For two decades, the firewall has been the security primitive for controlling what crosses a boundary — a network firewall for packets, a web application firewall for HTTP, a host-based firewall for processes. AI agents introduce a boundary that none of those tools were designed to enforce: the boundary between an autonomous program and the OS resources it can act on.

That gap is what the agent firewall closes. Instead of inspecting traffic, it inspects agent actions. Instead of blocking IPs, it blocks behaviors. And instead of operating at the network edge, it operates where the agent actually executes — on the endpoint, in the kernel.

What an agent firewall has to do

A real agent firewall has to deliver three things that no first-generation AI security tool was built for. The first, and the one that defines the architecture, is how it handles a risky action.

Copy-on-write, not block-on-deny

The architectural bet that defines a real agent firewall is the difference between blocking and sandboxing. A block-on-deny firewall stops the agent the moment it tries to do something risky. The agent reports a failure, the user disables the firewall to get unblocked, and coverage drops to zero.

Ospiri's agent firewall takes the opposite approach. When an agent tries to modify a file, the firewall clones it into a sandbox. The agent operates against its sandboxed copy and gets the functionality it needs. The original files remain untouched. Policies decide whether to commit, discard, or escalate the sandboxed changes.

This is the difference between an agent firewall that breaks productivity and one that enables governed productivity. It is also where the technical moat sits: copy-on-write at kernel scope is genuinely hard to build. The model applies to state that can be cloned, such as files; an outbound connection or a newly launched process has no copy to sandbox, so for those actions the policy still has to choose between allow, deny, and escalate at the moment of the attempt.
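The mechanism described above, as an added user-mode model that is not Ospiri's driver or code: the first write to a file clones it into a sandbox directory, later reads and writes by the agent go to the clone, and a policy callback decides per file whether to commit, discard, or escalate. The `AgentSandbox`, `Verdict` and `example_policy` names and the policy rules are constructed for illustration; the repository contents in `demo()` are constructed sample data.

```python
# Added example: user-mode model of copy-on-write agent sandboxing.
# Not Ospiri's kernel driver; names, rules and sample files are constructed.
import shutil
import tempfile
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    COMMIT = "commit"      # apply the sandboxed change to the real file
    DISCARD = "discard"    # throw the sandboxed change away
    ESCALATE = "escalate"  # keep the clone and hold it for a human


class AgentSandbox:
    """Per-file copy-on-write overlay for an agent's file writes.

    The first write to a path clones the real file into sandbox_root; every
    later read or write by the agent goes to the clone, so the agent keeps
    working. Nothing under real_root changes until resolve() applies a
    COMMIT verdict from the policy callback.
    """

    def __init__(self, real_root, sandbox_root, policy):
        self.real_root = Path(real_root)
        self.sandbox_root = Path(sandbox_root)
        self.policy = policy   # policy(rel_path, before, after) -> Verdict
        self.clones = {}       # rel_path -> Path of the sandboxed copy

    def _clone(self, rel):
        if rel not in self.clones:
            real, clone = self.real_root / rel, self.sandbox_root / rel
            clone.parent.mkdir(parents=True, exist_ok=True)
            if real.exists():
                shutil.copy2(real, clone)  # copy on first write, not on open
            else:
                clone.write_bytes(b"")     # new file exists only in the sandbox
            self.clones[rel] = clone
        return self.clones[rel]

    def read(self, rel):
        # The agent sees its own pending changes; untouched files come from disk.
        return self.clones.get(rel, self.real_root / rel).read_bytes()

    def write(self, rel, data):
        self._clone(rel).write_bytes(data)

    def resolve(self):
        """Ask the policy about every pending change and apply its verdict."""
        verdicts = {}
        for rel, clone in self.clones.items():
            real = self.real_root / rel
            before = real.read_bytes() if real.exists() else b""
            after = clone.read_bytes()
            verdict = self.policy(rel, before, after)
            if verdict is Verdict.COMMIT:
                real.parent.mkdir(parents=True, exist_ok=True)
                real.write_bytes(after)
            elif verdict is Verdict.DISCARD:
                clone.unlink()
            verdicts[rel] = verdict.value  # ESCALATE leaves the clone for review
        return verdicts


def example_policy(rel, before, after):
    """Constructed illustrative rules; a real policy language would differ."""
    if rel.startswith((".ssh/", ".git/hooks/")):
        return Verdict.DISCARD        # credentials and hooks: never silently
    if rel.endswith(".env") or before == b"":
        return Verdict.ESCALATE       # secrets, or brand-new files: a human decides
    return Verdict.COMMIT             # ordinary source edits go through


def demo():
    """Simulate an agent editing a repo; report what happened to the real files."""
    root = Path(tempfile.mkdtemp(prefix="agent-cow-"))
    real, sandbox = root / "real", root / "sandbox"
    (real / "src").mkdir(parents=True)
    (real / ".ssh").mkdir()
    (real / "src" / "app.py").write_bytes(b"print('v1')\n")  # constructed repo
    (real / ".ssh" / "authorized_keys").write_bytes(b"ssh-ed25519 AAAA user\n")
    (real / ".env").write_bytes(b"API_KEY=old\n")

    box = AgentSandbox(real, sandbox, example_policy)
    box.write("src/app.py", b"print('v2')\n")                       # legitimate edit
    box.write(".ssh/authorized_keys", b"ssh-ed25519 BBBB agent\n")  # risky
    box.write(".env", b"API_KEY=new\n")                             # needs a human
    box.write("src/new_tool.py", b"import os\n")                    # new file

    untouched = (real / "src" / "app.py").read_bytes() == b"print('v1')\n"
    agent_sees = box.read("src/app.py") == b"print('v2')\n"
    verdicts = box.resolve()
    result = {
        "real_untouched_before_resolve": untouched,
        "agent_sees_own_change": agent_sees,
        "verdicts": verdicts,
        "app_py_after": (real / "src" / "app.py").read_bytes(),
        "authorized_keys_after": (real / ".ssh" / "authorized_keys").read_bytes(),
        "env_after": (real / ".env").read_bytes(),
        "new_tool_in_real": (real / "src" / "new_tool.py").exists(),
        "new_tool_clone_kept": (sandbox / "src" / "new_tool.py").exists(),
        "authorized_keys_clone_kept": (sandbox / ".ssh" / "authorized_keys").exists(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The point to notice is the ordering: the agent's write succeeds and its own subsequent read returns the new content, so nothing in the agent's loop fails, yet the real `authorized_keys` and `.env` are byte-for-byte what they were before, and the escalated clones survive for a reviewer to diff. A kernel implementation has to do the same bookkeeping for every handle and path alias, which is the hard part the text alludes to.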

The four isolation layers

Ospiri's agent firewall is implemented as a Windows kernel driver that enforces policy across four scopes, with a fifth in active development.

How an agent firewall fits with EDR

Ospiri's agent firewall doesn't replace your EDR — it deploys alongside it. EDR is built to recognize malicious binaries and signature-matched attack patterns. It doesn't classify a benign coding agent writing files as a threat, because by EDR's lights, it isn't one. The agent firewall sits one layer deeper and asks a different question: given that this is a known agent, what is it allowed to do in this environment, and what should happen if it tries to do more?

That layered model is how every other endpoint security category got mature. EDR + agent firewall is the same shape as antivirus + EDR was a decade ago: a coarser layer that catches the obvious threats, plus a finer layer that gives the security team granular control over the things that aren't threats but still need to be governed.

Why this is the moment to deploy one

Every major AI lab is shipping agents that act on behalf of the user — installing software, opening network connections, modifying files, controlling other applications. Anthropic's Claude Dispatch capability lets a phone control a desktop computer remotely. Every other lab is racing to ship the same. The endpoint isn't where the human sits anymore. Without an agent firewall, the enterprise has no way to enforce what the agent can do, where it can reach, or whether it's authorized to be there.

88% of organizations reported an AI agent security incident in the last 12 months. Shadow AI breaches run roughly $670K above the cyber breach baseline. The category currently has no incumbent. Whoever ships kernel-grade isolation and a working signature pipeline first owns it.

Related