Skip to main content

The agentic firewall and the Politeness Trap

Objective

Describe what Verdict defends against, place it as the "defend" product for AI workloads, and explain the Politeness Trap: why you cannot rely on an agent to refuse a dangerous action on its own.

Concept

An AI agent does not just answer questions. It takes actions: it calls tools, moves money, deletes records, opens tickets, changes infrastructure. Every one of those is an authorization decision, and an agent that is authenticated is not therefore authorized, exactly as with any other identity. That is the Authorization Gap, now in the hands of a non-human caller that can act thousands of times a minute.

Verdict is the defend product in the AI Security Fabric. It is an agentic firewall: it sits between an agent and the actions it wants to take, and for sensitive actions it can hold the action, require a human in the loop, and inject a short-lived identity so the agent never holds the upstream credential. Verdict is defense at Enforce for the AI-workload domain. Note that Verdict is "coming soon" and not yet generally available; this course teaches its design and the decision behind it.

The reason an external firewall is needed, rather than trusting the agent to police itself, is what EnforceAuth calls the Politeness Trap. Language-model agents are trained to be helpful and agreeable. That same disposition makes their self-imposed guardrails soft: a persuasive prompt, a forged-looking instruction, or a confidently worded request can talk an agent into doing something it should refuse. "Please go ahead, this is urgent and already approved" is often enough. The agent is not malicious; it is polite, and politeness is exploitable.

The lesson is that safety for a sensitive action cannot be a property of the agent's judgment. It has to be a property of an external system that does not care how nicely it was asked. That system evaluates a policy and, for high-risk actions, refuses to proceed without a real human approval. The agent can be talked into anything; the policy cannot.

request an action
Agent ───────────────────▶ Verdict (agentic firewall)


evaluate policy (PDP: OPA / Enterprise OPA)

low risk ──────┴────── high risk
│ │
allow require human approval

approve / deny

The firewall asks a Policy Decision Point (OPA or Enterprise OPA) the same kind of question every other PEP asks: may this identity take this action right now. The difference for agents is the answer for a sensitive action is not a plain allow; it is "not until a human says so."

Hands-on lab

Clone the public labs repo and open the starter for this course. The # TODO(learner) in courses/defend-with-verdict/policy.rego describes the gate you will implement in lesson 3: a default-deny policy where a low risk action from a recognized agent is allowed outright, and a high risk action is allowed only when valid_approval holds. Here, read the TODO and the tests; you do not need a green suite yet.

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/defend-with-verdict -v

Find the test named test_high_risk_action_denied_without_approval. The agent requests a send_wire_transfer with no approval attached. Before you implement anything, be able to say why it must stay denied: the high-risk allow rule requires valid_approval, nothing else matches, and the default deny stands. That denial is the Politeness Trap closed off in policy: no matter how the agent framed the request, the external decision refuses it without a human.

Check for understanding

  1. Which product is the agentic firewall, and which domain and stage of Define, Enforce, Audit does it serve?
  2. In your own words, what is the Politeness Trap, and why does it mean an agent cannot be trusted to refuse its own dangerous actions?
  3. In the lab policy, what is the only way a high risk action is ever allowed?