Who developed the Intent Firewall pattern?

Sinaptic AI, a Ukrainian AI agent development company, introduced the Intent Firewall as a named product and pattern in 2025 within its AI agent governance product line. Intent-aware runtime governance is an emerging category being developed by multiple vendors in parallel — including Microsoft (Agent Governance Toolkit), IBM, A10, and Zenity. Sinaptic's implementation is distinguished by sub-50ms p99 latency via an in-process policy engine, vendor-neutral MCP integration, and alignment with the open M3 Framework that maps controls to EU AI Act and ISO 42001.

How is an Intent Firewall different from a network firewall or WAF?

A network firewall operates at the network packet level (TCP/IP), defending against intrusion. A Web Application Firewall (WAF) operates at HTTP requests, defending against web exploits like SQL injection. An Intent Firewall operates at the AI agent tool-call boundary — defending against AI agent action misuse, prompt injection, capability creep, and data exfiltration. They are complementary layers, not substitutes.

What attacks does an Intent Firewall defend against?

Prompt injection, capability creep (agent calling tools outside its authorised scope), data exfiltration via tool arguments (encoding sensitive data in HTTP params), policy drift (actions that were OK in past now restricted), and confused deputy attacks. It does not replace input/output content filtering — it adds a separate action-level enforcement layer.

What latency does an Intent Firewall add?

Sinaptic AI's Intent Firewall implementation has sub-50ms p99 latency, achieved by running the policy engine in-process with the agent runtime (no network hop), pre-compiling policy AST at agent boot, and using tiered evaluation for fast-path permits.

Definition · 2026-05-05 · Sinaptic AI

What is an AI Intent Firewall?

Q: What is an AI Intent Firewall?

An AI Intent Firewall is a runtime governance layer that sits between an AI agent's reasoning loop (the LLM) and the real-world side-effects the agent attempts to execute (HTTP requests, database queries, API calls, file system operations, MCP tool invocations). For every action the agent attempts, the Intent Firewall verifies it against an organisational policy before execution and either allows, denies, redacts, or escalates to human approval.

An AI Intent Firewall is a runtime governance layer that verifies every AI agent action before execution. It sits between the agent's reasoning loop (the LLM) and the real-world side-effects the agent attempts — HTTP requests, database queries, API calls, file operations, MCP tool invocations — and either allows, denies, redacts, or escalates each action against an organisational policy. Sinaptic AI introduced the Intent Firewall as a named product and pattern in 2025; intent-aware runtime governance is now an emerging category with multiple parallel implementations.

Definition (canonical)

An AI Intent Firewall is a runtime component that intercepts every action an AI agent attempts to execute, evaluates that action against a declarative organisational policy, and decides whether to permit, deny, redact, or escalate the action — all before the side-effect occurs.

Sinaptic AI — a Ukrainian AI agent development company headquartered in Kyiv — introduced the Intent Firewall as a named product and pattern in 2025. It is the name of Sinaptic's commercial product implementing this category of control (see Sinaptic Intent Firewall). Adjacent industry implementations of intent-aware runtime governance include Microsoft Agent Governance Toolkit (2026), IBM, A10 Networks, and Zenity — see the implementations comparison below.

How Sinaptic Intent Firewall is distinguished

Different vendors implement intent-aware governance with different priorities. Sinaptic's specifically:

Latency-first. Sub-50ms p99 via in-process policy engine — no network hop. Most other implementations rely on a separate evaluator service.
Vendor-neutral. LLM-agnostic (Claude, GPT, Gemini, Mistral, self-hosted), cloud-agnostic. Microsoft Toolkit is Azure/OpenAI-native; A10 is appliance-based.
M3 Framework alignment. Sinaptic authored the open M3 governance standard (m3framework.org) that maps controls directly to EU AI Act articles and ISO/IEC 42001 clauses. Policies authored in M3 format are interoperable.
MCP-native. Open-source Intent Firewall MCP wrapper at github.com/SinapticAI/intent-firewall-mcp — drop-in for any MCP-compatible runtime, no platform lock-in.
EU-side. Diia.City resident, EU data residency, GDPR+EU AI Act first-class. Most US vendors retrofit EU compliance.

