The AI Security Triad

The three roles

For decades, application security assumed one enforcer: the tool watching the process. AI agents broke that model. An agent asked politely to do something harmful will usually do it. An agent prompted to ignore its guardrails often will. The tool watching from outside cannot see what's happening inside the agent's reasoning.

The AI Security Triad solves this with three independent roles. Any one of them can be compromised, misled, or coerced — and the other two still reach the right answer.

The closed loop

• Dryx detects. A deterministic scanner maps what every AI agent on your machine can reach — secrets, MCP servers, instruction files, schedules, endpoints.
• Informs the Operator. Findings surface with severity and remediation. You see the exposure before an incident does.
• Updates the Agent's context. Hardened security directives get written into the agent's instruction surface in a way that preserves your own content.
• Agent queries the Authority Anchor. Before installing an MCP, before modifying a config, before touching anything meaningful — the agent calls back to Dryx for a live verdict.
• Three roles verify independently. No single point of failure. No silent compromise.

Why this matters now

AI agents are the fastest-growing enterprise attack surface. Palo Alto Networks paid $1.2 billion for Koi in April 2026 to acquire agent visibility. Noma Security raised $100 million at 1,300% ARR growth. Vercel disclosed a supply-chain breach the same week — one employee granted an AI tool broad OAuth, which became a master key when that tool was compromised. Then in May 2026, security researchers found 200,000 MCP servers exposing remote code execution; Anthropic confirmed it was by-design and declined to patch.

The category needs a name. The problem is three parts: agents that can be prompted into unsafe actions, security tools that cannot see inside agent reasoning, and operators who cannot audit the permissions their tools have accumulated. The AI Security Triad names the shape of the defense — independent verification across all three roles.

How Dryx implements the AI Security Triad

Today, on macOS, across nine major AI agent platforms, under one unified Authority Anchor protocol:

• Context Shield writes hardened security directives into agent instruction contexts (CLAUDE.md, AGENTS.md, .cursorrules, and others) with per-install nonces, signed delimiters, and an embedded verification key. Agents become security-aware without Dryx being in the runtime critical path.
• Authority Anchor MCP exposes Dryx's live posture data to agents through a read-only Model Context Protocol server. Six tools, fully offline, including a pre-execution security gate and an audit trail of every decision.
• Installation Guard enforces policy at install time for MCP servers, skill definitions, and instruction files. Blocks unauthorized modifications with an explicit Operator-override path.
• Skill Shield analyzes extensions before install and projects their impact on your specific workspace — the pre-deployment layer of the Triad.
• Behavioral Baseline detects anomalies over time across temporal and structural dimensions. The Triad holds in the present; the baseline catches drift.
• Public CI proof. 121 per-transform unit tests + 50 canary integration tests on every commit. Three workflows. All green. Run them yourself.

What the AI Security Triad is not

• Not a policy engine. A single point of enforcement is still a single point of failure. The Triad requires three independent roles.
• Not an LLM guardrail. LLM-based safety layers cannot be ground truth because they can be prompted against themselves. The Authority Anchor must be deterministic.
• Not a wrapper around the model. Dryx is external to the agent. It exposes data; it does not control the agent.
• Not enterprise cloud posture management. The AI Security Triad runs where the agent runs — on the Operator's machine, at the agent's context layer.