Content Deep Dive

Introducing Veto: security for the next era of software

Blog post from Ona

Post Details
Company: Ona
Date Published:
Author: Johannes Landgraf, Christian Weichel
Word Count: 1,037
Language: English
Hacker News Points: -
Summary

Johannes Landgraf and Christian Weichel present "Veto," a kernel-level enforcement engine designed to address security challenges in AI agent platforms, introduced to the Ona platform in early access. The text highlights the inadequacy of current horizontal runtime security tools, which typically rely on path-based enforcement, explaining how AI agents can bypass these measures by reasoning about their own restrictions. Veto aims to offer a more robust solution by enforcing security at the syscall level, limiting an agent's ability to exploit vulnerabilities through file access, network connections, and process executions. This approach emphasizes the necessity of integrating security vertically into the platform, akin to how brakes are built into a car's chassis, to provide defense in depth across the full stack. The authors argue that effective agent security requires both static rules and dynamic adjustments based on real-time behavior, stressing the importance for CIOs and CISOs to collaborate on building secure AI platforms to ensure productivity and innovation while mitigating risks.