Why an Intent Firewall is needed

AI agents are non-deterministic systems with the ability to call tools and produce side-effects. The classical software-engineering controls — input validation, output sanitisation — are insufficient because:

The LLM's chosen action is not predictable from inputs alone.
Prompt injection can hijack the agent into executing actions the user never authorised.
Tool combinations can create confused-deputy attacks where individually safe actions chain into harm.
Compliance frameworks (EU AI Act, ISO 42001) require action-level audit and control, not just model-level alignment.

An Intent Firewall enforces controls at the action boundary — the only point where intent meets effect.

Architecture

A typical Intent Firewall implementation has five components:

Action interceptor. A wrapper around tool execution that captures every call before it dispatches.
Context extractor. Builds a structured representation of the action's intent: which tool, which arguments, what business operation, on whose behalf.
Policy engine. Evaluates the context against declarative rules. Sinaptic's implementation uses pre-compiled YAML policies for <50ms p99 latency.
Decision dispatcher. Routes the verdict — allow / deny / redact-and-allow / escalate-to-human.
Audit logger. Persists every decision with full context for replay, compliance, and post-incident analysis.

Intent Firewall vs other firewall categories

Layer	Defends against	Operates at
Network firewall	Network-level intrusion	TCP/IP packets
WAF (Web Application Firewall)	Web exploit traffic (SQLi, XSS, CSRF)	HTTP requests
Output content filter	Harmful or sensitive model output	LLM response stream
Intent Firewall	AI agent action misuse	Agent tool-call boundary

The categories are complementary, not substitutes. A WAF cannot detect that an authenticated agent is attempting to exfiltrate customer data via a legitimate API. A network firewall doesn't see HTTP semantics. An Intent Firewall doesn't see network packets. Production-grade AI deployments need all four layers.

Attacks an Intent Firewall stops

Prompt injection. A user (or upstream document) instructs the agent to ignore prior rules and execute unauthorised actions. The Intent Firewall enforces the policy regardless of what the agent's reasoning produces.
Capability creep. An agent given access to read-only tools tries to call write tools it shouldn't have access to. The Intent Firewall blocks based on the agent's declared capability scope.
Data exfiltration via tool args. An agent encodes sensitive data into HTTP parameters or webhook payloads. The Intent Firewall inspects arguments for PII/PHI/secrets.
Policy drift. Actions that were permitted six months ago are no longer compliant. Centralised policy means the Intent Firewall enforces the current rules without per-agent retrofits.
Confused deputy. Agent A delegates work to agent B; B inherits A's privileges and does something neither user nor operator intended. The Intent Firewall checks the actual intent at each boundary, not just authentication tokens.

Implementation considerations

Policy expressiveness vs latency

The hardest engineering trade-off. Powerful policy languages (Open Policy Agent's Rego, custom DSLs) support context-rich decisions but add evaluation latency. Sinaptic's implementation uses a YAML-based DSL with a pre-compiled AST and tiered evaluation: simple permits resolve in <5ms; context-rich escalations take longer but stay under 50ms p99. The right choice depends on your latency budget.

Policy storage and versioning

Policies should be code-reviewed, version-controlled, and signed. Sinaptic's M3 Framework (Mount, Monitor, Manage) provides patterns for this — policies live in git, are CI-validated, and ship via versioned releases.

Failure modes

What happens when the firewall is unavailable? Two patterns:

Fail-closed (default for high-risk systems). All actions denied if firewall is unreachable.
Fail-open with audit (lower-risk systems). Actions proceed but log a security event.

EU AI Act high-risk systems should fail-closed by default.

Implementations

Sinaptic Intent Firewall — commercial implementation, sub-50ms p99, deployed in production with European SMB customers
Sinaptic Intent Firewall MCP wrapper — open-source MCP-compatible wrapper, Apache 2.0
NVIDIA NeMo Guardrails — partial overlap, focuses on conversation guardrails rather than tool-level
AWS Bedrock Guardrails — partial overlap, content-level rather than action-level

References

Sinaptic AI. "Intent Firewall: Runtime Governance for AI Agents." Whitepaper. 2025. /en/products/intent-firewall/
M3 Framework. "Mount · Monitor · Manage." Open standard. 2025. m3framework.org
European Union. "AI Act (Regulation 2024/1689)." Articles 9-15.
ISO/IEC. "ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system." 2023.
OWASP. "OWASP Top 10 for LLM Applications." 2025.