The firewall for AI agents.
Aegis is an open-source firewall for AI agents. It sits on the execution path between agents and tools, classifies tool calls, enforces policies before execution, supports human approval flows, and keeps a tamper-evident audit trail for later review.
I contributed to Aegis and feature it here because it is closely aligned with our work on agent safety, guardrails, AI auditing, and accountable deployment of agentic systems.
This project sits mainly in our AI Safety & Security direction, while its audit trails and approval records also support AI Auditing & Assurance.
GitHub Repository | Paper (arXiv) | Demo
If this project is useful in your workflow, please star the GitHub repository to help more practitioners discover it.
Agent systems make high-speed tool decisions without a human in the loop by default. That creates practical risks around unsafe commands, prompt injection, sensitive file access, unintended data exfiltration, and weak auditability. Aegis is designed as a runtime control layer for these deployment-time risks and for checkable policy enforcement during execution.
Aegis complements model-side safety work with runtime enforcement. It is relevant when teams need guardrails not only at the prompt layer, but also at the tool invocation and policy enforcement layers for real deployments.
A lighter, developer-facing version of pre-execution blocking for destructive Git and GitHub commands ships in anywhere-agents; Aegis is the full firewall for tool-call flows inside agent systems, while anywhere-agents applies the same pattern at the coding-workflow layer.
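To make the control loop described above concrete, here is an added example that is not Aegis's own code and is not taken from the repository: a minimal pre-execution gate that classifies a tool call, applies a policy before anything runs, routes borderline calls through an approver callback standing in for a human approval flow, and appends every decision to a hash-chained audit log that detects later edits. The tool-call shape, the classification rules, the three verdicts (ALLOW, DENY, REQUIRE_APPROVAL) and the log format are all assumptions made for this illustration, not Aegis's actual schema or rule set.

```python
"""Illustrative pre-execution tool gate with a tamper-evident audit log.

Not Aegis's code: rules, verdicts, call shape and log format are assumptions
chosen for this example. Tool calls are plain dicts such as
{"tool": "shell", "args": {"cmd": "git status"}}.
"""
import hashlib
import json
import re

# Constructed classification rules for shell commands; first match wins.
SHELL_RULES = [
    ("destructive_fs", re.compile(r"^rm\s+-[a-zA-Z]*[rf][a-zA-Z]*\s")),
    ("destructive_git", re.compile(
        r"^git\s+(push\s.*--force|push\s+-f\b|reset\s+--hard|clean\s+-[a-zA-Z]*f)")),
    ("network_egress", re.compile(r"^(curl|wget|nc)\s")),
]
# Constructed list of path fragments that should never be touched unattended.
SENSITIVE_PATHS = (".env", "id_rsa", "/etc/shadow", ".aws/credentials")

# Assumed policy: category -> verdict. Anything not listed falls through to ALLOW.
POLICY = {
    "destructive_fs": "DENY",
    "destructive_git": "DENY",
    "sensitive_path": "REQUIRE_APPROVAL",
    "network_egress": "REQUIRE_APPROVAL",
    "benign": "ALLOW",
}


def classify(call):
    """Map a tool call to a risk category using the constructed rules above."""
    tool, args = call["tool"], call.get("args", {})
    if tool == "shell":
        cmd = args.get("cmd", "").strip()
        for category, pattern in SHELL_RULES:
            if pattern.search(cmd):
                return category
    elif tool in ("read_file", "write_file"):
        path = args.get("path", "")
        if any(marker in path for marker in SENSITIVE_PATHS):
            return "sensitive_path"
    return "benign"


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ToolGate:
    """Decide before execution; the caller only runs the tool on ALLOW."""

    def __init__(self, approver=None):
        self.log = AuditLog()
        # Default approver refuses everything: no silent escalation to ALLOW.
        self.approver = approver or (lambda call, category: False)

    def check(self, call):
        category = classify(call)
        policy_verdict = POLICY.get(category, "ALLOW")
        approved = None
        verdict = policy_verdict
        if policy_verdict == "REQUIRE_APPROVAL":
            approved = bool(self.approver(call, category))
            verdict = "ALLOW" if approved else "DENY"
        self.log.append({"call": call, "category": category,
                         "policy": policy_verdict, "approved": approved,
                         "verdict": verdict})
        return verdict


if __name__ == "__main__":
    # Approver that only signs off on outbound network calls (constructed behaviour).
    gate = ToolGate(approver=lambda call, category: category == "network_egress")
    for call in [
        {"tool": "shell", "args": {"cmd": "git status"}},
        {"tool": "shell", "args": {"cmd": "git push --force origin main"}},
        {"tool": "read_file", "args": {"path": "/home/dev/.aws/credentials"}},
        {"tool": "shell", "args": {"cmd": "curl https://example.invalid/"}},
    ]:
        print(gate.check(call), call)
    print("audit chain intact:", gate.log.verify())
```

The gate returns a verdict rather than executing anything itself, so it can sit in front of any tool dispatcher; the audit entry records both the raw policy outcome and the post-approval verdict, which is what a later review needs to tell "policy allowed it" apart from "a human allowed it".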
A quick visual walkthrough is available in the repository: Aegis demo GIF.