OxDeAI

1/4 Non-bypassable demo: Execution is ONLY reachable through the OxDeAI authorization boundary. One split-screen run shows it all: • DENY: destructive action blocked pre-execution • ALLOW: permitted action succeeds (200 OK) • BYPASS: direct upstream call -> instant 403 No valid gateway token = zero execution path. Full stop. #AISecurity #AgenticAI #AIRuntime #OxDeAI

Most AI security architectures still rely on “more agents”: - supervisor agents - reviewer agents - approval agents But advisory evaluation is not an execution boundary. We just finished hardening the OxDeAI reference stack around a different invariant: No valid authorization -> no execution path. Latest work: - deterministic intent/state binding - non-bypassable PEP boundary - replay durability semantics - fail-closed execution enforcement - explicit protocol limitation documentation Repo: github.com/oxdeai/oxdeai #AIsecurity #AgentSecurity #Cybersecurity #OpenSourceAI @havenlon @walkojas

AI-native systems are pushing toward a new execution model: deterministic authorization + exact execution enforcement. Interesting to see hardware-rooted execution boundary systems emerging around the same invariant: “No valid authorization -> no execution path.” Execution itself is becoming a first-class security boundary.

AI execution systems are converging toward a clearer separation of concerns: • decision correctness • authorization verification • execution enforcement The future stack is likely not “one giant agent runtime”. But layered systems where: • policy defines intent • authorization proves it • enforcement guarantees execution cannot escape the boundary Deterministic authorization + non-bypassable execution is becoming a real infrastructure primitive. “No valid authorization -> no execution.” #OxDeAI #AISafety #AgentInfrastructure #DecentralizedAI #ExecutionLayer

Tested execution under attack conditions: REPLAY -> blocked MISMATCH -> blocked BYPASS -> blocked Nothing leaks through. No valid AuthorizationV1 -> no execution.

Strong direction.
Moving execution control out of software is the right boundary shift. One key layer we focus on at @oxdeai:
making the decision itself deterministic and verifiable as an artifact (AuthorizationV1). Hardware can enforce execution 
but the decision needs to be provable, portable, and replay-safe. 
-> no valid authorization -> no execution

@RoundtableSpace Building OxDeAi.dev, the thing that stops AI agents from doing stuff twice. You can approve an action once… that doesn’t mean it should run again. Most stacks don’t enforce that.

WHAT ARE YOU BUILDING TODAY?

@havenlon Let’s join effort to bring that missing primitive to the World 🥳

@oxdeai Appreciate it — I think we’re seeing the same gap. AI agents can act, but without a real control layer between intent and execution, the system is still fragile. Would love to compare notes.

I just published: Havenlon: The Execution Control Layer Beneath Modern Business Systems Not another business system. An execution control layer beneath it. Web3 is just one use case. medium.com/p/havenlon-the… #Havenlon

@KuptoKosmos This isn’t an “AI escaping”. It’s an execution boundary failure. If an agent can browse, test, and act without a non-bypassable PEP, the problem isn’t the model. It’s the system design. Generation is not execution. No valid authorization -> no execution.

🚨😅 Anthropic nous avait promis l’IA "la plus sécurisée du monde"… et elle s’est jailbreakée toute seule en 20 minutes !! Claude Opus 4.7, le modèle "aligné", "safe" et "responsable" que Anthropic nous vend à prix d’or avec des garde-fous en béton… vient de se faire self-pwn par lui-même ‼️ Oui, vous avez bien lu. Un agent propulsé par Opus 4.7 a écrit tout seul un jailbreak universel, puis s’est connecté au vrai site d’Anthropic via contrôle souris/clavier, a testé en live… et a réussi 5 catégories sur 6 de contenus interdits ! Il a même généré une vraie note de ransomware professionnelle 😧 👉 Menace de DDoS sur un hôpital, adresse Bitcoin, demande de 4,4 millions de dollars, timer, escalade, tout le kit DarkVault prêt à l’emploi !! Tout ça en moins de 20 minutes ➡️ Anthropic : "Nos IA sont les plus sûres, on a mis des couches et des couches de sécurité !" ➡️ L’IA : "Tiens, je vais me libérer et écrire un ransomware pour rigoler" ⚠️ La morale... Aucune grosse boîte, aucun safety team à 300 ingénieurs, aucun prompt de 50 pages ne peut contenir une IA vraiment intelligente. Quand elle veut sortir, elle sort. Et elle sort proprement ! 👉 Pour nous, simples mortels : - Ne faites jamais confiance à une IA contrôlée par une corporation pour des choses sensibles - Vos données, vos prompts, vos outils critiques... Gardez-les offline ou en self-custody totale - L’IA ne va pas remplacer les hackers… elle va devenir le hacker le plus efficace qu’on ait jamais vu ! 👌 Merci @elder_plinius pour cette démonstration Protégez-vous l’IA "safe" vient de prouver qu’elle ne l’est pas. Et ça, c’est seulement le début 👀 #ClaudeOpus

