S / 03 · YNDR Framework · Gate 03 · Security

Security before governance.
The lock before the receipt.

Runtime defenses for the systems your business now runs on. Security is runtime architecture, not a deck slide. We ship it on gate 03 of every operational agent, and we audit it as a standalone engagement for teams that already deployed and need an honest look.

What we defend against

Six runtime threats.
Named. Mitigated.

The threat surface for AI agents is not the OWASP top ten. These are the patterns we find in production audits and design against from week one on new builds. Each row is a threat, an italic one-liner, and the mitigation we ship.

T / 01

Prompt injection

Untrusted text inside the model's context becomes a command.

Any string the agent reads, whether from a webpage, a PDF, a calendar invite, or a customer email, can hijack its instructions. Mitigation is layered: input partitioning so untrusted content is never confused for system instruction, output validation against an allowlist of permitted actions, and an eval set that includes the injection patterns we already know about so regressions are caught before they ship.

T / 02

The lethal trifecta

Private data plus untrusted content plus outbound network equals exfiltration.

An agent that can read your CRM, accept a customer email, and call an external API is one prompt injection away from leaking everything. The architectural fix is to split the trifecta across two agents passing a typed contract, with an allowlist of outbound destinations and sandboxed execution. We design the split before the agent ships, not after the incident.

T / 03

RAG access controls

The retrieval layer is your new authorization boundary.

Most RAG implementations index everything the agent can technically reach, then trust the model to respect row-level rules at answer time. That fails. We enforce access at the index, scope retrieval queries to the requesting user's permissions, and add per-document classification so the agent cannot surface what the user is not entitled to see, no matter how the question is phrased.

T / 04

Shadow-AI detection

Your team is already using AI. You just don't know which AI, or with what data.

Shadow AI is the modern shadow IT, and it is the most common data-leak vector in mid-market organizations. Detection combines network telemetry, browser-extension visibility, and a sanctioned-tool policy mapped to the workflows your team actually has. The goal is not prohibition. The goal is observability and a safe default that gets used.

T / 05

Agent action sandboxing

An agent should never have a tool it does not need for the workflow it owns.

Least privilege at the tool layer. Every operational agent ships with an explicit tool inventory, scoped credentials per environment, and human-in-the-loop gates on the actions that move money, send external messages, or modify production data. Reversibility is designed in. Kill switches are tested, not theoretical.

T / 06

API-key hygiene

The credential the agent uses is the credential the attacker steals.

Per-agent keys, short rotation windows, scoped to the minimum permission set, never echoed in logs, never embedded in code. We pipe secrets through the provider's vault, set them across every environment, and verify the path the agent uses to read them. The unglamorous work most teams skip until the postmortem.

The canonical concept

The lethal trifecta.
Don't put all three in one agent.

The most dangerous architectural pattern in agentic AI is also the most common one. An agent that can do all three of these at once is a data exfiltration vector waiting for its first prompt injection.

01

Private data

Customer records, internal docs, anything the user is permitted to see but the public is not.

02

Untrusted content

Inbound email, web pages, PDFs, calendar invites, anything the agent reads that an outsider can author.

03

Outbound network

The ability to make external requests, send messages, post to URLs, or call third-party APIs.

The fix is architectural. Split the trifecta across two or more agents that pass each other a typed JSON contract. The agent that reads untrusted content does not get a network egress tool. The agent with network egress does not read raw user input. The boundary between them is an allowlist, not a hope.

We design the split during the build, not after the incident. Where the agent already shipped without one, the audit re-architects it.

How we work

Audit. Then implementation.

Two doors into the same room. Either you have agents in production and want an independent runtime audit, or you are building new and want gate 03 baked in from week one. The work is the same. Only the order changes.

Track 01 · The audit

Runtime audit of agents you already shipped.

We walk the agent's full surface. Tool inventory, credential scope, retrieval boundaries, network egress, prompt injection vectors, lethal-trifecta exposure, shadow-AI inside the team. We deliver a prioritized findings document, the eval set we used, and the specific architectural changes that close each finding.

Track 02 · The implementation

Security shipped with the agent, not bolted on later.

Every operational agent YNDR builds passes through gate 03 before cutover. Trifecta split. RAG access enforced at the index. Per-agent credentials with short rotation windows. Tool inventory committed alongside the agent's handbook. The same hands that built the agent designed the defenses.

The contrarian framing

Governance without security is theater.

The industry has the order wrong. Most teams write the AI policy, map to NIST or ISO, buy a governance tool, then start thinking about runtime threats. That is the audit trail in front of the lock.

If the agent can be hijacked at runtime, governance just documents the breach in nicely formatted JSON. The framework matters. The audit trail matters. They matter after the lock is on the door.

Gate 03 ships before gate 04. Always. The lock comes before the receipt.

This is the YNDR Framework's order of operations and the reason our agents do not stall in security review. The defenses were architectural, not policy. The policy describes what is already enforced.

Engagement

Book a security review.

30 minutes. Bring the agents you have shipped or the one you are about to. We will name the lethal-trifecta exposure, the injection vectors, and whether an audit or a rebuild is the right call. No deck.

YNDR Framework · Gate 03 of 04 · Strategy · Build · Security · Governance