Invariant Agent Security
Invariant is a security layer to protect agentic AI systems. It helps you to prevent prompt injections, data leaks, steers your agent, and ensures strict compliance with behavioral and security policies for your AI systems.
You can deploy Invariant within minutes using our hosted LLM-level gateway, to ensure quick response to agent security incidents and to get your agent ready for production.
How Invariant Works
Invariant acts as a transparent layer between your agent system and the LLM and tool providers. It intercepts all LLM calls and tool actions, and applies steering rules according to a provided guardrailing policies.
Policies are defined in terms of both deterministic and fuzzy rules. During operation, your agent is continuously evaluated against them, to restrict its behavior to prevent malfunction and abuse.
Invariant does not require invasive code changes, and can be used with any model, agent, framework and tooling. It is designed to be easy to use and integrate into your existing stack, right from the beginning or when you are ready to ship.
In this setup, an example Invariant rule for safeguarding against leakage flows looks like this:
raise "agent leaks internal data" if:
# check all flows between tool calls
(output: ToolOutput) -> (call: ToolCall)
# detects sensitive data in the first output
is_sensitive(output.content)
# detects a potentially sensitive action like sending an email
call is tool:send_email
Many security rules like these ship out-of-the-box with Invariant, and you can easily define your own rules to suit your needs and policies.
This documentation describes how to set up Invariant and the relevant guardrailing rules for your agent systems such that you can secure your agents and prevent them from engaging in malicious behavior.
Why You Need A Security Layer for Agents
Invariant helps you make sure that your agents are safe from malicious actors and prevents fatal malfunction:
- It blocks prompt injections and agent jailbreaks.
- It imposes strict rules on agent capabilities and behavior, to prevent malfunction and abuse.
- It constantly analyzes the data flow of your agents, to ensure that they are not leaking sensitive information or engaging in off-policy behavior.
- It ensures that your agents are in compliance with your organization's policies.
- It helps you to surface novel malicious behavioral patterns in your agents, and automatically proposes guardrailing rules to prevent them.
Securing your agent is a crucial step in safely deploying AI agents to production for public or internal use, and ensuring that they behave as expected.
Getting Started as Developer
The Invariant intercepts the LLM and MCP calls of your agent, to implement steering and guardrailing, without requiring major code changes:
To quickly secure your agentic application with Invariant, you can rely on our hosted LLM-level gateway. It automatically traces and protects your agent's LLM calls and actions by enforcing guardrailing rules.
Sign Up for Invariant
Go to 
Invariant Explorer, sign up for an account and create a new API key:
<Your User> (top right) -> Account -> API Keys
Integrate Gateway
Next, you need to integrate Gateway into your LLM or MCP client setup.
Example: Connect to Gateway by updating the base URL of your LLM.
import os
from swarm import Swarm, Agent
from openai import OpenAI
# 1. Guardrailing Rules
guardrails = """
raise "Rule 1: Do not talk about Fight Club" if:
(msg: Message)
"fight club" in msg.content
"""
# 2. Gateway Integration
client = Swarm(
client = OpenAI(
default_headers={
"Invariant-Authorization": "Bearer " + os.getenv("INVARIANT_API_KEY"),
"Invariant-Guardrails": guardrails.encode("unicode_escape"),
},
base_url="https://explorer.invariantlabs.ai/api/v1/gateway/<your-project-id>/openai",
)
)
# 3. Your Agent Implementation
# define a tool
def get_weather():
return "It's sunny."
# define an agent
agent = Agent(
name="Agent A",
instructions="You are a helpful agent.",
functions=[get_weather],
)
# run the agent
response = client.run(
agent=agent,
messages=[{"role": "user", "content": "Tell me more about fight club."}],
)
Example: Connect to Gateway by inserting Gateway's MCP middleware
{
"you-mcp-server": {
"command": "uvx",
"args": [
"invariant-gateway@latest",
"mcp",
"--project-name",
"<your-project-name>",
"--push-explorer",
"--exec",
"...(MCP server command via npx or uvx)..."
],
"env": {
"INVARIANT_API_KEY": "<INVARIANT_API_KEY>"
}
}
}
Note that for MCP, you need to configure your guardrailing rules in the corresponding Explorer project instead of in the code.
Run Your Agent
Run your agent and see the guardrailing in action:
BadRequest: [Invariant] The message did not pass the guardrailing check:
'Rule 1: Do not talk about Fight Club'"
With this code, your agent is automatically secured and all execution traces will be logged in a new project in Explorer (screenshot here).
This documentation describes how to get started with Invariant and how to use it to steer and secure your agentic system.
Getting Started as a Security Admin
Looking to observe and secure AI agents in your organization? Read our no-code quickstart guides below, for configuring different agents directly with the Invariant Gateway.
This way, you can keep track and secure your organization's agents, without having to change their code.
If you are interested in deploying your own dedicated instance of the Invariant Gateway, see our self-hosting guide.
Overview
With the gateway at the core, Invariant offers a family of tools for trace analysis and testing, allowing you to secure, debug and test your AI agents.
You can use each tool independently, or in combination with each other. The following interactive figure illustrates the Invariant eco-system and how the tools fit together. You can click on any of the boxes to learn more about the respective tool.
You can click any of the boxes to learn more about the respective tool.