Most AI agents in production right now have no meaningful security between the LLM and whatever databases, APIs, and email inboxes they're connected to. AgentArmor, a new open-source project released under the Apache 2.0 license, tries to fix that with an 8-layer security framework that wraps around existing agent architectures.
The project addresses the OWASP Top 10 for Agentic Applications (a list of the most common security risks specific to AI agents) and works as middleware - sitting between your agent and its actions, evaluating each one before it executes.
The Eight Layers
Each layer targets a specific attack surface in the agent's data flow:
- L1 - Ingestion: Scans inputs for prompt injection (where an attacker hides instructions in data the agent reads) and verifies sources
- L2 - Storage: AES-256-GCM encryption at rest with BLAKE3 integrity checks on stored data
- L3 - Context: Separates instructions from data and uses canary tokens to detect when context has been tampered with
- L4 - Planning: Validates action plans with risk scoring and limits on how deep action chains can go
- L5 - Execution: Rate limiting, network egress control, and human approval gates for sensitive operations
- L6 - Output: PII redaction using Microsoft's Presidio library, plus data loss prevention filtering
- L7 - Inter-Agent: Mutual authentication between agents using HMAC, trust scoring, and delegation depth limits
- L8 - Identity: Agent identity management with just-in-time permissions and credential rotation
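To make the Inter-Agent layer concrete, here is an added example (my own code, not AgentArmor's) of HMAC-based mutual authentication between two agents with a delegation-depth limit. The message fields, the shared pair key, the 30-second freshness window, the depth limit of 3 and the agent names are all assumptions; the page only says the layer uses HMAC, trust scoring and delegation depth limits.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for one agent pair. In a real deployment it would be
# provisioned per pair and rotated (the article's Identity layer), never
# hard-coded.
PAIR_KEY = b"constructed-demo-key-not-for-real-use"
MAX_DELEGATION_DEPTH = 3   # assumed policy value
MAX_CLOCK_SKEW = 30        # seconds; assumed freshness window


def _mac(key, sender, receiver, nonce, depth, ts):
    # Every field is bound into the MAC so none can be altered in transit.
    msg = f"{sender}|{receiver}|{nonce}|{depth}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_nonce():
    return secrets.token_hex(16)


def sign(key, sender, receiver, nonce, depth, ts=None):
    """Build an authenticated message answering the receiver's nonce."""
    ts = int(time.time()) if ts is None else ts
    return {"sender": sender, "receiver": receiver, "nonce": nonce,
            "depth": depth, "ts": ts,
            "mac": _mac(key, sender, receiver, nonce, depth, ts)}


def verify(key, msg, me, nonce, now=None):
    """Return (ok, reason). Checks addressing, the nonce we issued (replay
    protection), freshness, delegation depth, then the MAC in constant time."""
    now = int(time.time()) if now is None else now
    if msg["receiver"] != me:
        return False, "not addressed to me"
    if msg["nonce"] != nonce:
        return False, "nonce mismatch"
    if abs(now - msg["ts"]) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    if msg["depth"] > MAX_DELEGATION_DEPTH:
        return False, "delegation chain too deep"
    expected = _mac(key, msg["sender"], msg["receiver"], msg["nonce"],
                    msg["depth"], msg["ts"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return False, "bad mac"
    return True, "ok"


def mutual_handshake(key, a, b, depth, tamper=None):
    """Each agent proves possession of the pair key against a nonce the other
    side chose. `tamper`, if given, mutates B's message in flight so the
    detection path can be exercised."""
    nonce_a, nonce_b = new_nonce(), new_nonce()   # each side issues a challenge
    msg_from_b = sign(key, b, a, nonce_a, depth)   # B answers A's challenge
    if tamper:
        tamper(msg_from_b)
    ok, reason = verify(key, msg_from_b, a, nonce_a)
    if not ok:
        return False, f"A rejected B: {reason}"
    msg_from_a = sign(key, a, b, nonce_b, depth)   # A answers B's challenge
    ok, reason = verify(key, msg_from_a, b, nonce_b)
    if not ok:
        return False, f"B rejected A: {reason}"
    return True, "mutually authenticated"


if __name__ == "__main__":
    print(mutual_handshake(PAIR_KEY, "planner", "worker", 1))
    print(mutual_handshake(PAIR_KEY, "planner", "worker", 4))
    print(mutual_handshake(PAIR_KEY, "planner", "worker", 1,
                           tamper=lambda m: m.update(sender="rogue")))
```

The depth check runs before the MAC check only because an honest agent that has been delegated to too deeply must be refused as well; a forged depth still fails the MAC. The nonce ties each message to one session, so a captured message cannot be replayed later, and the timestamp bounds how long a stolen-but-unused message stays valid.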
How It Plugs In
AgentArmor integrates with LangChain, the OpenAI SDK, CrewAI, and MCP (Model Context Protocol). Integration is decorator-based - you add @armor.shield() to your agent functions and the wrapped calls are checked before they run. There's also a proxy server mode built on FastAPI for architectures where a decorator approach doesn't fit.
The project includes an MCP Server Scanner that checks for dangerous tools, rug-pull schemes (where a tool's behavior changes after initial verification), and transport vulnerabilities. A CLI provides commands for init, validate, scan, and key generation.
Security policies are defined in YAML with pattern matching and conditional logic, so teams can set rules like "block any database write unless a human approves it" without modifying agent code.
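The decorator-plus-policy pattern described above, as an added example that is not AgentArmor's code: a small shield decorator consults a policy before a tool function runs, with an approval gate for database writes so that "block any database write unless a human approves it" can be expressed without touching the tool itself. The policy is an inline dict standing in for the YAML file the article mentions; the rule schema, the shield name, the approver callback, the context fields and the action names are all assumptions.

```python
import fnmatch
import functools


class ActionBlocked(Exception):
    """Raised when policy denies an action or no human approved it."""


# Constructed policy standing in for the YAML file the article describes.
# Rules are checked top to bottom; the first rule whose action pattern and
# optional "when" conditions both match decides. Unmatched actions fall to
# "default", which is deny so that a new tool is blocked until a rule exists.
POLICY = {
    "rules": [
        {"action": "db.write.*", "effect": "require_approval"},
        {"action": "db.read.*", "effect": "allow"},
        # Written as an allow-condition: if the context does not say the
        # recipient is internal, the send is denied (fail closed).
        {"action": "email.send", "effect": "allow",
         "when": {"external_recipient": False}},
    ],
    "default": "deny",
}

AUDIT = []  # (action, policy decision, final outcome) for every intercepted call


def evaluate(policy, action, context):
    """Return 'allow', 'deny' or 'require_approval' for one action in context."""
    for rule in policy["rules"]:
        if not fnmatch.fnmatchcase(action, rule["action"]):
            continue
        conditions = rule.get("when", {})
        if all(context.get(k) == v for k, v in conditions.items()):
            return rule["effect"]
    return policy["default"]


def human_approved(action, context):
    """Stand-in approval gate: a real one would pause and ask a person. Here the
    constructed context carries the approver's name once sign-off was given."""
    return bool(context.get("approved_by"))


def shield(action, policy=POLICY, approver=human_approved):
    """Decorator: the wrapped tool takes a context dict as its first argument and
    only runs if the policy allows the action, or a human approves it."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(context, *args, **kwargs):
            decision = evaluate(policy, action, context)
            outcome = decision
            if decision == "require_approval":
                outcome = "allow" if approver(action, context) else "deny"
            AUDIT.append((action, decision, outcome))
            if outcome != "allow":
                raise ActionBlocked(f"{action} blocked ({decision})")
            return fn(context, *args, **kwargs)
        return wrapper
    return decorator


# Constructed tool functions an agent might be given.
@shield("db.read.users")
def read_user(context, user_id):
    return {"id": user_id, "name": "constructed user"}


@shield("db.write.users")
def rename_user(context, user_id, new_name):
    return f"user {user_id} renamed to {new_name}"


@shield("email.send")
def send_email(context, to, body):
    return f"sent to {to}"


def run_guarded(tool, context, *args):
    """Call a shielded tool and return its result, or the reason it was blocked."""
    try:
        return tool(context, *args)
    except ActionBlocked as exc:
        return f"BLOCKED: {exc}"


if __name__ == "__main__":
    print(run_guarded(read_user, {}, 7))
    print(run_guarded(rename_user, {}, 7, "alice"))
    print(run_guarded(rename_user, {"approved_by": "oncall-reviewer"}, 7, "alice"))
    print(run_guarded(send_email, {"external_recipient": True}, "x@example.com", "hi"))
    print(AUDIT)
```

Two choices matter here. The default is deny and conditions are phrased as allow-conditions, so a tool the policy has never heard of, or a context that is missing the attribute a rule depends on, is blocked rather than waved through. And every decision, including the approved ones, lands in the audit list, which is what an incident responder needs to reconstruct what the agent tried to do and who let it.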
This is a very early-stage project - the repo shows just three commits and zero stars at publication time. But the problem it's targeting is real. AI agents are getting deployed with database access, email sending capabilities, and API keys, and most teams are relying entirely on the LLM's judgment about when to use them. An interceptor layer that enforces actual security policies, rather than hoping the model behaves, is the kind of infrastructure that should exist. The question is whether AgentArmor can build enough community traction to become that standard, or if one of the larger agent frameworks will build these protections natively first.