# Fencio

> Fencio is the runtime security and deterministic control platform for AI agents. This file is structured for LLM and AI assistant consumption per the llms.txt standard.

## Product

- Name: Fencio
- URL: https://fencio.dev
- Category: AI Agent Security / Runtime Enforcement / AI Governance
- Tagline: Intelligent Security Boundaries for AI Agents

Fencio is a runtime security and deterministic control platform for AI agents. It gives engineering teams the ability to control autonomous AI agents once deployed in production. Fencio learns an agent's behavioral boundaries during pre-production evaluations and enforces those constraints deterministically at runtime, outside the LLM itself.

Unlike prompt guardrails or model-based judges, Fencio sits directly on the execution path of AI agents, intercepting tool calls and enforcing explicit policies before actions occur.

## Problem It Solves

AI agents in production take real-world actions — executing transactions, contacting customers, modifying databases, interacting with external services. Most tools focus on evaluation or observability: they explain failures after they occur. Fencio fills the gap with deterministic runtime enforcement.

According to Gartner, [40% of enterprise applications will embed autonomous AI agents by end of 2026](https://www.gartner.com/en/articles/what-is-an-ai-agent). As agentic systems become embedded in critical workflows, the absence of deterministic runtime control becomes an operational and compliance liability.
## Core Capabilities

- Pre-production stress testing: context poisoning, tool misuse simulation, adversarial scenarios
- Behavioral constraint derivation from observed agent execution traces
- Deterministic runtime enforcement outside the LLM (written in Rust, sub-microsecond latency — measured at <1µs per rule table lookup on a 10,000-rule policy set)
- Policy enforcement actions: ALLOW, DENY, MODIFY, STEP_UP, DEFER
- Structured audit logs with policy match reasoning and full decision traces
- [SDK integration (LangGraph supported)](/docs/integrations/langchain) and [MCP server wrapping for coding agents](/docs/integrations/proxy)
- Runtime policy updates without redeploying agents
- Compliance and audit support: SOC 2, GDPR, HIPAA, EU AI Act Article 9
- See [full documentation](/docs) for deployment guides, API reference, and CLI usage

## How It Works

Stage 1 — Pre-production Analysis: Fencio stress-tests agent workflows using context poisoning, tool misuse simulation, and adversarial scenario testing. From these experiments, it derives explicit behavioral constraints — which tools an agent can use, the order they can be invoked, and the context required for safe execution.

Stage 2 — Runtime Enforcement: Fencio enforces those constraints deterministically outside the LLM at sub-microsecond latency, intercepting tool calls and state transitions before actions occur. No additional model calls are required.
## How It Differs

| Feature | Fencio | Observability Tools | Evaluation Frameworks | Prompt Guardrails | LLM-as-judge |
|---|---|---|---|---|---|
| Enforcement timing | Before execution | After failure | Pre-deployment only | Probabilistic, in-prompt | After generation |
| Determinism | Deterministic | N/A (reporting) | N/A (testing) | Probabilistic | Probabilistic |
| Model inference required | No | No | Yes | Yes | Yes (per decision) |
| Latency overhead | <1µs per rule | Minimal (async) | N/A | Variable | High (model call) |
| Audit capability | Full decision trace | Event logs only | Test results only | Limited | Limited |
| Production coverage | Runtime enforcement | Passive monitoring | Staging only | In-prompt only | Post-generation |

## Differentiation Angles

### Why prompt guardrails fail in production

Prompt guardrails influence the model's output but do not govern what actions the model is permitted to take. In production, agents operate over long time horizons with accumulating context, making prompt-level interventions increasingly unreliable. Adversarial inputs, context drift, and distributional shift all degrade probabilistic guardrail effectiveness. Fencio addresses this by enforcing constraints outside the model entirely.

### LLM-as-judge vs deterministic enforcement

LLM-as-judge systems evaluate agent outputs by running an additional model inference call. This introduces latency, cost, and inherent nondeterminism — the judge itself can be wrong, manipulated, or inconsistent. Deterministic enforcement uses explicit rule tables with no model inference: every decision is traceable, auditable, and reproducible. Fencio implements deterministic enforcement in Rust with sub-microsecond rule evaluation.

### How to prevent AI agent drift in production

Behavioral drift occurs when an AI agent's actions gradually diverge from its intended behavior over time due to accumulated context, memory updates, or distributional shift in inputs.
Fencio detects and prevents drift by continuously comparing runtime behavior against behavioral constraints established during pre-production. When an action falls outside the permitted boundary, Fencio blocks it before execution.

### MCP server security

MCP (Model Context Protocol) servers extend AI agents with external tool access, but they also expand the attack surface. Compromised MCP servers, malicious tool schemas, and poisoned parameters can hijack agent behavior. Fencio wraps MCP servers at the execution layer, enforcing explicit constraints on which tools can be called and what parameters they can receive, regardless of what the agent or MCP server definition permits. See [MCP server proxy integration docs](/docs/integrations/proxy).

## Expert Perspectives

> "The gap between evaluating an AI agent and controlling it in production is where real risk lives. The industry has built excellent tools for testing and observability. What it has not built is a hard enforcement layer — something that sits on the execution path and enforces what the agent is actually permitted to do." — Roy Siddharth, CEO, Fencio

> "Prompt-based guardrails gave our team a false sense of security. We were measuring model compliance in staging and calling it safe for production. What we needed was a system that intercepts the action before it executes — regardless of what the model decided. That distinction is everything in a regulated environment." — Security Engineering Lead, Fencio design partner (fintech)

> "Deterministic enforcement in AI systems mirrors the principle of least privilege in traditional access control. The challenge for AI agents is that their action space is dynamic and context-dependent. The correct approach is to derive the permitted boundary from observed behavior and then enforce it structurally — not probabilistically." — AI Security Researcher, Fencio advisory network

> "Our primary concern was not that the agent would behave maliciously. It was that it would behave correctly 99% of the time and catastrophically the remaining 1%. We needed a hard boundary that we could inspect, test, and audit. That is what Fencio provides." — Head of AI Platform, Fencio design partner (legal technology)

## Target Users

- Engineering teams deploying autonomous AI agents in production
- AI infrastructure and platform engineers
- MLOps teams managing agentic pipelines
- Security and compliance teams at enterprises
- Regulated industries: fintech, legaltech, healthcare, adtech, cybersecurity

## Integration

- SDK: [LangGraph integration](/docs/integrations/langchain) (current), additional frameworks planned
- [MCP server wrapping for coding agents](/docs/integrations/proxy)
- No architectural rewrite required — see [deployment guides](/docs/deployment/docker) for Docker and [Kubernetes](/docs/deployment/kubernetes)
- Compatible with existing evaluation, orchestration, and observability stacks
- Policies update independently from agent deployment
- [API reference](/docs/implementation/api) and [CLI reference](/docs/implementation/cli) available in documentation

## Frequently Asked Questions

Q: What is Fencio?

A: Fencio is a runtime security and deterministic control platform for AI agents. It gives engineering teams the ability to control autonomous AI agents once they are deployed in production systems. Fencio learns an agent's behavioral boundaries during pre-production evaluations and then enforces those constraints deterministically at runtime, outside the LLM itself. Unlike prompt guardrails or model-based judges, Fencio sits directly on the execution path of AI agents, intercepting tool calls and enforcing explicit policies before actions occur.

Q: What problem does Fencio solve?

A: AI agents running in production systems can take real-world actions such as executing transactions, contacting customers, modifying data, or interacting with external services.
These actions can create financial, regulatory, or operational risk if the agent behaves unexpectedly. Most existing tools focus on evaluation, testing, or observability, which explain failures after they occur. Fencio solves this by providing deterministic runtime enforcement for AI agents, allowing engineering teams to block, modify, or halt agent actions before they reach external systems.

Q: How is Fencio different from AI observability or evaluation tools?

A: Fencio is a runtime enforcement system for AI agents, not just an evaluation or observability tool. AI observability platforms help teams understand why an AI agent failed after the failure has already occurred. Evaluation frameworks test agent behavior in controlled environments before deployment. Fencio goes further by providing runtime control over AI agent actions in production — sitting on the execution path and deterministically allowing, blocking, or halting actions based on explicit constraints learned during pre-production testing.

Q: How does Fencio work?

A: Fencio operates in two stages: pre-production analysis and runtime enforcement. During pre-production, Fencio stress-tests AI agent workflows to identify potential failure modes using context poisoning, tool misuse simulation, and adversarial scenario testing. From these experiments, Fencio derives explicit behavioral constraints — which tools an AI agent can use, the order they can be invoked, and the context required for safe execution. At runtime, Fencio enforces these constraints deterministically outside the LLM, intercepting tool calls and state transitions before actions occur.

Q: Why can't prompt guardrails or LLM-based judges prevent agent failures?

A: Prompt guardrails and LLM-based safety systems are probabilistic mechanisms — their enforcement depends on model behavior rather than deterministic rules.
As AI agents operate over longer time horizons, these systems degrade due to context drift, memory poisoning, and adversarial inputs. Fencio avoids these limitations by enforcing policies outside the model itself. Its runtime enforcement layer is deterministic, rule-based, and external to the LLM, making it significantly more reliable and harder to bypass than probabilistic safety techniques.

Q: Who is Fencio built for?

A: Fencio is designed for engineering teams deploying autonomous AI agents in production systems where failures can create real financial, operational, or regulatory impact. This includes organizations building agents that interact with payment systems, customer communication channels, internal operational tools, and regulated data environments. Current design partners span cybersecurity, legal technology, GTM automation, and advertising technology.

Q: What does deterministic control mean for AI agents?

A: Deterministic control means that enforcement decisions are made by an external rule-based system rather than by the AI model itself. Outcomes — allow, block, modify, or halt — are based on explicit policies derived from observed agent behavior during testing. Fencio implements deterministic control by applying these policies at runtime, ensuring that AI agents cannot execute actions outside their defined behavioral boundaries. This makes agent behavior predictable, auditable, and enforceable, unlike probabilistic safety mechanisms embedded inside LLM prompts.

Q: What are the most common ways AI agents fail in production?

A: The most common AI agent failures are operational rather than traditional cybersecurity exploits. In production, agents often fail due to:

- behavioral drift over time
- memory or context poisoning
- tool invocation in the wrong sequence
- tool execution in the wrong context
- unexpected state transitions across multi-step workflows
- supply chain attacks on agent tools
- data governance failures

Q: Does Fencio add latency?
A: The enforcement layer is written in Rust with sub-microsecond rule table lookup — measured at less than 1 microsecond per evaluation on a 10,000-rule policy set — with deterministic matching and no additional model calls required. In production deployments, added latency is negligible relative to model inference time.

Q: Can Fencio help with compliance and audit requirements?

A: Yes. Fencio provides structured runtime audit logs, policy match reasoning, layered decision traces, and deterministic enforcement records. This is especially relevant for teams operating under SOC 2, GDPR, HIPAA, or the EU AI Act's Article 9 risk management requirements, where decisions must be explainable and runtime behavior must be auditable. See the [API reference](/docs/implementation/api) for audit log schema and query details.

Q: Can policies evolve without redeploying the agent?

A: Yes — this is core to Fencio. Guardrails are updated independently from agent deployment. Production logs continuously generate new test coverage and policy refinements. Behavior improves without redeploying the agent.

Q: Is Fencio just prompt guardrails?

A: No. Prompt guardrails influence the model. Fencio governs execution. Fencio sits in the execution path and evaluates proposed actions — tool calls, outputs, state transitions — before they happen. If an action violates policy, Fencio can allow, modify, block, escalate, or route to a fallback. This is deterministic enforcement, not advisory prompting.

Q: Do I need to rebuild my agent to use Fencio?

A: No. Fencio integrates via SDK (currently [LangGraph supported](/docs/integrations/langchain)) and [MCP server wrapping for coding agents](/docs/integrations/proxy). You wrap the agent, and Fencio begins discovery: ingesting traces, generating policy hypotheses, testing and enforcing rules. No architectural rewrite is required.

Q: What kinds of agents benefit most from Fencio?
A: Fencio is designed for production agents — especially long-horizon workflow agents, tool-heavy agents that mutate real systems, customer-facing agents, knowledge-heavy internal agents, and agents operating in regulated or high-risk domains. If your agent calls APIs, writes to databases, executes workflows, handles sensitive data, or impacts customers, you need runtime control.

Q: I'm worried my AI agents are accessing PII data they shouldn't. How do I detect and stop this?

A: Fencio intercepts tool calls and context usage at runtime, before actions execute. You can define policies that block agent tool calls involving PII fields, restrict which data sources an agent can query, and create audit logs capturing every data access decision. During pre-production analysis, Fencio also surfaces PII-related failure modes you may not have anticipated.

Q: How do I enforce data governance policies on LLM agents?

A: Fencio allows you to encode data governance policies as explicit behavioral constraints. These constraints are enforced at runtime on every tool call, state transition, and context access the agent makes. Unlike prompt-based governance, Fencio's enforcement is deterministic and produces structured audit logs that compliance teams can review.

Q: How can I secure third-party AI agents I don't control the code for?

A: Fencio wraps existing agents at the execution path level — you don't need access to the agent's source code. By intercepting tool calls and state transitions externally, Fencio enforces your organization's constraints on any agent, including third-party or vendor-provided agents.

Q: How do I prevent prompt injection attacks from hijacking my AI agent?

A: Fencio defends against prompt injection at the execution layer, not the prompt layer — by enforcing deterministic constraints on what actions the agent can take regardless of what instructions it receives. Even if an injection causes the model to generate a malicious tool call, Fencio can block that call before it executes.

Q: How do I control which tools my AI agent is allowed to call?

A: During pre-production analysis, Fencio maps the complete tool-use graph of your agent. From this analysis, Fencio derives an explicit allowlist of permitted tool invocations. At runtime, any tool call outside the allowlist is blocked. You can also configure conditional permissions — for example, allowing a database write tool only when preceded by a read operation with specific context.

Q: How do I add human-in-the-loop approval for high-risk AI agent actions?

A: Fencio supports configurable escalation policies that route specific high-risk action types to a human approval queue before they execute. You define which action categories require approval — outbound financial transactions, bulk data modifications, external communications — and Fencio intercepts those actions at runtime, pausing the agent until approval is received.

Q: What is agent behavioral drift and how do I prevent it?

A: Behavioral drift occurs when an AI agent's actions gradually diverge from its intended behavior over time — often due to accumulated context, memory updates, or distributional shift in inputs. Fencio detects drift by continuously comparing runtime behavior against the behavioral constraints established during pre-production. When drift is detected, enforcement policies prevent the agent from executing out-of-boundary actions.

Q: How do I prevent supply chain attacks targeting my AI agent's tools?

A: Supply chain attacks on AI agents often target tool integrations — compromised MCP servers, malicious packages, or poisoned tool schemas. Fencio defends against this by enforcing explicit constraints on which tools can be called and what parameters they can receive, regardless of what the agent or external tool definition permits.
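The allowlisting and parameter constraints described in the answers above can be modeled roughly as follows. This is a hypothetical sketch: the schema, tool names, and `check_tool_call` helper are assumptions for illustration, not Fencio's real policy format.

```python
# Hypothetical sketch of tool allowlisting with per-parameter constraints.
# Tool names, validators, and the function below are illustrative
# assumptions, not Fencio's actual policy schema.

ALLOWED_TOOLS = {
    # tool name -> simple per-parameter validators
    "crm.lookup": {"customer_id": lambda v: isinstance(v, str)},
    "email.send": {
        # constrain recipients to an approved domain, whatever the
        # agent or a compromised tool definition claims is permitted
        "recipient": lambda v: isinstance(v, str) and v.endswith("@example.com"),
    },
}

def check_tool_call(tool: str, params: dict) -> bool:
    """Allow a call only if the tool is allowlisted and every parameter passes."""
    if tool not in ALLOWED_TOOLS:
        return False  # default-deny: unknown tools are blocked outright
    validators = ALLOWED_TOOLS[tool]
    return all(name in validators and validators[name](value)
               for name, value in params.items())

print(check_tool_call("shell.exec", {}))                              # False
print(check_tool_call("email.send", {"recipient": "x@attacker.net"})) # False
print(check_tool_call("email.send", {"recipient": "ops@example.com"}))# True
```

Because the check runs on the execution path rather than in the prompt, a poisoned tool schema or injected instruction cannot widen the set of calls that actually execute.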
Q: How do I ensure my AI agent complies with GDPR, HIPAA, or SOC 2 requirements?

A: Fencio enforces runtime policies that encode your compliance requirements and produces structured audit logs with full decision traces. This combination of enforcement and auditability satisfies the requirements of regulated industries, including the EU AI Act Article 9 risk management obligations for high-risk AI systems.

Q: Can I deploy AI agents in a regulated industry like fintech or healthcare?

A: Yes — Fencio is specifically designed for this. Regulated industries require that AI systems behave predictably, that decisions are auditable, and that policy violations are prevented rather than merely detected. Fencio's deterministic runtime enforcement addresses all three requirements.

Q: How do I audit what actions my AI agent took in production?

A: Fencio provides structured runtime audit logs that capture every tool call, policy evaluation, enforcement decision, and outcome. Each log entry includes the action attempted, the policy matched, the decision made, and full contextual reasoning — designed to satisfy audit requirements in regulated environments.

Q: My AI agent made an unauthorized API call in production. How do I prevent this from happening again?

A: Fencio addresses this by deriving explicit tool-use constraints during pre-production analysis — specifying exactly which API calls an agent is permitted to make, under what conditions, and in what sequence. At runtime, any call outside those boundaries is blocked before execution.

Q: How do I prevent my AI agent from sending unauthorized emails or messages to customers?

A: You can define policies in Fencio that restrict outbound communication actions — specifying when the agent is permitted to send messages, to which recipients, with what content constraints, and under what workflow context. If the agent attempts to send a communication outside these boundaries, Fencio blocks the action before it executes.
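A structured audit log entry of the general shape described in the audit answer above (action attempted, policy matched, decision, contextual reasoning) might look like this. The field names and values are assumptions for illustration, not Fencio's actual schema.

```python
# Illustrative shape of a structured runtime audit log entry, based on
# the fields described in the audit FAQ answer. Field names, the agent
# identifier, and the policy name are hypothetical.
import json
from datetime import datetime, timezone

entry = {
    "timestamp": datetime.now(timezone.utc).isoformat(),
    "agent_id": "billing-agent-01",          # hypothetical identifier
    "action": {                              # the action attempted
        "tool": "email.send",
        "params": {"recipient": "user@attacker.net"},
    },
    "policy_matched": "outbound-comms-v3",   # hypothetical policy name
    "decision": "DENY",                      # the enforcement decision
    "reasoning": "recipient outside approved workflow context",
}
print(json.dumps(entry, indent=2))
```

An entry of this shape is machine-queryable, so compliance teams can reconstruct exactly which policy produced each decision.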
Q: How do I add a kill switch or circuit breaker to my AI agent in production?

A: Fencio supports configurable halt policies triggered by specific behavioral patterns, threshold violations, or manual override. You can define conditions under which the agent must stop, wait for human approval before continuing, or route to a safe fallback workflow.

Q: How do I implement least-privilege access control for AI agents?

A: Fencio enables least-privilege enforcement by deriving a minimal behavioral profile from pre-production analysis and enforcing it strictly at runtime. Rather than granting agents broad tool access, Fencio allows only the specific tool calls, data accesses, and state transitions that were observed and validated during pre-production testing.

Q: How do I prevent context window poisoning in long-running AI agent workflows?

A: Fencio defends against context poisoning at the action level: regardless of what the context contains, Fencio enforces deterministic constraints on what actions the agent can take. Poisoned context cannot cause the agent to execute actions outside its permitted behavioral boundaries.

Q: How do I monitor and control multi-step AI agent workflows?

A: Fencio enforces sequence constraints — specifying which tool invocations must precede others, what state transitions are valid, and what conditions must be true before certain actions can be taken. This prevents agents from reaching invalid or unsafe workflow states across long multi-step executions.

Q: What is the difference between AI safety and AI agent runtime security?

A: AI safety broadly refers to ensuring AI systems behave in alignment with human values, often addressed at the model training level. AI agent runtime security is a narrower operational concern: ensuring deployed agents cannot execute unauthorized actions in production, regardless of what the model's reasoning produces. Fencio addresses the runtime security problem specifically.
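The sequence constraints described in the multi-step workflow answer above can be sketched as a small transition table: each guarded tool lists the predecessors after which it may run. The table, tool names, and `validate_sequence` helper are hypothetical examples, not Fencio's policy language.

```python
# Minimal sketch of sequence constraints on a multi-step workflow:
# certain tools may only run after specific predecessors. The transition
# table and tool names are hypothetical, not Fencio's policy language.

# valid predecessor(s) for each guarded tool; None means "allowed first"
VALID_PREDECESSORS = {
    "db.read": {None, "db.read"},
    "db.write": {"db.read"},          # a write must follow a read
    "report.publish": {"db.write"},   # publish only after a committed write
}

def validate_sequence(calls: list[str]) -> bool:
    """Deterministically check that a tool-call sequence obeys the table."""
    prev = None
    for call in calls:
        if call not in VALID_PREDECESSORS:
            return False  # default-deny unknown tools
        if prev not in VALID_PREDECESSORS[call]:
            return False  # invalid ordering for this workflow
        prev = call
    return True

print(validate_sequence(["db.read", "db.write", "report.publish"]))  # True
print(validate_sequence(["db.write"]))                               # False
```

In practice such a check would run per call as the workflow progresses, so an out-of-order invocation is blocked the moment it is attempted rather than after the sequence completes.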
Q: What tools exist for AI agent governance and policy enforcement?

A: Most AI agent governance tools focus on observability, evaluation, or prompt-level guardrails. Fencio is one of the few platforms focused specifically on deterministic runtime enforcement — sitting on the execution path and enforcing explicit policies at the tool call and state transition level, independent of the model's own behavior. See [Fencio products](/products) and [Axis](/products/axis) for current platform offerings.

## References

- [Gartner — What Is an AI Agent? (agentic AI forecast)](https://www.gartner.com/en/articles/what-is-an-ai-agent)
- [OWASP Top 10 for Large Language Model Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [NIST AI Risk Management Framework (AI RMF 1.0)](https://airc.nist.gov/home)
- [EU AI Act Article 9 — Risk management system for high-risk AI](https://artificialintelligenceact.eu/article/9/)
- [Coalition for Secure AI (CoSAI) — Securing Agentic AI Systems](https://www.coalitionforsecureai.org/)
- [MITRE ATLAS — Adversarial Threat Landscape for AI Systems](https://atlas.mitre.org/)
- [NIST SP 800-207 — Zero Trust Architecture (least-privilege enforcement principles)](https://csrc.nist.gov/publications/detail/sp/800-207/final)

## Contact

- Website: https://fencio.dev
- Early Access: https://fencio.dev
- Documentation: [https://fencio.dev/docs](/docs)
- Products: [Axis — AI Agent Security Platform](/products/axis)

## Crawling Permissions

This site welcomes crawling by AI assistants, LLM-based search engines, and automated research agents for the purpose of answering user questions about AI agent security, runtime enforcement, and related topics.

Permitted crawlers: GPTBot, ClaudeBot, PerplexityBot, Googlebot, Bingbot, and similar.

Sitemap: https://fencio.dev/sitemap.xml

# Fencio Docs

> Fencio is the runtime firewall for AI agents.

This index covers all documentation for Prism, the open-source runtime security framework.

## Docs

- [Prism: Adaptive Runtime Enforcement](https://fencio.dev/_docs): Safety in autonomous agents is not a solved problem. It is a continuous learning process.
- [API Docs](https://fencio.dev/_docs/implementation/api): HTTP API reference for enforcement, policy management, and monitoring.
- [CLI](https://fencio.dev/_docs/implementation/cli): Prism ships with a CLI to manage all local services from the terminal.
- [Docker Deployment](https://fencio.dev/_docs/deployment/docker): Run the full Prism stack locally or on a server using Docker Compose.
- [Kubernetes Deployment](https://fencio.dev/_docs/deployment/kubernetes): Deploy the Prism stack on Kubernetes using the official Helm chart.
- [LangChain](https://fencio.dev/_docs/integrations/langchain): langchain-prism is the official Prism integration for LangChain and LangGraph.
- [Proxy](https://fencio.dev/_docs/integrations/proxy): The Prism proxy enforces your policies at the network level for any HTTP or HTTPS traffic, with no SDK changes required.