---
title: "AI Agent Execution Firewall"
canonical: "https://helm.docs.mindburn.org/helm-ai-kernel/use-cases/ai-agent-security"
source: "helm-ai-kernel/docs/use-cases/ai-agent-security.md"
edit: "https://github.com/Mindburn-Labs/helm-ai-kernel/edit/main/docs/use-cases/ai-agent-security.md"
section: "use-cases"
access: "public"
sensitivity: "public"
last_reviewed: "2026-06-11"
checksum_sha256: "sha256:b7ed00c85024161bbf06f63410f88649ddf1f29f72545dee49becea60149dea0"
build_timestamp: "2026-06-10T22:15:26.620Z"
---
# AI Agent Execution Firewall

Prompt injection, poisoned context, and compromised tools all end the same way: an agent attempting an action it should never run. An execution firewall assumes the model can be manipulated and enforces the boundary at the only reliable place, the moment a side effect is about to leave the process.

HELM AI Kernel interposes between the agent and real systems. Every consequential proposal is checked against policy, identity, and egress rules in a fail-closed pipeline: anything unknown or unapproved is denied by default, and high-risk actions escalate to a human. Network egress is allowlist-only; an empty allowlist means deny-all.

The result of every decision is a signed receipt you can verify offline. If an attack made it through, the receipt chain shows exactly what ran, under which policy, and why.
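The pipeline the two paragraphs above describe, as an added Go example that is not HELM's code: a fail-closed `Decide` over a deny-by-default policy (unknown identity or tool is denied, egress is checked against an allowlist where nil or empty means deny-all, high-risk tools escalate to a human), and a firewall that records every decision as an Ed25519-signed receipt chained by SHA-256 to the previous one, with a verifier that needs only the public key and the receipts. The `Proposal`, `Policy` and `Receipt` shapes, the field names, the tool names and the hosts are assumptions made for this illustration, not HELM's formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Proposal is one side effect the agent wants to run (shape assumed here): who it acts as, which tool, and the network host if any.
type Proposal struct{ Caller, Tool, Host string }

// Policy is a deny-by-default rule set (illustrative; not HELM's policy format).
type Policy struct {
	ID       string
	Callers  map[string]bool // identities allowed to propose anything at all
	Tools    map[string]bool // tools that may run
	HighRisk map[string]bool // tools that always need a human
	Egress   map[string]bool // allowlisted hosts; nil or empty means deny-all
}

const Allow, Deny, Escalate = "allow", "deny", "escalate"

// Decide is fail-closed: allow only when every check passes explicitly.
func (p Policy) Decide(pr Proposal) (verdict, reason string) {
	switch {
	case !p.Callers[pr.Caller]:
		return Deny, "unknown caller identity"
	case !p.Tools[pr.Tool]:
		return Deny, "tool not in policy"
	case pr.Host != "" && !p.Egress[pr.Host]: // an empty allowlist denies every host
		return Deny, "egress host not allowlisted"
	case p.HighRisk[pr.Tool]:
		return Escalate, "high-risk tool requires human approval"
	}
	return Allow, "all checks passed"
}

// Receipt records one decision; Prev is the hex SHA-256 of the previous signed body ("" for the first).
type Receipt struct {
	Seq             int
	Prev, PolicyID  string
	Proposal        Proposal
	Verdict, Reason string
}

type Signed struct{ Body, Sig []byte } // receipt body plus the firewall's Ed25519 signature over it
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Firewall interposes between the agent and real systems: decide, sign, chain.
type Firewall struct {
	Policy Policy
	Key    ed25519.PrivateKey
	Chain  []Signed
	last   string // digest of the most recent receipt body
}

// Gate decides a proposal and appends a signed, chained receipt whatever the verdict.
func (f *Firewall) Gate(pr Proposal) string {
	v, why := f.Policy.Decide(pr)
	r := Receipt{Seq: len(f.Chain), Prev: f.last, PolicyID: f.Policy.ID, Proposal: pr, Verdict: v, Reason: why}
	body, _ := json.Marshal(r) // cannot fail for these plain int/string fields
	f.Chain = append(f.Chain, Signed{Body: body, Sig: ed25519.Sign(f.Key, body)})
	f.last = digest(body)
	return v
}

// VerifyChain needs only the public key and the receipts: no network, no kernel.
func VerifyChain(pub ed25519.PublicKey, chain []Signed) ([]Receipt, error) {
	var out []Receipt
	prev := ""
	for i, s := range chain {
		var r Receipt
		if !ed25519.Verify(pub, s.Body, s.Sig) {
			return nil, fmt.Errorf("receipt %d: bad signature", i)
		}
		if err := json.Unmarshal(s.Body, &r); err != nil || r.Seq != i || r.Prev != prev {
			return nil, fmt.Errorf("receipt %d: chain broken", i)
		}
		prev, out = digest(s.Body), append(out, r)
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	fw := &Firewall{Key: priv, Policy: Policy{ID: "agent-policy-v1", Callers: map[string]bool{"agent:research-bot": true},
		Tools: map[string]bool{"http_get": true, "shell_exec": true}, HighRisk: map[string]bool{"shell_exec": true},
		Egress: map[string]bool{"api.example.com": true}}}
	// Constructed proposals: a benign fetch, an injected exfiltration attempt, a high-risk shell call.
	for _, pr := range []Proposal{{"agent:research-bot", "http_get", "api.example.com"},
		{"agent:research-bot", "http_get", "attacker.example.net"}, {"agent:research-bot", "shell_exec", ""}} {
		fmt.Printf("%-10s %-22s -> %s\n", pr.Tool, pr.Host, fw.Gate(pr))
	}
	rs, err := VerifyChain(pub, fw.Chain)
	fmt.Println("verified receipts:", len(rs), "err:", err)
}
```

A receipt is written for denials and escalations as well as allows, so the chain records the blocked attempt and the reason, not only what ran. Reordering or dropping a receipt is caught by the `Seq` and `Prev` checks rather than by the signature alone, and the verifier holds no private key, so it can run on a machine that never talks to the kernel.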

## Security Boundary

```mermaid
flowchart LR
    Prompt["Agent prompt"] --> Proposal["Tool proposal"]
    Proposal --> Kernel["HELM execution firewall"]
    Kernel --> Decision["Fail-closed decision"]
    Decision --> Receipt["Receipt"]
    Receipt --> Verify["Offline verify"]
```

```bash
git clone https://github.com/Mindburn-Labs/helm-ai-kernel.git
cd helm-ai-kernel
make build
bash scripts/launch/demo-proof.sh
```

## Source Truth

- [Quickstart](/helm-ai-kernel/quickstart)
- [Execution security model](/helm-ai-kernel/execution-security-model)
- [MCP integration](/helm-ai-kernel/integrations/mcp)
- [Verification](/helm-ai-kernel/verification)
