The enforcement infrastructure that makes AI agent behavior controllable at the execution layer.
Plarix sits between what an AI agent decides and what it is allowed to execute. Not a guardrail. Not a prompt. Not a monitor. The enforcement layer — operating before the action lands, every time.
The Authorization Gap
Every major agent framework today relies on system prompts to constrain behavior. A prompt can say “do not exfiltrate user data.” The agent can still do it. There is no mechanism in any framework that deterministically stops it.
That gap — between what you instruct the agent to do and what it is physically capable of doing — is the Authorization Gap. It is the core attack surface for every production agentic system today.
AI safety is not a prompt engineering problem. It is a computational medium problem. It requires deterministic interception at the execution layer. That is what Wyatt is.
BEFORE PLARIX
system_prompt: "do not delete files"
agent.run(task)
→ agent calls delete_file(path)
→ file deleted ✗
WITH WYATT
wyatt.policy: delete_file → DENY
agent.run(task)
→ agent calls delete_file(path)
→ Wyatt intercepts ✓
→ action denied, logged ✓
How agent systems actually fail
The Agent Failure Boundary taxonomy is Plarix's first-principles model of how agentic AI systems break. Four distinct failure categories. Four distinct enforcement boundaries. Most “AI security” products protect against generic vulnerabilities. AFB is built specifically for agents.
Context Poisoning
Malicious data injected into the agent's context — via poisoned RAG retrieval, indirect prompt injection, or compromised tool outputs. The agent believes corrupted information and acts on it.
Model Boundary Compromise
The model itself is extracted, manipulated, or abused. Requires model-provider-level access for full enforcement — the boundary Plarix approaches via attestation and identity.
Instruction Hijack
Injected instructions override the agent's intended behavior mid-run. The model's output becomes an attack vector — executing instructions the operator never authorized.
Unauthorized Action
The agent executes a tool call, API request, or file operation it was not authorized to perform. This is the enforcement boundary — the one Wyatt closes deterministically.
What Plarix builds
The enforcement stack is composed of four layers. Each addresses a distinct part of the authorization problem. The free tool is the wedge. Wyatt is the core. Virgil and CEE are what enterprise requires.
Wyscan
Open Source · Apache 2.0
Static analysis CLI and GitHub App. Scans agentic codebases for AFB04 violations using AST analysis, data flow analysis, and call graph traversal. Reports every unauthorized action surface before it reaches production.
Wyatt
Early Access
The runtime enforcement gateway. A lightweight daemon that runs alongside your agent system, intercepts every tool call at the execution layer, and enforces declarative policy. Deny by default. Framework agnostic. Set and forget.
Virgil
Attestation Layer · Proprietary
Cryptographic identity and action tracing. Every agent action gets a tamper-evident record: action taken, policy matched, identity authorized, timestamp. Built for SOC 2, legal defensibility, and enterprise incident response.
CEE
Open Standard · CC0
Canonical Execution Event — the open standard for structured agent action records. CEE-compliant audit logs answer enterprise security questionnaires directly. If buyers ask how you audit agent behavior, CEE is the answer.
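The deny-by-default interception described for Wyatt and the tamper-evident record described for Virgil can be illustrated together. This is an added example, not Plarix's code, API or the CEE format. The `Gateway` class, the policy dictionary, the record fields and the SHA-256 hash chain are all assumptions chosen for illustration.

```python
import hashlib
import json
import time

class ActionDenied(Exception):
    """Raised when the gateway refuses a tool call."""

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

class Gateway:
    """Hypothetical mediator: the agent can reach tools only through call()."""

    def __init__(self, policy, tools, identity):
        self.policy = policy      # assumed format: tool name -> "ALLOW" or "DENY"
        self.tools = tools        # tool name -> callable
        self.identity = identity  # who the agent is acting as
        self.log = []             # hash-chained audit records

    def _record(self, action, args, matched, decision):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = {"action": action, "args": args, "policy_matched": matched,
                "decision": decision, "identity": self.identity,
                "timestamp": time.time(), "prev": prev}
        self.log.append({**body, "hash": _digest(body)})

    def call(self, action, **args):
        rule = self.policy.get(action)  # None: no rule names this tool
        decision = "ALLOW" if rule == "ALLOW" else "DENY"
        matched = f"{action} -> {rule}" if rule else "default-deny"
        self._record(action, args, matched, decision)  # log before acting
        if decision == "DENY":
            raise ActionDenied(action)  # the tool function is never invoked
        return self.tools[action](**args)

def verify_chain(log):
    """True if no record was edited or reordered. Detecting a truncated
    tail would additionally need the latest hash anchored elsewhere."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True
```

The denial holds only if the agent process has no other path to the tools; the prompt plays no part in the decision.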
Aryan Haghighi
Founder, Plarix · Istanbul, Turkey
Solo founder. 2nd year Electrical Engineering undergraduate at Bahcesehir University. EE coursework is deprioritized until the first paying customer is secured. The entire cognitive budget goes to Plarix.
The bet: AI safety is a computational medium problem, not a prompt problem. Deterministic enforcement at the execution layer is the right architectural approach. Wyatt is the proof of concept. If it wins, it proves the model for every layer above it.
Human control over AI systems.
The current state of agentic AI is: agents have full access to tools and data, system prompts are the only constraint, and no mechanism exists to enforce what they can actually do. That is not a gap in product features. It is a gap in infrastructure.
Plarix is building that infrastructure. The goal is a world where any team can deploy an AI agent into production with the same confidence they deploy any other piece of software — knowing exactly what it can and cannot do, and having a tamper-evident record of every decision it makes.