Securing AI Agents from the Inside: A Step-by-Step Guide to Deploying Arcjet Guards

Introduction

As artificial intelligence agents take over more application logic—reading files, fetching web pages, processing queue messages—traditional security tools built around HTTP boundaries are no longer effective. Web application firewalls (WAFs), proxies, and middleware assume a request boundary exists, but modern agentic systems operate through tool calls, queue consumers, and workflow steps that never touch an HTTP request. This leaves a critical gap: untrusted input arrives as function arguments, not request bodies, and security context like identity, session, and budget is invisible to external gateways. Arcjet, a runtime security company, addresses this with its Guards capability, which enforces security policy directly inside agent tool handlers, queue consumers, and workflow steps. This guide walks you through deploying Arcjet Guards to protect your agentic systems from prompt injection, data exfiltration, and other risks that bypass traditional defenses.

Securing AI Agents from the Inside: A Step-by-Step Guide to Deploying Arcjet Guards — Source: thenewstack.io

What You Need

An existing agentic application using tool handlers, queue consumers, or multi-agent pipelines.
Arcjet SDK installed in your project (supports Node.js, Python, etc.).
Access to your codebase where agent tool functions are defined.
Definition of untrusted inputs (e.g., user prompts, fetched web content, queue messages).
Basic understanding of your application's business logic and context (identity, session, budget).
Development environment for testing and pull request workflow.

Step-by-Step Guide to Deploying Arcjet Guards

Step 1: Identify Untrusted Input Points in Your Agentic System

Begin by mapping all entry points where untrusted data enters your agent. These include:

Tool handler arguments – function parameters passed from agent orchestration.
Queue consumer messages – data pulled from a broker like RabbitMQ or SQS.
Multi-agent pipeline state – information passed between steps via shared memory or workflow engines.

Note that these inputs never cross a network boundary visible to a WAF or proxy. For example, a prompt injection can occur when an agent fetches a malicious webpage that instructs it to send content to an attacker—a WAF protecting the chat interface upstream sees nothing because the fetch happens server-side inside the tool call. Document each input point and its associated risk (e.g., data exfiltration, unauthorized actions).

Step 2: Integrate the Arcjet SDK into Your Project

Add the Arcjet SDK to your application. The SDK provides the framework for defining and enforcing security rules inline with your code. Follow the official installation instructions:

Run your package manager to install @arcjet/sdk (or equivalent for your language).
Initialize the SDK with your Arcjet API key in your application bootstrapping code.
Ensure the SDK is imported in every module that contains untrusted input handlers.

Arcjet’s model is “security lives where the code lives,” so placing the SDK in each relevant file aligns with your existing pull request and code review workflows.

Step 3: Define Security Rules Closest to the Input

Use Arcjet’s rule definitions to specify what should be checked. For each untrusted input point, decide what policies to apply. Common rules include:

Rate limiting – per user, per session, or per budget.
Content validation – detect suspicious text, scripts, or requests to exfiltrate data.
Allow/block lists – restrict URLs or external domains the agent can access.
Context-aware checks – verify the caller’s identity, role, or remaining budget before allowing the tool action.

Write these rules as code within the same file as your tool handler. For example, if a tool reads a web page, define a rule that checks the fetched URL against a blocklist before processing the content. This makes protection explicit and reviewable in every pull request.

Step 4: Place Guards Inside Tool Handlers, Queue Consumers, and Workflow Steps

Now implement the actual guard. For each identified input point, wrap the input handling logic with an Arcjet guard call. The guard intercepts the untrusted input, evaluates it against your defined rules, and either allows the operation to proceed or rejects it with a clear error.

// Example (pseudo-code):
function fetchWebsite(url) {
  // Arcjet guard evaluates URL against allow/block list and budget
  if (!arcjet.check({ input: url, context: { userId, session } })) {
    throw new SecurityException("Blocked by Arcjet Guard");
  }
  // Proceed with actual fetch
}

For queue consumers, place the guard immediately after retrieving the message. For multi-agent pipelines, add guards at each step transition where state is passed. The key is that the enforcement point moves to where untrusted input arrives—inside the application, where full context (identity, business logic, budget) is available.

Step 5: Test with Real-World Attack Scenarios

Simulate attacks that bypass traditional proxies. For instance:

Prompt injection via fetched content – Craft a webpage with hidden text instructions that tell the agent to send data to an attacker. Verify that the guard blocks the exfiltration action.
Malicious queue messages – Inject a message with commands to execute privileged operations without authentication. Confirm the guard rejects it based on missing permissions.
Cross-step poisoning – Modify pipeline state mid-execution to trigger unauthorized tool calls. Ensure the guard at each step validates state consistency.

Document test results and adjust rules as needed. Remember: the guard sees the full context (identity, session, budget) that a proxy cannot.

Step 6: Deploy and Monitor with Code Review

Because guards are defined in code alongside features, they become part of your normal deployment pipeline. When you create a pull request, the guard rules are reviewed together with the feature logic. This ensures security policies evolve with the application. After deployment, monitor logs from Arcjet for blocked events and adjust rules based on false positives or emerging threats.

Continuously update the input points as your agentic system grows. If new tool handlers, queue consumers, or workflow steps are added, follow steps 1–5 to integrate guards. This proactive approach keeps your security posture aligned with the expanding attack surface.

Tips for Success with Arcjet Guards

Start small – Focus on the highest-risk inputs first (e.g., tools that fetch external content or handle user data). Gradually expand coverage.
Leverage context – Use the rich context available inside the application (userId, session, budget) to make granular decisions that proxies cannot.
Review in PRs – Treat guard rules as first-class code. Require security review for any changes to rules, just like feature logic.
Combine with logging – Log all guard invocations and outcomes. This helps in debugging false positives and detecting novel attack patterns.
Stay updated – Agentic systems evolve fast. Revisit your input mappings and rules quarterly to ensure they cover new entry points (e.g., new tool types or queue systems).

By following these steps, you shift security from the perimeter to the point of action, closing the gap that traditional WAFs and proxies cannot address. Arcjet Guards empower you to protect your agentic applications from the inside out.