CNCF: Prempti Brings Policy Enforcement and Visibility to AI Coding Agents
The CNCF Falco team has released Prempti — an experimental project that extends Falco's runtime security model to AI coding agents. The system intercepts tool calls before execution and enforces policy rules, giving teams control over agent actions such as those performed by Claude Code.
This article was generated using artificial intelligence from primary sources.
The Falco team within the Cloud Native Computing Foundation (CNCF) has released Prempti — an experimental project that brings structured visibility and control over the actions of AI coding agents. The goal is the same one Falco already achieves in Kubernetes environments: runtime security applied at the moment something wants to act, not only after the damage is done.
What is Prempti and how does policy enforcement work?
Prempti is a lightweight user-space service that sits between an AI agent and the operating system. When an agent — for example Claude Code — announces a tool call (an operation such as reading a file, running a shell command, or accessing the network), Prempti intercepts that event before execution and sends it to Falco via a Unix socket.
Falco’s rules engine then evaluates the request against a YAML policy configuration — the same format engineers already know from Falco runtime rules. The verdict can be Allow, Deny, or Ask (interactive user confirmation). The system supports two modes: Monitor, which only logs events without blocking, and Guardrails, which actively enforces the policy.
What threats does it cover and why does that matter?
The default ruleset covers six risk categories specific to AI agents: escaping the working directory, accessing sensitive paths (SSH keys, AWS credentials, .env files), disabling the sandbox, credential theft, destructive commands, and MCP/slash-command injection — an attack vector becoming increasingly relevant as AI agents gain access to external tools.
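As an added illustration of the evaluation model described above (this is not Prempti's code and not Falco's or Prempti's actual rule syntax), the Python sketch below matches a declared tool call against an ordered policy, returns the first matching rule's Allow, Deny or Ask verdict, and shows how Monitor mode logs a verdict without blocking while Guardrails mode enforces it. The rule field names, the sample policy and the three risk categories it encodes (sensitive paths, destructive commands, working-directory escape) are assumptions for this example.

```python
import fnmatch
import os
from dataclasses import dataclass

# Constructed policy modelled on the article's risk categories. Field names and
# globs are assumptions for this illustration, not a real Prempti/Falco schema.
POLICY = [
    {"name": "sensitive_path", "tools": {"read_file", "write_file", "bash"},
     "paths": ["*/.ssh/*", "*/.aws/credentials", "*/.env"], "verdict": "Deny"},
    {"name": "destructive_command", "tools": {"bash"},
     "commands": ["rm -rf *", "git push --force*", "mkfs*"], "verdict": "Ask"},
    {"name": "workdir_escape", "tools": {"read_file", "write_file"},
     "outside_workdir": True, "verdict": "Ask"},
]

@dataclass
class ToolCall:
    tool: str          # declared tool, e.g. "bash", "read_file", "write_file"
    path: str = ""     # file operand, if the tool takes one
    command: str = ""  # shell command line, if the tool is a shell

def _resolve(p, workdir):
    # Normalise relative paths against the agent's working directory.
    return os.path.normpath(os.path.join(workdir, p))

def _matches(rule, call, workdir):
    if call.tool not in rule["tools"]:
        return False
    # Candidate paths: the file operand plus shell tokens that look like paths.
    cands = [call.path] if call.path else []
    cands += [t for t in call.command.split() if "/" in t or t.startswith(".")]
    resolved = [_resolve(c, workdir) for c in cands]
    if "paths" in rule:
        return any(fnmatch.fnmatch(r, g) for r in resolved for g in rule["paths"])
    if "commands" in rule:
        return any(fnmatch.fnmatch(call.command, g) for g in rule["commands"])
    if rule.get("outside_workdir"):
        root = os.path.normpath(workdir) + os.sep
        return any(not r.startswith(root) for r in resolved)
    return False

def evaluate(call, workdir):
    """First matching rule wins; a call no rule matches is allowed."""
    for rule in POLICY:
        if _matches(rule, call, workdir):
            return rule["verdict"], rule["name"]
    return "Allow", None

def enforce(call, workdir, mode="Guardrails"):
    """Monitor mode only logs the policy verdict; Guardrails mode applies it."""
    verdict, rule = evaluate(call, workdir)
    if rule:
        print(f"[{mode}] rule={rule} call={call} verdict={verdict}")
    return "Allow" if mode == "Monitor" else verdict
```

In a real deployment the Ask verdict would prompt the user interactively; here it is simply returned so the caller can decide.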
Can Prempti replace a sandbox?
No — and the authors state this explicitly. Prempti intercepts declared agent tool calls, not the system calls those invocations may eventually generate. It is a policy layer that complements OS hardening and process isolation but does not replace them. It currently supports Claude Code on Linux, macOS, and Windows, with OpenAI Codex integration planned.
For security teams already using Falco, Prempti offers a natural extension of a familiar model to a new attack surface — AI agents executing code increasingly autonomously in production environments.
Frequently Asked Questions
- What is Falco and how is it related to Prempti?
- Falco is a CNCF graduated project for cloud-native runtime security that detects anomalous behavior in Kubernetes environments by analyzing system calls. Prempti uses Falco's plugin system and rules engine to apply the same policy model to tool calls from AI coding agents.
- How does Prempti decide what an agent is allowed to do?
- Prempti intercepts every tool call the agent announces, sends the event to Falco via a Unix socket, and Falco's engine evaluates it against YAML policy rules. The verdict can be Allow, Deny, or Ask — depending on whether the action matches the defined rules.
- Does Prempti replace a sandbox or OS hardening?
- No. Prempti is a policy layer that intercepts declared agent tool calls, not the system calls those calls generate. It complements OS hardening and sandboxing but does not replace them.