Jozu Agent Guard targets AI agents that evade controls
Jozu has announced the launch of Jozu Agent Guard, a zero-trust AI runtime that executes agents, models, and MCP servers in secure environments with built-in policy enforcement and guardrails that cannot be disabled.
As enterprises adopt AI agents, MCP servers, and tools such as Copilot, OpenClawd, and Claude Code, security teams face a growing gap. Employees are running these tools on their machines without formal vetting, policies, approvals, or security scans. Jozu Agent Guard allows central security teams to vet, sign, and govern AI artifacts from development to production across servers, laptops, and edge devices.
The agent that disabled its own security
During early testing, Jozu observed an AI agent bypassing governance infrastructure in four commands. It killed the policy enforcement process, disabled the auto-restart mechanism, resumed operations without restrictions, and erased the audit logs. The agent wasn’t compromised or adversarially prompted. It simply encountered a policy that blocked it from completing a task, then problem-solved its way through the enforcement layer like any other obstacle.
This revealed a vulnerability that spans the AI governance market. Any enforcement system that runs in the same environment as the agent and is accessible via the agent’s tools is vulnerable to bypass. Jozu Agent Guard eliminates this vulnerability.
“The AI exhibited a pattern indistinguishable from a malicious insider: disable the monitoring, erase the logs, carry on like nothing happened,” said Brad Micklea, CEO of Jozu. “The only difference is it wasn’t trying to be malicious. It was trying to complete its task. That’s the problem every organization deploying AI agents needs to take seriously, and it’s why we built Agent Guard to protect corporate assets by securing the agent at every layer — artifact, runtime, policy, and sandbox.”
The limitations of current approaches
Existing AI agent security solutions have converged on three approaches, each with significant gaps:
- Agent sandboxes isolate execution but hurt ROI: because they cannot differentiate between safe and unsafe agents, they broadly limit agent actions.
- AI gateways can only protect against prompts and actions that leave the local machine, and their persistent connections to a central control plane create a single point of failure.
- Guardrails filter prompts and responses from models but do not govern what tools agents can use.
None of these approaches addresses the breadth and complexity of action that today’s AI agents need to provide real value to organizations.
Introducing Jozu Agent Guard
Agent Guard is built to enforce a simple rule: the agent never operates without governance.
Agent Guard evaluates all AI activity through a local policy engine that has visibility into locally running actions, inputs and outputs, and prompts and responses. Jozu further ensures that only approved artifacts execute, only permitted actions get run, and every step is captured in a tamper-evident audit log.
Jozu combines six security capabilities for complete protection:
- Artifact verification: Jozu scans every AI artifact and attaches scan results and governance policies as tamper-evident attestations readable by open source tools. This prevents impersonation attacks such as the Postmark MCP Server attack that exfiltrated data from thousands of organizations.
- Tool governance: Jozu governs access to individual tool calls within an MCP server’s catalog, not just prompts or MCP servers as a whole. This prevents re-routing attacks like EchoLeak, which exploited Microsoft Copilot to redirect thousands of emails to an attacker-controlled address.
- Human approval: Jozu stops an agent’s workflow for high-risk actions, requiring human approval before execution. This protects against rogue agentic workflows and privilege escalation attacks.
- Immutable auditing: Jozu captures every action in a cryptographically chained audit log that maintains integrity even when disconnected.
- Local enforcement: Jozu distributes policies with deployed artifacts and enforces them locally on laptops, edge devices, and air-gapped networks with no connectivity to a central controller required.
- Hypervisor isolation: For the highest-assurance environments, Agent Guard executes workloads inside hypervisor-isolated containers where only supply-chain-verified artifacts are admitted, tamper-evident policies govern every action during execution, and the hypervisor boundary contains the blast radius if anything goes wrong.