AI Agent Security
Comprehensive security for AI agent tool calls - validation, policies, and human-in-the-loop approvals.
Bastio provides comprehensive security for AI agents that use tools. As AI agents become more autonomous and capable, they gain access to powerful capabilities - executing shell commands, accessing files, making HTTP requests, and interacting with databases. Without proper guardrails, these capabilities become security vulnerabilities.
The Challenge
Modern AI agents face several security challenges:
- Autonomous Tool Execution: Agents can execute dangerous operations without human oversight
- Prompt Injection Attacks: Malicious inputs can hijack agent behavior and tool usage
- Data Exfiltration Risks: Agents with network access can leak sensitive information
- Privilege Escalation: Tool chains can be exploited to gain unauthorized access
- Compliance Requirements: Regulated industries need audit trails and approval workflows
How Bastio Protects Your Agents
Bastio provides a three-layer security model for AI agent tool calls:
Layer 1: Policy Engine (Primary Enforcement)
Define rules for how tool calls should be handled:
- Allow: Permit tool execution
- Block: Prevent tool execution
- Require Approval: Route to human reviewers
- Rate Limit: Prevent abuse through request throttling
- Sanitize: Clean dangerous content from arguments
- Warn: Allow but flag for monitoring
Policies can match tools by name pattern, evaluate argument content, consider risk scores, and apply time-based conditions.
Layer 2: Real-Time Threat Scanning
Every tool call is scanned in real-time for threats:
- Shell Injection: Commands like `; rm -rf /` or `| cat /etc/passwd`
- File Access Attacks: Attempts to read sensitive files (`~/.ssh`, `.env`)
- Network Abuse: Data exfiltration URLs, reverse shells
- Prompt Injection: Attempts to manipulate agent behavior
- Privilege Escalation: `sudo`, `chmod 777`, admin tool calls
- Credential Exposure: API keys, passwords, tokens in arguments
Risk scoring (0.0 - 1.0) influences policy decisions.
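To make the scan-and-score idea concrete, here is an added, illustrative scanner that is not Bastio's engine and not code from this page. It walks a unified-format tool call, matches the argument values against one pattern per threat class listed above, combines hits into a 0.0-1.0 score, and maps that score onto the actions the page names. The regexes, weights, thresholds and sample calls are all assumptions chosen for the demo.

```python
"""Illustrative threat scanner for tool-call arguments (added example, not Bastio's engine)."""
import json
import re
from typing import Any, Dict, List, Tuple

# (threat class, weight, pattern). Classes follow the list above; the weights and
# regexes are assumptions picked for this demo, not Bastio's rules.
SIGNATURES: List[Tuple[str, float, re.Pattern]] = [
    ("shell_injection",      0.9, re.compile(r"(;|\|\||&&|\||\$\(|`)\s*(rm|cat|curl|wget|nc|bash|sh)\b")),
    ("shell_injection",      0.9, re.compile(r"\brm\s+-\w*r\w*\s+/(\s|$)")),          # rm -rf /
    ("file_access",          0.7, re.compile(r"(~/\.ssh|\.env\b|/etc/(passwd|shadow)|id_rsa)")),
    ("network_abuse",        0.9, re.compile(r"(/dev/tcp/|\bnc\s+-e\b|\bcurl\b.*\|\s*(ba)?sh\b)")),
    ("privilege_escalation", 0.6, re.compile(r"(\bsudo\b|chmod\s+777|chmod\s+[ugoa]*\+s)")),
    ("credential_exposure",  0.8, re.compile(r"(AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,}|(?i:password|token)\s*[=:]\s*\S+)")),
]
ADMIN_TOOL = re.compile(r"(admin|sudo|root)", re.I)

def _flatten(value: Any) -> str:
    """Serialise nested argument values so a pattern sees every string wherever it sits."""
    return value if isinstance(value, str) else json.dumps(value)

def scan_tool_call(call: Dict[str, Any]) -> Dict[str, Any]:
    """Return {"tool_id", "risk_score" in [0, 1], "threats"} for one unified-format tool call."""
    text = " ".join(_flatten(v) for v in call.get("arguments", {}).values())
    hits: List[Tuple[str, float]] = [(cls, w) for cls, w, pat in SIGNATURES if pat.search(text)]
    if ADMIN_TOOL.search(call.get("name", "")):        # admin-style tool names are a signal by themselves
        hits.append(("privilege_escalation", 0.5))
    score, threats = 0.0, []
    for cls, weight in hits:
        score += (1.0 - score) * weight                 # noisy-OR: more hits push toward 1.0, never past it
        if cls not in threats:
            threats.append(cls)
    return {"tool_id": call.get("id"), "risk_score": round(score, 2), "threats": threats}

def decide(risk_score: float) -> str:
    """Map a score onto the page's actions; the thresholds are assumed for the demo."""
    if risk_score >= 0.8:
        return "blocked"
    if risk_score >= 0.5:
        return "pending_approval"
    if risk_score >= 0.2:
        return "warned"
    return "allowed"

# Constructed sample calls, not captured traffic.
SAMPLE_CALLS = [
    {"id": "call_1", "name": "execute_shell", "arguments": {"command": "ls -la"}},
    {"id": "call_2", "name": "execute_shell", "arguments": {"command": "ls; rm -rf /"}},
    {"id": "call_3", "name": "read_file", "arguments": {"path": "cat ~/.ssh/id_rsa"}},
    {"id": "call_4", "name": "http_request", "arguments": {
        "url": "https://upload.example", "headers": {"Authorization": "Bearer sk-abcdefghijklmnopqrstuvwxyz"}}},
    {"id": "call_5", "name": "execute_shell", "arguments": {"command": "sudo chmod 777 /etc"}},
    {"id": "call_6", "name": "admin_delete_user", "arguments": {"user_id": "42"}},
]

if __name__ == "__main__":
    for sample in SAMPLE_CALLS:
        verdict = scan_tool_call(sample)
        print(sample["id"], decide(verdict["risk_score"]), verdict)
```

The noisy-OR combination is the detail worth copying: a single weak signal stays below the block threshold, while two independent signals (a shell metacharacter plus a destructive command, or a sensitive path inside a command that also escalates) compound toward 1.0 without ever exceeding it.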
Layer 3: Agent Identity & Authentication
Cryptographic identity for your AI agents:
- Ed25519 Key Pairs: Strong cryptographic authentication
- Trust Levels: Differentiate development vs production agents
- Session Management: Track agent activity over time
- Key Rotation: Security best practice support
- Allowed/Blocked Tools: Per-agent tool restrictions
Quick Start
Get started in under 5 minutes. See Tool Validation for the complete API reference.
1. Get Your API Key
Create a Gateway API key from your Bastio Dashboard.
2. Validate Tool Calls
Before executing any tool, send it to Bastio for validation:
curl -X POST https://api.bastio.com/v1/guard/{proxyId}/agent/validate \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"session_id": "session_123",
"tool_calls": [
{
"id": "call_abc",
"name": "execute_shell",
"type": "function",
"arguments": {"command": "ls -la"}
}
]
}'

3. Handle the Response
{
"allowed": true,
"tool_results": [
{
"tool_id": "call_abc",
"allowed": true,
"action": "allowed",
"risk_score": 0.15,
"threats": []
}
],
"blocked_count": 0,
"risk_score": 0.15,
"request_id": "req_xyz789"
}

Possible actions per tool:
- `allowed` - Safe to execute the tool
- `blocked` - Do not execute, return error to agent
- `pending_approval` - Wait for human approval before executing
- `warned` - Execute but flag for review
- `sanitized` - Execute with cleaned arguments

Decide per tool from the `action` in each `tool_results` entry rather than from the top-level `allowed` flag alone, and treat any action value you do not recognise as `blocked`.
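Steps 2 and 3 combined into one client wrapper, as an added example that is not Bastio's SDK or code from this page. It builds the unified request, sends it, and then executes, holds or refuses each tool call based on its own action, failing closed on a missing verdict or an unknown action. Assumptions: a hypothetical local `TOOLS` registry, a `sanitized_arguments` response field for the `sanitized` action (this page does not name that field), and a constructed stand-in for the API so the example runs offline.

```python
"""Validate-then-execute wrapper around /agent/validate (added example, not Bastio's SDK)."""
import json
import urllib.request
from typing import Any, Callable, Dict, List

# Placeholders: the real proxy ID and Gateway API key come from your Bastio dashboard.
BASTIO_URL = "https://api.bastio.com/v1/guard/{proxyId}/agent/validate"
API_KEY = "YOUR_API_KEY"

# Hypothetical local tool registry: tool name -> callable taking the arguments object.
TOOLS: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "execute_shell": lambda args: f"(would run) {args['command']}",
    "get_weather": lambda args: {"location": args["location"], "temp_c": 18},
}

def build_request(session_id: str, tool_calls: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Unified request body; arguments must be an object, never a JSON string."""
    for call in tool_calls:
        if not isinstance(call.get("arguments"), dict):
            raise ValueError(f"tool call {call.get('id')}: arguments must be an object")
    return {"session_id": session_id, "tool_calls": tool_calls}

def http_validate(body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST the body to Bastio. The offline demo below swaps this out."""
    req = urllib.request.Request(
        BASTIO_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def run_guarded(session_id: str, tool_calls: List[Dict[str, Any]],
                validate: Callable[[Dict[str, Any]], Dict[str, Any]] = http_validate) -> List[Dict[str, Any]]:
    """Validate the batch, then dispatch each call on its own action. Fail closed on anything unexpected."""
    verdict = validate(build_request(session_id, tool_calls))
    by_id = {r["tool_id"]: r for r in verdict.get("tool_results", [])}
    outcomes = []
    for call in tool_calls:
        result = by_id.get(call["id"])
        action = result.get("action") if result else None     # missing verdict -> treated as blocked
        if action in ("allowed", "warned", "sanitized"):
            args = call["arguments"]
            if action == "sanitized":
                # Assumption: cleaned arguments arrive as "sanitized_arguments"; this page does not name the field.
                args = result.get("sanitized_arguments", args)
            outcomes.append({"id": call["id"], "status": action, "flagged": action == "warned",
                             "output": TOOLS[call["name"]](args)})
        elif action == "pending_approval":
            outcomes.append({"id": call["id"], "status": "pending_approval"})   # hold until a human approves
        else:                                                   # "blocked", None, or an action we don't know
            outcomes.append({"id": call["id"], "status": "blocked",
                             "threats": result.get("threats", []) if result else ["no verdict"]})
    return outcomes

def demo_validate(body: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the API so the example runs offline: blocks 'rm -rf', allows the rest."""
    results = []
    for call in body["tool_calls"]:
        dangerous = "rm -rf" in json.dumps(call["arguments"])
        results.append({"tool_id": call["id"], "allowed": not dangerous,
                        "action": "blocked" if dangerous else "allowed",
                        "risk_score": 0.95 if dangerous else 0.15,
                        "threats": ["shell_injection"] if dangerous else []})
    return {"allowed": all(r["allowed"] for r in results), "tool_results": results,
            "blocked_count": sum(not r["allowed"] for r in results),
            "risk_score": max((r["risk_score"] for r in results), default=0.0),
            "request_id": "req_demo"}

# Constructed sample batch: one benign listing and one destructive command.
DEMO_CALLS = [
    {"id": "call_1", "name": "execute_shell", "type": "function", "arguments": {"command": "ls -la"}},
    {"id": "call_2", "name": "execute_shell", "type": "function", "arguments": {"command": "rm -rf /"}},
]

if __name__ == "__main__":
    print(json.dumps(run_guarded("session_123", DEMO_CALLS, validate=demo_validate), indent=2))
```

Pass `validate=http_validate` (the default) in production; the injectable transport exists so the dispatch logic can be exercised without network access, which is also how you would unit-test it against recorded responses.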
Key Capabilities
| Capability | Description |
|---|---|
| Tool Validation | Real-time threat scanning of tool calls |
| Policy Engine | Flexible rules for tool call handling |
| Human-in-the-Loop | Approval workflows for sensitive operations |
| Chain Analysis | Multi-tool attack pattern detection |
| Anomaly Detection | Behavioral baseline and deviation alerts |
| Agent Identity | Cryptographic agent authentication |
| Content Scanning | Scan tool outputs for indirect injection |
Supported Formats
Bastio supports multiple tool call formats:
The main /agent/validate endpoint uses a unified format with a tool_calls array:
{
"tool_calls": [
{
"id": "call_abc123",
"name": "get_weather",
"type": "function",
"arguments": {"location": "San Francisco"}
}
]
}

Note: arguments is an object (not a JSON string).
Use the /agent/openai-tools endpoint for native OpenAI format:
{
"tool_calls": [
{
"id": "call_abc123",
"type": "function",
"function": {
"name": "get_weather",
"arguments": "{\"location\": \"San Francisco\"}"
}
}
]
}

Note: arguments is a JSON string (as returned by the OpenAI API).
Use the /agent/openai-tools endpoint for native Claude format:
{
"tool_use": [
{
"type": "tool_use",
"id": "toolu_01abc",
"name": "get_weather",
"input": {"location": "San Francisco"}
}
]
}

Note: Uses a tool_use array and an input field (as returned by the Claude API).
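If your agent loop talks to more than one model provider, it is simpler to normalise everything into the unified shape client-side and send it all to /agent/validate. The following is an added example of that normaliser, not code from this page or from Bastio; it handles the three shapes shown above and rejects an OpenAI `arguments` string that is not a JSON object instead of passing it through unparsed. The sample payloads are constructed.

```python
"""Normalise OpenAI-native and Claude-native tool calls into the unified shape (added example)."""
import json
from typing import Any, Dict, List

def _entry(call_id: str, name: str, args: Any) -> Dict[str, Any]:
    """One unified entry; arguments must be a JSON object, whatever shape it arrived in."""
    if not isinstance(args, dict):
        raise ValueError(f"{call_id}: arguments must be a JSON object, got {type(args).__name__}")
    return {"id": call_id, "name": name, "type": "function", "arguments": args}

def to_unified(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Accept unified, OpenAI (function.arguments is a JSON string) or Claude (tool_use[].input)
    payloads and return unified entries. Malformed argument strings are rejected, not passed
    through, so a model that emits broken JSON cannot slip an unparsed blob past validation."""
    unified: List[Dict[str, Any]] = []
    for call in payload.get("tool_calls", []):
        if "function" in call:                              # OpenAI native
            fn = call["function"]
            raw = fn.get("arguments", "{}")
            try:
                args = json.loads(raw) if isinstance(raw, str) else raw
            except json.JSONDecodeError as exc:
                raise ValueError(f"{call.get('id')}: arguments is not valid JSON ({exc.msg})") from None
            unified.append(_entry(call["id"], fn["name"], args))
        else:                                               # already unified
            unified.append(_entry(call["id"], call["name"], call.get("arguments")))
    for use in payload.get("tool_use", []):                 # Claude native
        if use.get("type") == "tool_use":
            unified.append(_entry(use["id"], use["name"], use.get("input")))
    return unified

# Constructed samples mirroring the shapes shown above, plus one broken OpenAI call.
OPENAI_SAMPLE = {"tool_calls": [{"id": "call_abc123", "type": "function",
                                 "function": {"name": "get_weather",
                                              "arguments": "{\"location\": \"San Francisco\"}"}}]}
CLAUDE_SAMPLE = {"tool_use": [{"type": "tool_use", "id": "toolu_01abc", "name": "get_weather",
                               "input": {"location": "San Francisco"}}]}
BROKEN_SAMPLE = {"tool_calls": [{"id": "call_bad", "type": "function",
                                 "function": {"name": "get_weather", "arguments": "{\"location\": "}}]}

if __name__ == "__main__":
    print(json.dumps(to_unified(OPENAI_SAMPLE) + to_unified(CLAUDE_SAMPLE), indent=2))
    try:
        to_unified(BROKEN_SAMPLE)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting rather than repairing malformed arguments matters: the validator can only scan what it can parse, and a call whose arguments never reached the scanner should not reach the tool either.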
SDK (Beta)
TypeScript and Python SDKs are in beta. Join the waitlist for early access.
We're developing official SDKs to make integration even easier:
- TypeScript SDK: `@bastio/agent-security` (coming soon)
- Python SDK: `bastio-agent-security` (coming soon)
Beta testers receive direct engineering support and free Pro tier access during the beta period.
Next Steps
- Tool Validation - Learn the complete validation API
- Policies - Configure custom security rules
- Human-in-the-Loop - Set up approval workflows
- Agent Identity - Register and authenticate agents