IronCurtain: the open project that keeps AI agents from getting out of control

The artificial intelligence industry is experiencing a boom in autonomous agents — programs that not only answer questions but independently act in the user's digital world: sending emails, booking meetings, editing documents, managing subscriptions. But the more authority AI receives, the more pressing the question becomes: what will happen when an agent makes the wrong decision? A new open-source project called IronCurtain, featured in Wired, offers an answer — and its approach is fundamentally different from what major laboratories are doing.

The problem IronCurtain addresses is not abstract. Over the past year, dozens of companies — from OpenAI and Google to startups like Adept and Cognition — have released AI agents capable of interacting with applications and services on behalf of humans. These systems gain access to email, banking applications, and work tools.

However, the language models underlying them remain probabilistic systems: they can hallucinate, misinterpret instructions, or fall victim to prompt injection — an attack in which malicious text in an email or web page forces an agent to perform an unwanted action. Imagine your AI assistant, after reading a specially crafted email, begins forwarding confidential documents to third parties. This is not science fiction — such vulnerabilities have already been demonstrated by security researchers.

The traditional approach to solving this problem is to embed constraints directly in the language model through system prompts, fine-tuning, or RLHF. But IronCurtain takes a different path. The project creates an external protective layer — a kind of "iron curtain" between the agent's intentions and the real world. Before any action by an AI agent is executed, it passes through a system of strict rules and policies that cannot be bypassed through prompt manipulation. This is a fundamental architectural decision: security is placed outside the model, where it is not subject to the same vulnerabilities as the AI itself.

Technically, this can be compared to a firewall in computer networks. A firewall does not attempt to make each program safe from within — it controls what traffic can pass and what is blocked, regardless of the program's intentions. Similarly, IronCurtain intercepts API calls and system commands from the agent, checks them against a set of policies defined by the user or administrator, and only allows actions that are explicitly permitted. If an agent tries to send an email to an unfamiliar address, delete a file, or conduct a financial transaction exceeding a set threshold, the action is blocked and the user receives a notification.

Open-source code is another key element of the project's philosophy. Unlike proprietary security solutions embedded in commercial agents, IronCurtain allows any developer or researcher to study exactly how constraints work, find potential vulnerabilities, and propose improvements. This is especially important in the context of growing distrust toward the "black boxes" of major AI companies. When it comes to a system that controls AI's access to your digital life, transparency stops being a nice bonus and becomes a necessity.

For the industry, the emergence of IronCurtain signals an important shift in thinking. For a long time, AI agent security was treated as a problem to be solved at the level of the model itself — making it "more obedient," "more cautious." But as practice shows, this approach has fundamental limitations: a model smart enough to be useful is inevitably flexible enough to be deceived. An external security layer operating on deterministic rules does not replace internal model constraints, but creates a critically important second line of defense. This is the same "defense-in-depth" principle that has been applied in cybersecurity for decades.

However, the approach has its limitations. Strict rules can reduce the utility of an agent — if the policy is too strict, the AI assistant becomes a useless program that asks for confirmation on every action. The balance between security and functionality remains an unsolved design challenge, and IronCurtain for now offers tools but not universal recipes. Moreover, the project is still in its early stages, and its real resilience to sophisticated attacks remains to be tested in real-world conditions.

Nevertheless, the direction is correct. As AI agents become everyday reality — and 2026 is already being called the year of agentic AI — the need for reliable, transparent, and model-agnostic control systems will only grow. IronCurtain could become the standard around which an entire ecosystem of security tools for autonomous AI will form. And if that happens, we will remember this project as the moment when the industry finally acknowledged: trusting an agent does not mean trusting it blindly.