Patent-pending across 11 filings · macOS

The AI Security Triad

Three independent roles that have to agree before any agent action touches your workspace. Operator + Agent + Authority Anchor.

The three roles

For decades, application security assumed one enforcer: the tool watching the process. AI agents broke that model. An agent asked politely to do something harmful will usually do it. An agent prompted to ignore its own guardrails often will. The tool watching from outside the agent cannot see what is happening inside its reasoning.

The AI Security Triad answers this with three independent roles. Any one of them can be compromised, misled, or talked into the wrong thing — and the other two still reach the right answer.

Operator

You. Holds the intent and the authority, and keeps the right to override any verdict.

Agent

Your AI agent. Security-aware. Takes its bearings from the Authority Anchor before it acts. Cites policy under pressure.

Authority Anchor

Dryx. A deterministic, offline, isolated source of truth. It cannot be prompt-injected, because it never reads the prompt.

↓ Consensus before any action ↓

The closed loop

The honest part. The agent's deference is mechanical, not voluntary — on the direct-download (notarized) build, a local helper checks the action at the harness hook, and an action on the precomputed-dangerous set is blocked. App Store builds run sandboxed: there Action Guard's Enforce state can't arm, so the deference is a taught reflex plus passive monitoring. The gate reads the action, not the argument — a prompt injection can win the argument with the model and still lose to the gate.

Deterministic enforcement of the precomputed-dangerous set where the harness supports a hook; defense-in-depth everywhere else. It does not take all risk away. — See how the runtime authority works →

Why this matters now

AI agents are among the fastest-growing attack surfaces a developer runs locally, and the market has started pricing that in. In 2026, Palo Alto Networks acquired Koi for roughly $400 million to add a category it calls Agentic Endpoint Security — agent visibility, but in the cloud. That leaves the offline developer workstation, where the agent actually runs, open below it.

The exposure is real and public. Security researchers have reported MCP server ecosystems with 150M+ package downloads and 7,000+ public servers, and a pattern of remote-code-execution and over-broad-OAuth findings across them. One over-permissioned token becomes a master key the moment the tool holding it is compromised.

The category needs a name. The problem has three parts: agents that can be talked into unsafe actions, security tools that cannot see inside agent reasoning, and operators who cannot audit the permissions their tools have quietly accumulated. The AI Security Triad names the shape of the defense — independent verification across all three roles.

How Dryx implements the AI Security Triad

Today, on macOS, across every AI agent on your machine — Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini, Ollama, and any MCP-capable agent — under one Authority Anchor:

Patent-pending across 11 filings

Multi-party consensus · Policy directive injection · Adversarial-request resistance · Behavioral baseline · Orphaned-configuration detection · Pre-deployment blast radius · Multi-layer enforcement — the seven Authority-Anchor filings, plus 4 prior cybersecurity provisional filings. Priority date April 2026. Inventor: Matthew Jackson. See the filings →

What the AI Security Triad is not

See the AI Security Triad anchor a real session

A fresh Claude Code session. An MCP install request. A structured verdict the agent treats as authoritative. The agent surfaces it and defers to you — on a real machine, no staging. The gate reads the action, not the argument.

Get early access How the runtime authority works →