How to securely deploy agents that make sensitive decisions autonomously
Joshua Saxe
AI security engineering @ Meta
Agent security doesn’t reduce to traditional security, or traditional AI alignment
AI security does not reduce to the alignment problem
The alignment problem
There’s a philosophical ceiling on our ability to solve the alignment problem that’s too low
Fortunately, in security, we’ve spent decades building controls that assume misalignment, malice, and human error
But AI agent security doesn’t reduce to traditional security either
The thesis of this talk
is that AI agent security requires a novel fusion of cybersecurity, which assumes misalignment, and alignment, which maximizes p(aligned)
Real life photos of maximizing p(alignment) while integrating security
AI agent
2. Agent operates within ‘trust zone’ granting least necessary privilege; fine tuning and guardrails provide ‘best effort’ protection within this zone
1. AI agent we align through fine tuning, scaffolding, and guardrails
3. Security controls like identity, access management, and taint analysis, guarantee agent has no freedom outside of ‘trust zone’
Coarse model for how alignment and cybersecurity work together here
We need to manage dialing up the size of the trusted region over time with the help of red teaming, evals, and real-world experience
Security is the bigger, older discipline; what are the security lessons for agent security?
We built PCs to run arbitrary code from misaligned humans and then incrementally patched the problem with imperfect guardrails
We built the Internet on memory unsafe code and then incrementally patched the problem with partial defenses
Too often the barrier between the untrusted world and our most trusted assets was a series of probabilistic coin flips
Of course there’s no risk we’re doing this today
Of course there’s no risk we’re doing this today
Lessons for AI agent security
AI agent
2. Agent operates in a trusted region in which we allow it freedom of operation
1. AI agent we align through fine tuning, scaffolding, and guardrails
We need to execute well on building this
3. Security ensures its actions never affect this untrusted region
And we’ll need to elegantly manage the risks in dialing up trust
On what we will need to build
The linkages between alignment and security components are shown on the right
Agents need to integrate with traditional security systems in tool calling auth, identity systems, PKI, etc
How the new security stack will fuse AI- and security-native concepts
Guardrails should use ML methods but also security tools like static and taint analyzers
How the new security stack will fuse AI- and security-native concepts
Deterministic controls should use context window data provenance as part of decisions
How the new security stack will fuse AI- and security-native concepts
Detection and response operations should add understanding of objects like chains of thoughts, context windows, and instruction hierarchies
How the new security stack will fuse AI- and security-native concepts
Fusing elements of machine learning safety and alignment and security is a long-term project
Work that steps us towards fusing security with AI alignment
”The Camel paper” (Debenedetti et al., Google Deepmind))
https://arxiv.org/pdf/2503.18813
Work around security infrastructure for AI agents
Work around developing chains of thought as useful security objects
Work around applying static code analysis tools to LLM code outputs
Wrapping up
The thesis of this talk
is that AI agent security requires a novel fusion of cybersecurity, which assumes misalignment, and alignment, which maximizes p(aligned)
We need to manage dialing up the size of the trusted region over time with the help of red teaming, evals, and real-world experience
AI agent security will be a rollercoaster, but this time can be different