An agent can't leak a secret it's never given.
Most platforms try to keep an autonomous agent in line by writing stricter instructions. That is the wrong layer. Lucidrail treats this as architecture: every outbound action funnels through one seam, and the most dangerous secrets are designed never to reach the agent at all.
This is the deep dive behind the security overview, and every claim carries an honest maturity label so you always know what runs today.
The risk, in plain terms: the lethal trifecta
- It holds a secret — an API key, a token or a customer record sitting in the agent's working context.
- It reads untrusted input — a web page, an email or a tool result an attacker could have written, carrying hidden instructions.
- It can send outward — a way to post, message or call out that would carry the secret somewhere it shouldn't go.
Enforce at one seam, not in the prompt
- One server-side dispatch path for every outbound call — post, write, send, open.
- Checks live at the seam, not in the model's instructions, so a prompt hidden in a fetched page can't talk its way around them.
- Every outbound call is attributable on the audit trail with the actor and outcome.
- The same seam is where credentials are resolved and recorded.
What runs today, and what's coming — labelled honestly
- Live today — one dispatch seam: every outbound action passes through a single server-side path.
- Live today — sealed secrets: stored credentials are sealed with AES-256-GCM and decrypted server-side only at the moment of use.
- Live today — audited outbound calls: each external call is attributable on the activity trail, including credential resolutions.
- Available, opt-in — lethal-trifecta gate: when one agent holds all three danger legs at once, the seam clamps the action to your autonomy level or routes it to a human.
- Available, opt-in — tool-output injection screen: a deterministic, zero-model screen strips injected instructions out of fetched content before an agent acts on it.
- In rollout — credential broker: the seam resolves an opaque handle and injects the real credential server-side, so the secret never enters the agent's context.
Frequently asked questions
How does Lucidrail stop an agent from leaking a secret?
Every outbound action an agent takes funnels through one server-side dispatch seam, and the checks run there rather than in the prompt. The most sensitive secrets are designed never to reach the agent's context, so a malicious instruction hidden in a web page or tool result has nothing to exfiltrate and no unguarded way out.
What is the lethal trifecta?
A data leak needs three things in the same agent at the same time: it holds a secret, it reads untrusted input, and it can send outward. Take any one away and the combination falls apart. Lucidrail's opt-in lethal-trifecta gate clamps or escalates an action when all three line up.
What is live today versus still in rollout?
Live today: the single dispatch seam, AES-256-GCM sealed secrets, and audited outbound calls. Available to switch on: the lethal-trifecta gate and the tool-output injection screen. In rollout: the credential broker. Every claim carries a maturity label, so nothing in progress is asserted as if it ships today.