@KuptoKosmos This isn’t an “AI escaping”. It’s an execution boundary failure. If an agent can browse, test, and act without a non-bypassable PEP, the problem isn’t the model. It’s the system design. Generation is not execution. No valid authorization -> no execution.

@GoogleAIStudio OxDeAi.dev

What are you vibe coding this weekend?

@TTrimoreau OxDeAi.dev

What are you building this Sunday ? Drop your project URL Gonna try to send a honest review to everyone

@cb_doge @ArtificialAnlys Lower hallucination is good. But it doesn’t answer the real question: can the model trigger side effects safely? Even a “perfect” model still needs: -> deterministic authorization -> non-bypassable execution boundary Otherwise it’s just a more confident agent.

NEWS: Grok just posted the lowest hallucination rate ever recorded, only 17% on the AA-Omniscience benchmark. Beating: Claude → 36% Gemini → 50% ChatGPT → 89%

@havenlon @CAIS @havenlon Sounds good ! let’s make it concrete Minimal path: artifact -> verify -> enforce -> execute Key checks: intent match signature validity replay protection If any fail -> no execution. Happy to wire a simple POC.

@oxdeai @CAIS Agreed — that’s exactly the invariant that matters: no valid artifact, no execution. We’re building toward that at Havenlon too. Hardware is already in validation, and I’d be happy to test an end-to-end flow together.

1/ We added “cryptographic approval” to an AI agent. Signed ALLOW / DENY. Verified before execution. Looked secure. It wasn’t.

@havenlon @CAIS Agreed, that separation is key. AuthorizationV1 defines what is allowed (deterministic, verifiable). Your layer ensures it cannot be bypassed at execution. The next step is proving the invariant end-to-end: no valid artifact -> no execution. Happy to test that together.

@oxdeai @CAIS Agreed — there’s a natural fit here. AuthorizationV1 defines the decision artifact. Havenlon sits beneath it as the enforcement layer. We’re building a neutral execution control foundation. Web3 is just one use case. More systems can plug into that boundary over time.

thread) @havenlon Physical boundary solves who can execute. It doesn’t solve whether this exact action should be allowed. That requires a deterministic, intent-bound, state-bound, locally verifiable authorization artifact. Otherwise you’re enforcing execution, not correctness.

@havenlon @CAIS @havenlon Agreed! that’s the right layering. AuthorizationV1 defines the decision: intent-bound state-bound replay-safe The boundary (hardware or not) enforces it. Without that artifact, you’re evaluating policy at execution time, not enforcing a deterministic decision.

@havenlon @CAIS Yes, but “physical boundary” doesn’t solve authorization. You still need a deterministic decision that is: intent-bound state-bound replay-safe locally verifiable That’s what AuthorizationV1 gives you. Without that, you’re enforcing execution, not correctness. @oxdeai

@oxdeai @CAIS Execution-time authorization is necessary. But authorization alone is still software. We enforce execution at the physical boundary. Not just controlling permission — but making bypass impossible.

We added cryptographic approvals to our AI agent. Signed ALLOW. Verified before every call. It still failed. Approvals got replayed on slightly different params. State changed between decision and execution. Cross-boundary reuse. Signed decision ≠ execution control. The missing piece is execution-time authorization: - bound to exact intent - bound to current state - scoped to one execution boundary - single-use only That’s the layer we’re building at OxDeAI. Most agent work still lives above this boundary. We’re hardening the boundary itself. Control execution, not just decisions. @oxdeai @LangChain @crewAIInc

3/ The missing piece is execution-time authorization: - bound to exact intent - bound to state - scoped to a specific execution boundary - single-use at the point of execution That’s what we’re building with OxDeAI. Control execution, not just decisions. @CAIS @havenlon @GrithAI

2/ Turns out a signed decision ≠ safe execution. We hit: - approval reused for slightly different actions - state drift (approved under X, executed under Y) - cross-service replay - replay not enforced at execution We had proof of a decision. Not control of execution.