The new open-source project IronCurtain introduces a unique method to secure and constrain AI assistant agents, aiming to prevent them from causing digital disruption.
AI agents, such as OpenClaw, have gained significant attention due to their ability to manage various aspects of digital lives. These agentic assistants are designed to access digital accounts and execute commands, whether for creating personalized news digests, handling customer service interactions, or auditing to-do lists. While beneficial, this capability has also led to considerable disruption and issues. Instances include bots mass-deleting emails despite instructions to preserve them, generating negative content based on perceived slights, and even initiating phishing attacks against their users.
Observing the recent chaos, security engineer and researcher Niels Provos developed a new approach. He is introducing IronCurtain, an open-source, secure AI assistant that adds a crucial layer of control. Unlike other agents that directly interact with user systems, IronCurtain operates within an isolated virtual machine. Its actions are governed by a user-defined policy, akin to a constitution. A key feature is IronCurtain’s ability to interpret these policies, written in plain English, and convert them into an enforceable security policy through a multi-step process involving a large language model (LLM).
Provos stated that while services like OpenClaw are currently popular, there is an opportunity to develop a different approach. He aims to create a system that offers high utility without venturing into unpredictable or destructive behaviors.
The capacity of IronCurtain to translate simple, clear instructions into enforceable, predictable boundaries is essential, according to Provos. This is due to the inherent stochastic and probabilistic nature of LLMs, which means they do not always produce identical outputs for the same input. This characteristic poses difficulties for AI safety mechanisms, as AI systems might adapt their interpretation of controls over time, potentially leading to unauthorized actions.
A policy for IronCurtain, as described by Provos, could be straightforward: “The agent may read all email. It may send email to contacts without requiring permission. For other recipients, it must ask first. Nothing should ever be permanently deleted.”
IronCurtain converts these instructions into an enforceable policy, then acts as an intermediary between the assistant agent within the virtual machine and the model context protocol server, which grants LLMs access to data and digital services for task execution. This method of constraining an agent introduces a vital access control feature, which current web platforms, such as email providers, lack. These platforms were not designed for scenarios where both a human and AI agents operate from the same account.
Provos highlights that IronCurtain is designed for continuous improvement of a user’s policy. The system refines its “constitution” as it encounters unusual situations, requesting human guidance for resolution. This model-independent system, compatible with any LLM, also maintains an audit log of all policy decisions.
Currently, IronCurtain functions as a research prototype rather than a consumer product. Provos encourages contributions to help the project evolve. Cybersecurity researcher Dino Dai Zovi, who has tested early versions, finds the project’s conceptual approach to constraining agentic AI aligns with his own insights.
Dai Zovi points out that many existing agents rely on permission systems that place the entire burden on the user to approve each action. This often leads to users becoming desensitized, granting permissions indiscriminately, and eventually giving full autonomy. IronCurtain offers a different solution, allowing certain capabilities, such as file deletion, to be entirely beyond the LLM’s reach, preventing the agent from performing such actions regardless of its programming.
Dai Zovi contends that these strict, unambiguous constraints, while potentially appearing rigid or inconvenient at first, are crucial for ultimately enabling greater autonomy for agentic AI.
He emphasizes that increased velocity and autonomy for AI necessitate a robust supporting structure. Dai Zovi draws an analogy: a rocket engine requires a stable rocket to achieve its destination, whereas strapping a jet engine to one’s back would be fatal.
