Ask HN: How are you handling non-probabilistic security for LLM agents?

1•amjadfatmi1•1h ago

I've been experimenting with autonomous agents that have shell and database access. The standard approach seems to be "put safety guardrails in the system prompt", but that feels like a house of cards honestly. If a model is stochastic, its adherence to security instructions is also stochastic.

I'm looking into building a hard "Action Authorization Boundary" (AAB) that sits outside the agent's context window entirely. The idea is to intecept the tool-call, normalize it into intent against a deterministic YAML policy before execution.

A few questions for those building in this space:

Canonicalization: How do you handle the messiness of LLM tool outputs? If the representation isn't perfectly canonical, the policy bypasses seem trivial.

Stateful Intent: How do you handle sequences that are individually safe but collectively risky? For example, an agent reading a sensitive DB (safe) and then making a POST request to an external API (dangerous exfiltration).

Latency: Does moving the "gate" outside the model-loop add too much overhead for real-time agentic workflows?

I’ve been working on a CAR (Canonical Action Representation) spec to solve this, but I’m curious if I'm overthinking it or if there’s an existing firewall for agents standard I'm missing.

Comments

yaront111•1h ago

i just built Cordum.io .. should give u 100% deterministic security open sourced and free :)

amjadfatmi1•5m ago

Hey @yaront111, Cordum looks like a solid piece of infrastructure especially the Safety Kernel and the NATS based dispatch.

My focus with Faramesh.dev is slightly upstream from the scheduler. I’m obsessed with the Canonicalization problem. Most schedulers take a JSON payload and check a policy, but LLMs often produce semantic tool calls that are messy or obfuscated.

I’m building CAR (Canonical Action Representation) to ensure that no matter how the LLM phrases the intent, the hash is identical. Are you guys handling the normalization of LLM outputs inside the Safety Kernel, or do you expect the agent to send perfectly formatted JSON every time?

Show HN: Manim Skills – Claude Code skill for creating 3b1B style animations

RCE in ImunifyAV, a common malware scanner for shared web hosting

RAG-ception: Reddit R/RAG 2025 Wrapped with agentic assistant

Redditor discovers card skimmer script on Canadian retailer checkout page

Wiz – AI-Powered Pentest Assistant (Open Source)

BlackRock CEO Larry Fink: 'What Happens to Everyone Else If AI Fuels Inequality?

A Linear Spin on Liquid Glass

Giving your healthcare info to a chatbot is, unsurprisingly, a terrible idea

Dedication Can Change the Magic of Music

The simplest advice I ever got about loneliness

Show HN: PopTogether – A calm game where strangers work together to pop bubbles

Rippling treats payroll errors as feature requests

Show HN: Oracle MCP Servers

3D-printed pump-less liquid cooler can deliver 600 watts of cooling

Tesla Removes Autosteer from All Model 3 and Model Y Trims

Show HN: Physio Tracker – a local-only, offline PWA for tracking exercises

Hasbro CEO and Execs Sued for Alleged Securities Violations

DNA shows syphilis was rooted in the Americas, before Columbus

Show HN: CloudClerk. We struggled with BigQuery finops, so we decided to fight

Even 45 mins naps clear up the brain and improve learning ability

Octoglow – Fallout-inspired post-apocalyptic display (2025)

Gas Town's Agent Patterns, Design Bottlenecks, and Vibecoding at Scale

Ask HN: LLMs for New Job Categories

Designing a Dialogue-Aware Medical AI

White House shares altered image showing arrest of civil rights attorney in MN

Show HN: MermaidTUI Deterministic Unicode/ASCII diagrams in the terminal

Tell HN: Cloudflare's D1 service degraded since 2 days

The Only Moat Left Is Knowing Things

Monster Neutrino Could Be a Messenger of Ancient Black Holes

Velocity Is the New Authority. Here's Why