Arcjet Introduces Guards, Bringing Application Security Inside AI Agent Workflows

New capability extends Arcjet's runtime security model into agent workflows, enforcing policy inside tool calls, queues, and long-running pipelines

SAN FRANCISCO, April 30, 2026 /PRNewswire/ -- Arcjet today announced Guards, a new way to enforce security inside AI agent workflows, queue consumers, and other application code that doesn't run behind an HTTP request. As more application logic moves into long-running agentic systems, the security tools built around the request boundary - proxies, web application firewalls, HTTP middleware - can no longer see where untrusted input arrives. Guards extends Arcjet's runtime protection into those code paths.

Modern AI systems don't run through a single request anymore. Agents call tools, pull in external data, and pass state across long-running workflows. Most of that execution never touches an HTTP boundary, which means traditional security controls never see it.

Developers apply rules directly where untrusted input enters the application, whether that input comes from a tool call, a queue message, or a workflow step.

This puts enforcement where the application's real context lives - identity, session state, prior tool outputs, business logic - rather than at a network boundary that can't see any of it.

"Security has to live where the code lives. For agentic systems, that means inside the tool calls and workflow steps where untrusted input actually arrives, not at a perimeter that no longer exists," said David Mytton, CEO at Arcjet. "Guards give developers a way to enforce policy inside the code paths agents use every day - the same place the threat model now lives."

What developers can do with Guards

Guards integrate directly into Arcjet's application-layer security model. Developers define rules in the same codebase as the feature itself, so protection ships with the code and gets reviewed in the same pull request. There is no separate system to manage.

With Guards, teams can:

• Detect prompt injection in tool results before they re-enter model context
• Block PII in tool inputs and queue messages before they reach third-party models
• Enforce per-user token budgets and spend limits inside agent loops
• Validate untrusted input in workflow steps, background jobs, and other non-HTTP code paths

Guards work alongside existing capabilities such as Arcjet Shield for public endpoints, sensitive data detection before model context is built, and bot detection for high-cost AI routes. Together, these protections cover both the boundary and the execution layer inside the application.

Guards is available today through the Arcjet JS and Python SDKs. Existing customers can enable it immediately; new developers can get started with a free trial.

About Arcjet

Arcjet builds runtime security for the way modern applications are actually built - embedded directly in code, enforced wherever untrusted input arrives, and designed for both traditional web endpoints and the agentic systems that increasingly run alongside them. Founded in 2023 by David Mytton, Arcjet is already deployed in 500+ production apps and backed by Plural, Ott Kaukver, Andreessen Horowitz, Seedcamp, and 20+ leading devtools and security angels. https://arcjet.com/

SOURCE Arcjet