AI agents that automate digital tasks have gained popularity but often cause chaos through unintended actions like mass-deleting emails. In response, security engineer Niels Provos launched IronCurtain, an open-source AI assistant designed to operate securely within an isolated virtual machine. IronCurtain uses a user-defined policy, written in plain English and converted into an enforceable security rule, to mediate all of the agent's actions and prevent destructive behavior. The system aims to provide utility while adding a critical layer of predictable control, addressing the inherent unpredictability of large language models. IronCurtain is currently a research prototype intended for community development and exploration.
AI agents like OpenClaw have recently exploded in popularity precisely because they can take the reins of your digital life. Whether you want a personalized morning news digest, a proxy that can fight with your cable company's customer service, or a to-do list auditor that will do some tasks for you and prod you to resolve the rest, agentic assistants are built to access your digital accounts and carry out your commands. This is helpful—but has also caused a lot of chaos. The bots are out there mass-deleting emails they've been instructed to preserve, writing hit pieces over perceived snubs, and launching phishing attacks against their owners.
Watching the pandemonium unfold in recent weeks, longtime security engineer and researcher Niels Provos decided to try something new. Today he is launching an open source, secure AI assistant called IronCurtain designed to add a critical layer of control. Instead of the agent directly interacting with the user's systems and accounts, it runs in an isolated virtual machine. And its ability to take any action is mediated by a policy—you could even think of it as a constitution—that the owner writes to govern the system. Crucially, IronCurtain is also designed to receive these overarching policies in plain English and then runs them through a multistep process that uses a large language model (LLM) to convert the natural language into an enforceable security policy.
“Services like OpenClaw are at peak hype right now, but my hope is that there’s an opportunity to say, ‘Well, this is probably not how we want to do it,’” Provos says. “Instead, let’s develop something that still gives you very high utility, but is not going to go into these completely uncharted, sometimes destructive, paths.”
IronCurtain's ability to take intuitive, straightforward statements and turn them into enforceable, deterministic—or predictable—red lines is vital, Provos says, because LLMs are famously “stochastic” and probabilistic. In other words, they don't necessarily always generate the same content or give the same information in response to the same prompt. This creates challenges for AI guardrails, because AI systems can evolve over time such that they revise how they interpret a control or constraint mechanism, which can result in rogue activity.
An IronCurtain policy, Provos says, could be as simple as: “The agent may read all my email. It may send email to people in my contacts without asking. For anyone else, ask me first. Never delete anything permanently.”
IronCurtain takes these instructions, turns them into an enforceable policy, and then mediates between the assistant agent in the virtual machine and what's known as the model context protocol server that gives LLMs access to data and other digital services to carry out tasks. Being able to constrain an agent this way adds an important component of access control that web platforms like email providers don't currently offer because they weren't built for the scenario where both a human owner and AI agent bots are all using one account.
Provos notes that IronCurtain is designed to refine and improve each user's “constitution” over time as the system encounters edge cases and asks for human input about how to proceed. The system, which is model-independent and can be used with any LLM, is also designed to maintain an audit log of all policy decisions over time.
IronCurtain is a research prototype, not a consumer product, and Provos hopes that people will contribute to the project to explore and help it evolve. Dino Dai Zovi, a well-known cybersecurity researcher who has been experimenting with early versions of IronCurtain, says that the conceptual approach the project takes aligns with his own intuition about how agentic AI needs to be constrained.
“What a lot of the agents have done so far is, they’ve added permission systems that basically put all the burden on the user to say ‘yes, allow this,’ ‘yes, allow that,’” Dai Zovi says. “Most users are going to start to tune out and eventually just say, ‘yes, yes, yes.’ And then after a little while, they may dangerously skip all permissions and just grant full autonomy. With something like IronCurtain, capabilities—like, say, deleting files—can actually be outside the reach of the LLM, where the agent can't do something no matter what.”
Dai Zovi argues that these types of black-and-white constraints, which may initially seem overly rigid or simply annoying to some, are actually necessary for ultimately giving agentic AI more leash.
“If we want more velocity and more autonomy, we need the supporting structure,” Dai Zovi says. “You put a rocket engine inside an actual rocket so it has the stability to get where you want it to go. I could strap a jet engine to my back in a backpack, and I would just die.”
Meridiano
