Brex built an AI agent governance system by watching real agent behavior, not writing rules first
venturebeat.com

Brex built an AI agent governance system by watching real agent behavior, not writing rules first

Tech News
4 min read

Published by AINave Editorial • Reviewed by Ramit

TL;DRBrex open-sourced CrabTrap, an HTTP/HTTPS proxy that enforces AI agent governance by deriving policies from observed network traffic, not writing rules first.

Brex has open-sourced CrabTrap, an HTTP/HTTPS proxy that enforces AI agent governance by intercepting every outbound request and using a combination of deterministic rules and an LLM-as-a-judge. The key innovation: policies are derived from observed agent behavior, not written in advance. For AI builders managing autonomous agents, this approach reduces the tension between capability and safety by aligning guardrails with what agents actually do.

What happened

Brex built CrabTrap as an internal platform and released it as open-source. It sits at the transport layer, routing every outbound HTTP/HTTPS request from an agent through a proxy before it reaches its destination. The proxy applies a deterministic policy core for known traffic patterns and uses an LLM-as-a-judge to decide on the roughly 3% of requests that fall outside those patterns.

Instead of writing security rules from scratch, the system bootstraps policy from real agent traffic. A policy-builder (itself an agentic loop) runs agents in shadow mode, analyzes historic network traffic, and drafts a natural-language policy that matches what the agent actually does. An eval system tests policy changes before deployment by comparing historical audit entries against the draft policy. Full audit trails are stored in PostgreSQL and queryable through an admin API and dashboard.

Why AI builders should care

Transport-layer enforcement is framework-, language-, and API-agnostic. It does not require SDK wrappers or per-tool integration. Users set HTTP_PROXY and HTTPS_PROXY in the agent's environment, and every outbound request routes through the proxy. This gives a single point of control across all agents, regardless of the underlying framework.

Latency concerns are manageable. The LLM judge fires only on a small fraction of requests, and Brex uses small, fast models like Claude Haiku. For agents with predictable traffic patterns, high-volume requests become static rules, so the judge rarely activates.

The policy-builder turned out to be surprisingly effective. Brex expected it to produce a rough starting point, but policies derived from a few days of traffic matched human judgment on the vast majority of held-out requests. This means teams can skip the guesswork of writing rules and instead let observed behavior define the policy.

Practical implications

For AI builders deploying autonomous agents, the takeaway is a practical pattern:

  • Adopt a transport-layer gateway as a universal enforcement point. It works with any agent framework, language, or API.
  • Use a policy-builder to infer natural-language policies from real traffic before codifying rules. Run shadow-mode evals to catch regressions.
  • Implement an LLM-based judge for the long tail of unfamiliar requests, but keep it on a short leash to avoid latency creep.
  • Store audit trails in a relational store (e.g., PostgreSQL) and provide a dashboard for review. Brex used denial logs and traffic analysis to tighten agents themselves, cutting out requests that waste time and tokens.
  • Plan for future RBAC and SSO to scale governance as agent usage grows. Brex anticipates deeper authentication functionality and escalation workflows that allow agents to request additional permissions.

Caveats

Evidence is based on coverage from VentureBeat and Brex's public disclosures; details may evolve as the open-source release progresses. Prompt-injection risk exists because the LLM judge receives user-controlled content. Brex mitigates this by structuring the request as a JSON object to escape rather than interpolate raw text, but no mitigation is foolproof. Latency and model choice are described in Brex's communications; real-world deployments may vary by workload and network conditions. The open-source community will surface edge cases and accelerate policy evolution, but maturity depends on adoption.

FAQs

Brex built CrabTrap as an open-source HTTP/HTTPS proxy that sits between agents and their outbound network requests. Every request routes through the proxy, where a deterministic policy core handles known patterns and an LLM-as-a-judge decides on unusual requests. Full audit trails are stored in PostgreSQL and accessible via a dashboard for human review, providing a central enforcement point for agent governance.

Sources

Latest Tech News