Security by architecture,not afterthought.
Lorenz treats security as a design constraint built into routing, retrieval, execution, and recovery instead of a checkbox added after the agent works.
Security controls
Layered controls that protect every operation inside Lorenz across identity, data, execution, and recovery.
Zero-Trust Identity
Requests are bound to user and tenant scope. Session posture, token validation, and scoped access paths reduce ambient trust.
Tenant Isolation
JWT tenant claims, request-scoped context, workspace boundaries, and scoped undo flows reduce cross-tenant leakage risk.
AEGIS Guardian
Lorenz evaluates prompts, commands, and high-risk actions for destructive patterns, prompt injection markers, and unsafe intent before execution.
Data Egress Control
Sensitive routing and OCR policy decide when data can stay local, when it can remain in-country, and when external providers are forbidden.
Governed RAG
Hybrid retrieval, canonical claim governance, and conflict monitoring keep memory useful without turning the knowledge layer into a blind trust surface.
Controlled Skills And Tools
No blind plugin sprawl. Skills are explicit capabilities that can be allowlisted, scoped, and monitored before touching user data.
Fortress Runtime
Air-tight baseline checks, immutable security-critical settings, heartbeat visibility, and build traceability reduce silent posture drift.
Recovery And Evidence
Action Journal, workspace snapshots, undo, heartbeat, and build metadata support detection, response, and accountable rollback.
Threat model
How Lorenz addresses common AI security threats by design, from prompt injection to OCR egress and runtime drift.
| Threat | Mitigation |
|---|---|
| Prompt injection | AEGIS screens prompts for injection markers and destructive intent before execution. |
| Retrieval poisoning | RAG Governor, conflict handling, and scoped ingestion reduce the chance that malicious documents silently become authoritative memory. |
| Data exfiltration | Sensitive routing and OCR policy enforce local-only and in-country data paths. |
| Unauthorized tool execution | Skills require explicit allowlisting, scoping, and human confirmation for high-risk actions. |
| Cross-tenant leakage | JWT tenant claims and strict workspace path validation prevent cross-boundary access. |
| Path traversal and workspace breakout | Workspace roots, local scope validation, and blocked path escape attempts constrain execution to approved boundaries. |
| OCR egress abuse | External OCR is gated by allowlists, rollout controls, and explicit policy instead of being a silent default path. |
| Runtime posture drift | Fortress checks, immutable critical settings, heartbeat, and build traceability make unsafe drift visible early. |
| Silent failure | Action Journal, heartbeat, and build metadata ensure incidents are visible and traceable. |
Operator principles
- Security is a design constraint, not a feature flag.
- Every action must be attributable to a user, tenant, and workspace.
- Sensitive data paths default to local-only until policy explicitly allows otherwise.
- Human confirmation is required for destructive or high-risk operations.
- Audit trails are immutable and always-on — they cannot be disabled by tenants.
- Execution power must remain bounded by scope, policy, and recovery evidence.
- No silent fallback should bypass a broken security or integrity invariant.
Security that scales with you
Deploy Lorenz with confidence — every layer is designed for enterprise-grade security.