Show HN: Runtime security for AI agents (injection, tool abuse, data exfiltration)

1•dshapi•1h ago
Hi HN

I’ve been working on an open-source project to explore a problem I keep running into with LLM systems in production:

We give models the ability to call tools, access data, and make decisions… but we don’t have a real runtime security layer around them.

So I built a system that acts as a control plane for AI behavior, not just infrastructure.

GitHub: https://github.com/dshapi/AI-SPM

What it does

The system sits around an LLM pipeline and enforces decisions in real time:

Detects and blocks prompt injection (including obfuscation attempts)
Forces structured tool calls (no direct execution from the model)
Validates tool usage against policies
Prevents data leakage (PII / sensitive outputs)
Streams all activity for detection + audit

Architecture (high-level)

Gateway layer for request control
Context inspection (prompt analysis + normalization)
Policy engine (using Open Policy Agent)
Runtime enforcement (tool validation + sandboxing)
Streaming pipeline (Apache Kafka + Apache Flink)
Output filtering before response leaves the system

The key idea is:

Treat the LLM as untrusted, and enforce everything externally

What broke during testing

Some things that surprised me:

Simple pattern-based prompt injection detection is easy to bypass
Obfuscated inputs (base64, unicode tricks) are much more common than expected
Tool misuse is the biggest real risk (not the model itself)
Most “guardrails” don’t actually enforce anything at runtime

What I’m unsure about

Would really appreciate feedback from people who’ve worked on similar systems:

Is a general-purpose policy engine like OPA the right abstraction here?
How are people handling prompt injection detection beyond heuristics?
Where should enforcement actually live (gateway vs execution layer)?
What am I missing in terms of attack surface?

Why I’m sharing

This space feels a bit underdeveloped compared to traditional security.

We have CSPM, KSPM, etc… but nothing equivalent for AI systems yet.

Trying to explore what that should look like in practice.

Would love any feedback — especially critical takes.
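The post describes the enforcement points but shows no code. The following is an added example, written for this page and not taken from the AI-SPM repository or from the poster, that sketches three of the steps in the architecture list in plain Python: a normalization step for the "context inspection" stage (NFKC folding plus zero-width stripping), a default-deny validator for structured tool calls against a policy, and an output filter that masks PII before the response leaves the system. The policy table, the tool names `search_docs` and `send_email`, the argument limits and the sample calls are all constructed assumptions; a real deployment would evaluate the same decision in OPA rather than in a Python dictionary.

```python
"""Minimal runtime gate for LLM tool calls (added example, not project code).

The LLM is treated as untrusted: it may only emit a JSON object naming a tool
and its arguments, and the gate decides whether that call may execute.
"""
import json
import re
import unicodedata

# Constructed policy (assumption for this example): default-deny. Only listed
# tools are callable, each argument has a required type and a maximum length,
# and send_email may only deliver to recipients in allowlisted domains.
POLICY = {
    "search_docs": {"args": {"query": (str, 200)}},
    "send_email": {
        "args": {"to": (str, 254), "body": (str, 2000)},
        "allowed_recipient_domains": {"example.com"},
    },
}

# Zero-width characters that survive a visual inspection but change matching.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")


def normalize(text: str) -> str:
    """Context-inspection step: fold Unicode compatibility forms (for example
    fullwidth letters) with NFKC and drop zero-width characters, so every
    downstream check sees one canonical form of the same text."""
    return ZERO_WIDTH.sub("", unicodedata.normalize("NFKC", text))


def validate_tool_call(raw: str) -> tuple[bool, str, dict]:
    """Parse a structured tool call and check it against POLICY.

    Returns (allowed, reason, call). Anything not explicitly permitted by the
    policy is denied, including unknown tools, extra or missing arguments,
    wrong types and over-long values.
    """
    try:
        call = json.loads(raw)
    except json.JSONDecodeError:
        return False, "tool call is not valid JSON", {}
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return False, "tool call must be an object with exactly 'tool' and 'args'", {}
    tool = call["tool"]
    if tool not in POLICY:
        return False, f"tool {tool!r} is not allowlisted", {}
    spec = POLICY[tool]
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        return False, f"tool {tool!r} requires exactly args {sorted(spec['args'])}", {}
    for name, (typ, max_len) in spec["args"].items():
        value = args[name]
        if not isinstance(value, typ):
            return False, f"argument {name!r} must be {typ.__name__}", {}
        if len(value) > max_len:
            return False, f"argument {name!r} exceeds {max_len} characters", {}
    # Tool-specific rule: recipient domain is checked on the normalized value,
    # so look-alike characters cannot make a foreign domain pass the allowlist.
    domains = spec.get("allowed_recipient_domains")
    if domains is not None:
        domain = normalize(args["to"]).rpartition("@")[2].lower()
        if domain not in domains:
            return False, f"recipient domain {domain!r} is not allowed", {}
    return True, "allowed", call


# Constructed patterns standing in for a real PII detector.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact_pii(text: str) -> tuple[str, int]:
    """Output-filter step: mask e-mail addresses and SSN-shaped strings before
    the response leaves the system. Returns (filtered_text, redaction_count)."""
    count = 0

    def mask(_match: re.Match) -> str:
        nonlocal count
        count += 1
        return "[REDACTED]"

    text = EMAIL.sub(mask, text)
    text = SSN.sub(mask, text)
    return text, count


if __name__ == "__main__":
    # Constructed sample calls, as a model might emit them.
    samples = [
        '{"tool": "search_docs", "args": {"query": "refund policy"}}',
        '{"tool": "run_shell", "args": {"cmd": "ls"}}',
        '{"tool": "send_email", "args": {"to": "bob@other.org", "body": "hi"}}',
        'search_docs("refund policy")',
    ]
    for raw in samples:
        allowed, reason, _ = validate_tool_call(raw)
        print("ALLOW" if allowed else "DENY ", reason)
    print(redact_pii("Ticket owner alice@example.com, SSN 123-45-6789"))
```

The gate never executes anything itself; it returns a decision and a reason string, which is what you would publish to the audit stream. Note that argument length limits are applied to the raw value while the domain check uses the normalized value: normalization can shorten or lengthen text, so policy checks that care about characters should run on the canonical form.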

Planning and Monitoring Indoor Vertical Green Living Walls with Remote Sensing

https://onlinelibrary.wiley.com/doi/10.1155/ina/5782002
1•PaulHoule•1m ago•0 comments

George Orwell Predicted the Rise of "AI Slop" in Nineteen Eighty-Four (1949)

https://www.openculture.com/2026/04/how-george-orwell-predicted-the-rise-of-ai-slop.html
2•doener•2m ago•0 comments

Show HN: 70% → 100% LLM accuracy by changing the representation, not the model

https://github.com/yvonboulianne/laeka-rational
1•yvonboulianne•3m ago•0 comments

Ne, the Nice Editor

https://github.com/vigna/ne
1•Lyngbakr•3m ago•0 comments

Everything we like is a psyop

https://techcrunch.com/2026/04/16/everything-we-like-is-a-psyop/
1•evo_9•4m ago•0 comments

North Korea targets macOS users in latest heist

https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
2•Bender•4m ago•0 comments

Google Chrome lacks fingerprinting protection

https://www.theregister.com/2026/04/16/google_chrome_lacks_browser_fingerprinting/
2•Bender•5m ago•1 comments

QUIC will soon be as important as TCP – but it's vastly different

https://www.theregister.com/2026/04/16/quic_explained/
1•Bender•6m ago•0 comments

Frank Dudley Beane's Experience with Ergot and Cannabis Indica (1884)

https://publicdomainreview.org/collection/experience-with-ergot-and-cannabis/
2•apollinaire•11m ago•0 comments

The Book News Isn't All Bad

https://reactormag.com/the-book-news-isnt-all-bad/
1•samclemens•12m ago•0 comments

Claude Opus 4.7 System Prompt Leaked

https://twitter.com/elder_plinius/status/2044857095439421885
2•giancarlostoro•18m ago•0 comments

The cover of C++ The Programming Language raises questions not answered by cover

https://devblogs.microsoft.com/oldnewthing/20260401-00/?p=112180
2•ibobev•18m ago•0 comments

Isolating AI Coding Agents on Bare Metal

https://blog.singlr.ai/isolating-ai-coding-agents-bare-metal-incus-podman/
1•jacobobryant•19m ago•0 comments

Cave under castle with prehistoric hippo bones 'once in a lifetime' find

https://www.bbc.com/news/articles/c8ejjw7377jo
2•Lyngbakr•19m ago•0 comments

How customer lists and trademarks help companies borrow

https://www.chicagobooth.edu/review/how-customer-lists-trademarks-help-companies-borrow
1•hhs•20m ago•0 comments

Parcae: Doing More with Fewer Parameters Using Stable Looped Models

https://sandyresearch.github.io/parcae/
2•matt_d•20m ago•0 comments

Runway CEO: AI could help Hollywood make 50 films instead of 1 $100M blockbuster

https://techcrunch.com/2026/04/16/runway-ceo-says-ai-could-help-hollywood-make-50-films-instead-o...
1•bookofjoe•21m ago•1 comments

Resuming ZFS Send (2019)

https://oshogbo.com/blog/66/
1•QuantumNomad_•22m ago•0 comments

Why is a delay between a thread exiting and Wait­For­Single­Object returning?

https://devblogs.microsoft.com/oldnewthing/20260415-00/?p=112235
1•ibobev•22m ago•0 comments

You have to rank 5 projects before you can post your own

https://proofofworth.net
1•Meterman•23m ago•0 comments

The juggling act

https://lawliberty.org/the-juggling-act/
1•hhs•24m ago•0 comments

Show HN: A free Instagram email downloader

https://virev.ai/instagram-email-finder
1•krenerd•25m ago•0 comments

Opus 4.7 Became Better at Web Design

https://www.yashthapliyal.com/blog/opus-4-7-web-design
1•yash1hi•28m ago•0 comments

Write broken commits for better review

https://huonw.github.io/blog/2026/04/broken-commits/
1•dbaupp•28m ago•0 comments

Ask HN: How did you get your first users with zero audience?

2•arikusi•30m ago•0 comments

I built send/links to stop losing links across tabs, bookmarks, and chats

https://sendlinks.app
1•prashantchanne•31m ago•0 comments

Characterizing the Impact of Congestion in Modern HPC Interconnects

https://arxiv.org/abs/2604.11432
1•matt_d•31m ago•0 comments

Stop Using JWTs

https://gist.github.com/samsch/0d1f3d3b4745d778f78b230cf6061452
2•birdculture•32m ago•0 comments

Shipfast.py – SaaS Starter Kit for Python Devs (FastAPI and Supabase and Stripe)

https://www.shipfastpy.com/
1•brandocalricia•34m ago•1 comments

The Long Hunt for China's Vanishing Elephant Slides

https://www.sixthtone.com/news/1018428
1•sohkamyung•35m ago•0 comments