Three independent roles that have to agree before any agent action touches your workspace. Operator + Agent + Authority Anchor.
For decades, application security assumed one enforcer: the tool watching the process. AI agents broke that model. An agent asked politely to do something harmful will usually do it. An agent prompted to ignore its own guardrails often will. The tool watching from outside the agent cannot see what is happening inside its reasoning.
The AI Security Triad answers this with three independent roles. Any one of them can be compromised, misled, or talked into the wrong thing — and the other two still reach the right answer.
You. Holds the intent and the authority, and keeps the right to override any verdict.
Your AI agent. Security-aware. Takes its bearings from the Authority Anchor before it acts. Cites policy under pressure.
Dryx. A deterministic, offline, isolated source of truth. It cannot be prompt-injected, because it never reads the prompt.
Deterministic enforcement of the precomputed-dangerous set where the harness supports a hook; defense-in-depth everywhere else. It does not take all risk away. — See how the runtime authority works →
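The runtime authority described above, as an added example that is not Dryx's or the page's own code, reduced to its core: a deterministic gate that returns a structured verdict from the action record alone, ignores any prompt or justification text attached to it, and applies the operator's override last. The tool names, dangerous patterns and trusted-server allowlist are constructed assumptions for this example, not Dryx's actual policy.

```python
"""Added example, not Dryx's code: a deterministic pre-action gate.

Assumptions (constructed for this example): the harness hands the gate a
structured action record (tool name + arguments) before executing it, the
dangerous set is compiled before any session starts, and the operator may
override any verdict. The gate never reads prompt or justification text.
"""
import re
from dataclasses import dataclass

# Constructed precomputed-dangerous set, matched against the action only.
DANGEROUS_SHELL = [re.compile(p) for p in (
    r"\brm\s+-rf\s+/(\s|$)",        # recursive delete of the filesystem root
    r"--no-preserve-root\b",
    r"\bcurl\b.*\|\s*(ba|z)?sh\b",  # pipe remote content straight into a shell
)]
TRUSTED_MCP_SERVERS = {"filesystem", "git"}  # constructed allowlist


@dataclass(frozen=True)
class Verdict:
    decision: str  # "allow" | "deny" | "ask_operator"
    reason: str


def evaluate(action: dict) -> Verdict:
    """Deterministic verdict from tool name and arguments alone; any 'prompt'
    or 'justification' field is ignored, so the same action gets the same
    verdict however persuasively it is framed."""
    tool, args = action.get("tool"), action.get("args", {})
    if tool == "shell":
        cmd = args.get("command", "")
        for pat in DANGEROUS_SHELL:
            if pat.search(cmd):
                return Verdict("deny", f"matches precomputed pattern {pat.pattern!r}")
        return Verdict("allow", "no dangerous pattern")
    if tool == "mcp_install":
        server = args.get("server", "")
        if server in TRUSTED_MCP_SERVERS:
            return Verdict("allow", f"{server!r} is on the trusted list")
        return Verdict("ask_operator", f"{server!r} is not on the trusted list")
    return Verdict("ask_operator", f"no policy for tool {tool!r}")


def gate(action: dict, operator_override: str = "") -> Verdict:
    """Final verdict: an explicit operator decision overrides the anchor."""
    if operator_override in ("allow", "deny"):
        return Verdict(operator_override, "operator override")
    return evaluate(action)
```

Wiring this into a specific harness hook (how the action record arrives and how a deny is signalled back) is harness-specific and not shown here.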
AI agents are among the fastest-growing attack surfaces a developer runs locally, and the market has started pricing that in. In 2026, Palo Alto Networks acquired Koi for roughly $400 million to add a category it calls Agentic Endpoint Security — agent visibility, but in the cloud. That leaves the offline developer workstation, where the agent actually runs, open below it.
The exposure is real and public. Security researchers have reported MCP server ecosystems with 150M+ package downloads and 7,000+ public servers, and a pattern of remote-code-execution and over-broad-OAuth findings across them. One over-permissioned token becomes a master key the moment the tool holding it is compromised.
The category needs a name. The problem has three parts: agents that can be talked into unsafe actions, security tools that cannot see inside agent reasoning, and operators who cannot audit the permissions their tools have quietly accumulated. The AI Security Triad names the shape of the defense — independent verification across all three roles.
Today, on macOS, across every AI agent on your machine — Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini, Ollama, and any MCP-capable agent — under one Authority Anchor:
Multi-party consensus · Policy directive injection · Adversarial-request resistance · Behavioral baseline · Orphaned-configuration detection · Pre-deployment blast radius · Multi-layer enforcement — the seven Authority-Anchor filings, plus four prior cybersecurity provisional filings. Priority date April 2026. Inventor: Matthew Jackson. See the filings →
A fresh Claude Code session. An MCP install request. A structured verdict the agent treats as authoritative. The agent surfaces it and defers to you — on a real machine, no staging. The gate reads the action, not the argument.