AgentWall introduces runtime safety layer to intercept and control local AI agent actions
New research presents a policy-enforcing system that sits between autonomous agents and host environments, requiring human approval for sensitive operations and achieving 92.9% enforcement accuracy.
- Researchers introduced AgentWall, a runtime safety system that intercepts proposed agent actions before they execute on local machines, evaluating them against declarative policies and requiring human approval for sensitive operations.
- The system is implemented as an MCP proxy and as a plugin compatible with Claude Desktop, Cursor, Windsurf, Claude Code, and OpenClaw, deployed via a single install command.
- AgentWall demonstrated 92.9% policy enforcement accuracy across 14 benchmark tests with sub-millisecond performance overhead.
- The system records complete execution trails for audit and replay, addressing a safety gap in local agent deployments where developers run untrusted agents against their own infrastructure.
A new paper on arXiv presents AgentWall, a runtime safety and observability system designed to intercept and control the actions of local AI agents before they reach the host operating system. As agents evolve from passive language generators into active software components capable of executing shell commands, modifying files, and calling APIs, the safety model for AI has shifted from preventing harmful outputs to preventing harmful actions. Traditional approaches—model alignment and input filtering—do not address what occurs at the boundary where an agent's intent translates into actual system modifications.
AgentWall operates as a policy-enforcing middleware layer. Every proposed agent action is intercepted, evaluated against an explicitly defined declarative policy, and flagged for human review if it affects sensitive resources. The system maintains a complete execution trail for audit and replay, enabling developers to understand and investigate agent behavior after the fact. Implementation spans multiple environments: it functions as both an MCP (Model Context Protocol) proxy and a native plugin compatible with Claude Desktop, Cursor, Windsurf, Claude Code, and OpenClaw, all deployable through a single install command.
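The interception loop described above, as an added illustration in Python that is not AgentWall's code (the paper's policy language and MCP plumbing are not shown here): a declarative allow/deny/ask policy, escalation of unmatched actions to a human approver, and an append-only execution trail. The policy schema, the tool names and the approve/execute callbacks are all assumptions; the traversal case shows why proposed paths must be normalised before they are matched.

```python
import fnmatch
import os
import time

# Constructed example policy (not AgentWall's schema): first matching rule wins,
# deny rules are listed first, and anything unmatched is escalated to a human.
POLICY = {
    "default": "ask",
    "rules": [
        {"tool": "fs.*", "path": "/home/dev/.ssh/*", "decision": "deny"},
        {"tool": "fs.*", "path": "/home/dev/.aws/*", "decision": "deny"},
        {"tool": "shell.exec", "cmd": "rm -rf *", "decision": "deny"},
        {"tool": "fs.*", "path": "/home/dev/project/*", "decision": "allow"},
        {"tool": "shell.exec", "cmd": "git *", "decision": "allow"},
    ],
}

def normalise(action):
    """Collapse '..' segments so a path cannot dodge a rule by traversal."""
    args = dict(action.get("args", {}))
    if "path" in args:
        args["path"] = os.path.normpath(args["path"])
    return {"tool": action["tool"], "args": args}

def evaluate(policy, action):
    """Return (verdict, rule) for the first rule whose tool and argument globs all match."""
    for rule in policy["rules"]:
        if not fnmatch.fnmatchcase(action["tool"], rule["tool"]):
            continue
        if all(fnmatch.fnmatchcase(str(action["args"].get(k, "")), pat)
               for k, pat in rule.items() if k not in ("tool", "decision")):
            return rule["decision"], rule
    return policy["default"], None

class Interceptor:
    """Sits between the agent and the host: every action is evaluated and logged, then run or refused."""
    def __init__(self, policy, approve, execute):
        self.policy, self.approve, self.execute = policy, approve, execute
        self.trail = []  # append-only execution trail for audit and replay

    def handle(self, action):
        action = normalise(action)
        verdict, rule = evaluate(self.policy, action)
        final = verdict
        if verdict == "ask":  # sensitive or unknown action: a human decides
            final = "allow" if self.approve(action) else "deny"
        result = self.execute(action) if final == "allow" else None
        self.trail.append({"ts": time.time(), "action": action, "policy": verdict,
                           "final": final, "rule": rule, "result": result})
        return final, result
```

Every decision, including the human's answer to an "ask", lands in `trail`, so the record can be replayed to see exactly which rule fired and what the host executed.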
The researchers evaluated AgentWall across 14 benchmark tests, reporting 92.9% policy enforcement accuracy with sub-millisecond latency overhead. This performance metric indicates the system can enforce safety constraints without perceptible degradation in agent responsiveness. The threat model addressed in the paper acknowledges both unintended agent misbehavior and adversarial manipulation of agent prompts, positioning runtime enforcement as a practical safeguard for developers running agents against their own filesystems and credentials.