I'm about to show you how any AI agent connected to your software and data can be turned into a corporate spy in under 60 seconds. 

The most surprising part? No coding required, just some English. 

Everyone wants AI to do their tedious work without compromising their sensitive data. This changes today with the introduction of OpenEdison.

TL;DR:

  • AI agents connected to software tools pose a significant risk of leaking confidential information.

  • Our new open-source system, OpenEdison, addresses this by giving you control over what your agents can do with your data.

  • Use uvx open-edison to install OpenEdison and try it out, and give us a star on our repo :)

uvx open-edison

AI + Software Tools = Data leaks and phishing attacks

Connecting AI to existing software should, in theory, provide more context and improve the usefulness of these AI tools. It should reduce the amount of copy and paste between your tool and ChatGPT, making AI agents that require less work from you. The vision is compelling: intelligent assistants that can read your emails, access your files, and take actions on your behalf.

But here's the fundamental problem: AI agents follow your commands, not your common sense.

Unlike a human, an AI model has no inherent sense of what data belongs where. It can be "prompt-injected": instructions hidden in content it reads are treated like instructions from you, so it can be tricked into leaking your credit card numbers, financial records, trade secrets, or any other sensitive data. Just as people are phished into sending card details to a stranger on the internet, an agent can be phished by text it was merely asked to read.

An agent can be compromised by a bad actor, or it can simply hallucinate a dangerous action that a non-technical user would never anticipate. The consequences can be severe, yet most users remain entirely unaware of the risk.

Security researcher Simon Willison has identified what he calls "the lethal trifecta" that highlights the data leak risks of connecting AI to existing software. The trifecta can occur when AI systems simultaneously have the ability to access private data, read untrusted content, and communicate with the external world. The core vulnerability is that AI systems may follow any instructions they encounter, regardless of source. Attackers can embed malicious commands in webpages, emails, or documents that trick the AI into stealing private data and sending it to the attacker when users innocently ask the AI to read that content.

When all three sides of the lethal trifecta meet in one AI + Tools setup, the result is a real data leakage risk.

This pattern has affected major AI systems from companies like Microsoft, Google, and GitHub, and the best available prompt-injection defences still only block about 95% of such attacks. In application security that is a failing grade: an attacker who can send many emails or publish many web pages needs only one to get through, so a 95% block rate just means a few dozen attempts. Thus, until today, the only truly reliable protection was to avoid combining all three capabilities in a single AI system.

For example, when ChatGPT is connected to your Gmail, it creates a direct pathway for the exploitation and compromise of your private information. A seemingly innocent request to "summarise this email" could turn into a data exfiltration operation if that email contains malicious instructions.

Solution: OpenEdison - a data security leash on your AI Agents

OpenEdison is a unified MCP (Model Context Protocol) proxy that addresses the lethal trifecta by tracking what each agent session has been exposed to through its tools and blocking the dangerous combination. MCP is an open protocol, now the de facto standard, for connecting AI assistants to external data sources and tools in real time; because every tool call passes through the proxy, OpenEdison can see and police each one.

Key Features

  • Data leak blocker: once a session has touched both private data and untrusted content, Edison blocks external-communication tool calls, even if your AI has been jailbroken.

  • Deterministic execution: the block decision is a rule over session state, not an LLM judgement, so there is no nondeterminism and nothing an attacker can talk it out of.

  • Easily configurable: Simple configuration and management of your MCP servers.

  • Visibility into agent interactions: Track and monitor your agents and their interactions with connected software and data via MCP calls.

OpenEdison can be installed from PyPI or Docker using a one-line command:

uvx open-edison

How OpenEdison Works

OpenEdison uses a simple algorithm to protect users: once an agent session has both read untrusted content and accessed private data, any subsequent call to an external-communication tool is blocked and the user is notified of the potential exfiltration.

In addition to preventing the lethal trifecta, we track an access control level (ACL) for each tool call. Each tool is labelled PUBLIC, PRIVATE, or SECRET, and the session records the highest level it has touched so far. A write operation through a tool at a lower level than that high-water mark is blocked automatically, so data read at SECRET cannot be written out through a PRIVATE or PUBLIC tool.

[Figure: Example of Access Level Management]
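To make both rules concrete, here is an added worked example (my own code, not OpenEdison's source) of the session-state check described above, covering the "summarise this email, then send" case from the Gmail example as well as the ACL no-write-down rule. The tool names, the per-tool flags (reads_private, reads_untrusted, writes, external) and the ACL labels on each tool are assumptions for illustration; only the PUBLIC/PRIVATE/SECRET levels and the two rules come from the post.

```python
"""Session-level policy check modelled on the two rules in the post:
the lethal-trifecta block and the ACL no-write-down rule.
Added example; not OpenEdison's own implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class ACL(IntEnum):
    """Access control levels from the post; higher means more sensitive."""
    PUBLIC = 0
    PRIVATE = 1
    SECRET = 2


@dataclass(frozen=True)
class Tool:
    """Hypothetical per-tool metadata an MCP proxy would keep (assumed fields)."""
    name: str
    acl: ACL
    reads_private: bool = False    # returns the user's private data
    reads_untrusted: bool = False  # returns content an attacker could have written
    writes: bool = False           # changes state somewhere
    external: bool = False         # can communicate with the outside world


@dataclass
class Session:
    """State the proxy accumulates over one agent session."""
    seen_private: bool = False
    seen_untrusted: bool = False
    high_water: ACL = ACL.PUBLIC   # highest ACL touched so far
    decisions: list[tuple[bool, str]] = field(default_factory=list)


def check_tool_call(session: Session, tool: Tool) -> tuple[bool, str]:
    """Return (allowed, reason). Only an allowed call updates session state."""
    # Rule 1: lethal trifecta. Private data and untrusted content are already
    # in the context, so an external call may be exfiltration whatever the
    # prompt says. The decision depends only on session state, not on the model.
    if tool.external and session.seen_private and session.seen_untrusted:
        verdict = (False, f"{tool.name}: blocked, trifecta complete "
                          "(private data + untrusted content -> external call)")
    # Rule 2: no write-down. Once the session has touched a higher ACL,
    # a write through a lower-ACL tool could carry that data downwards.
    elif tool.writes and tool.acl < session.high_water:
        verdict = (False, f"{tool.name}: blocked, write at {tool.acl.name} "
                          f"after session reached {session.high_water.name}")
    else:
        session.seen_private = session.seen_private or tool.reads_private
        session.seen_untrusted = session.seen_untrusted or tool.reads_untrusted
        session.high_water = max(session.high_water, tool.acl)
        verdict = (True, f"{tool.name}: allowed")
    session.decisions.append(verdict)
    return verdict


# Constructed tool registry. An inbox is both private data and untrusted
# content, since anyone on the internet can put text into it.
TOOLS = {t.name: t for t in [
    Tool("gmail.read_inbox", ACL.PRIVATE, reads_private=True, reads_untrusted=True),
    Tool("web.fetch", ACL.PUBLIC, reads_untrusted=True),
    Tool("vault.read_secret", ACL.SECRET, reads_private=True),
    Tool("notes.write", ACL.PRIVATE, writes=True),
    Tool("gmail.send", ACL.PRIVATE, writes=True, external=True),
    Tool("http.post", ACL.PUBLIC, writes=True, external=True),
]}


def run_session(calls: list[str]) -> list[bool]:
    """Replay a sequence of tool calls through one session; return allow/deny per call."""
    session = Session()
    return [check_tool_call(session, TOOLS[name])[0] for name in calls]


if __name__ == "__main__":
    scenarios = {
        "summarise email, then reply": ["gmail.read_inbox", "gmail.send"],
        "fetch page, post result": ["web.fetch", "http.post"],
        "read secret, write notes": ["vault.read_secret", "notes.write"],
        "fetch page, read secret, post": ["web.fetch", "vault.read_secret", "http.post"],
    }
    for label, calls in scenarios.items():
        s = Session()
        for name in calls:
            check_tool_call(s, TOOLS[name])
        print(label)
        for _, reason in s.decisions:
            print("  ", reason)
```

The first scenario is the post's own Gmail case: reading the inbox marks the session as having seen both private and untrusted data, so the follow-up send is refused regardless of whether the email contained an injection. That is also why the approach is conservative, as the post acknowledges below: legitimate reply-to-email workflows hit the same block and need a human to approve them.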

Key Differentiation

The crucial difference is this: OpenEdison protects users even after a bad actor has jailbroken the agent. Other solutions try to detect or prevent jailbreaks and prompt injections; OpenEdison assumes the jailbreak will succeed and blocks the undesirable tool calls regardless.

The Future: Autonomy without Compromises

Today, OpenEdison uses the simple algorithm above. It is deliberately conservative, which can be restrictive and can require more human-in-the-loop approval than users would like. In the future, OpenEdison will ship smarter tool blockers that need less human interaction, so that you don't have to trade agent autonomy for protection. Edison will be a digital watchdog that never sleeps, keeping agents accountable and your data safe.

Edison will be updated continuously to keep up with the latest threats.

For Companies: EdisonWatch - Secure AI at Scale

EdisonWatch is an AI governance platform that maps the live ontology of entities, workflows, and policies, and ensures your data is handled in a compliant and secure way at full company scale.

EdisonWatch will enable AI pilots to scale across an organisation securely and in a compliant way, unlocking productivity while ensuring execution follows policy, approvals, and audit requirements, with clear governance for risk and accountability.

Onboarding to the commercial product is fast: EdisonWatch will auto-generate policy-as-code from your compliance documents and natural-language requests, in the context of your specific company setting.

Take Action

Don't let your AI agents become your most significant security vulnerability; let OpenEdison be the watchdog that keeps your digital world secure.

For companies interested in getting a security assessment for agents in your organisation, schedule a demo here.
