Every Guardrails & Safety comparison and buyer's guide for building AI agents — 19 pieces and counting. Each is a head-to-head or a “best X for Y” roundup with a sources-backed verdict.
Most prompt-injection defenses scan what goes in and what comes out. Meta's open-source LlamaFirewall adds the one check a classifier structurally can't do — it audits the agent's own chain-of-thought for the moment its goal quietly changes.
A shared rubric for scoring how dangerous a jailbreak is arrived the same week a frontier model came back from an export-control ban. The rubric's real job isn't safety — it's giving governments and labs the same units to argue in.
Exabeam open-sourced Praxen, a tool that reads your agent's whole implementation and compares it to a written charter of what it's allowed to do. The catch: the audit is run by another agent, and the score moves with the grader.
Microsoft's AutoJack shows how a single web page can RCE the host running an AI agent — not by forging an origin, but because the agent's own browser is localhost.
Three critical 2026 CVEs — in ModelScope's MS-Agent, Microsoft's Semantic Kernel, and Cursor — share one root cause. The agent filtered the command it was about to run. It never controlled the ground that command would run on.
The summary your long-running agent writes to stay under its token budget is lossy in one direction: it keeps the rules that fire and drops the rules that forbid. New research puts a number on how fast safety erodes.
They get used as synonyms, and that confusion is why teams 'add a guardrail' and stay wide open. A jailbreak attacks the model's policy; prompt injection attacks your application's trust boundary.
The Digital Omnibus pushed the high-risk rules to 2027 — and most builders read that as a reprieve. But the deadline that actually catches a typical agent never moved at all.
Microsoft, Okta, and AWS all shipped the same first move against unmanaged agents — an inventory. It's the shadow-IT playbook again, except this time the thing you can't see replicates itself.
MCP standardized how agents connect and A2A standardized how they talk. The Agent Control Specification standardizes the part that decides whether you can deploy — what an agent is allowed to do — and its smartest move is what it refuses to standardize.
A classifier that blocks 98% of injections sounds like a fix. Against an attacker who can retry, a nonzero bypass rate isn't a wall — it's a toll. The defenses with real guarantees don't detect the bad instruction at all; they cap what any instruction is allowed to cause.
Five AI-infra CVEs this spring were weaponized straight from the advisory text — no PoC, no patch window — because the serving layer ships a shell by default.
Every shipping agent data breach has the same three ingredients. Once you see them, the fix stops being "make the model harder to fool" and becomes "remove one leg."
For a normal service the threat is a static key leaked to a repo. For an agent the sharper threat is the agent itself being talked into reading its own environment and handing the key to an attacker.
The list reads like a model-safety checklist. Read it again: most of the ten are not the model misbehaving — they're your architecture trusting the model too much. Agents make exactly those entries worse.
Three open-source tools promise to catch prompt injection before it reaches your agent. Their GitHub status pages tell you more about whether detection works than any benchmark does.
Three ways to scrub names, card numbers, and patient IDs out of a prompt before it reaches a model provider. The hard part isn't detection — it's whether you can ever put the data back.
You cannot patch prompt injection out of a model. The defenses that actually hold treat it as an architecture problem — and start by taking away what a hijacked agent could do.
They get filed together as "LLM guardrails," but they guard three different things — format, flow, and content. Picking by stars gets you a tool that protects the wrong layer.