Influence Interview with Gihan Munasinghe, CTO of One Identity
What developers can do with Guards
Guards integrate directly into Arcjet’s application-layer security model. Developers define rules in the same codebase as the feature itself, so protection ships with the code and gets reviewed in the same pull request. There is no separate system to manage.
With Guards, teams can:
- Detect prompt injection in tool results before they re-enter model context
- Block PII in tool inputs and queue messages before they reach third-party models
- Enforce per-userย tokenย budgets and spend limits inside agent loops
- Validate untrusted input in workflow steps, background jobs, and other non-HTTP code paths
Guards work alongside existing capabilities such as Arcjet Shield for public endpoints, sensitive data detection before model context is built, and bot detection for high-cost AI routes. Together, these protections cover both the boundary and the execution layer inside the application.
Guards is available today through the Arcjet JS and Python SDKs. Existing customers can enable it immediately; new developers can get started with a f*********.
Catch more CIO Insights:ย CIO as Orchestrator of Cross-Functional Digital Strategy
[To share your insights with us, please write toย psen@itechseries.com ]
