Tech

Brex builds its AI agent policy by looking at what agents actually do, not by writing rules first

OpenClaw has become one of the most widely accepted agent frameworks, but it has yet to prove itself at enterprise scale. Agents need real credentials — API keys, OAuth tokens, service accounts — to function properly, and Brex found that traditional monitoring lines couldn’t contain what those agents were doing with them.

Brex set out to overcome these limitations by developing an in-house platform it calls the CrabTrap. An open source HTTP/HTTPS proxy intercepts all network traffic, checks policy rules, and uses LLM-as-a-judge to decide whether the agent’s requests should be approved or denied.

“What we noticed was that the network layer was an untapped enforcement area,” Brex founder and CEO Pedro Franceschi told VentureBeat. “Every request an agent makes is an opportunity to block, think about, and make a policy decision.”

The take away Franceschi wants IT leaders to draw: managing agents must move from SDK-level permissions and monitoring models to a network control plane that enforces and learns from real agent behavior in the field.

How Brex has targeted the transport sector

The “obvious fix” (at least initially) for the agent security gap was monitoring tools, and much of the early work focused on integrated tools, per-action permissions, and human-in-the-loop authorization. But as agents evolve, each new capability means another API to be invoked or reviewed for research, notes Franceschi.

“Any agent program with multiple tools and access to the open Internet creates an immediate tension for developers: If you make the agent competent, it becomes more dangerous, and if you make it safer, it can help less,” he said.

Existing solutions for this trade-off were “weak”: Well-characterized API tokens helped the margins but could still be misused and hinder performance. Semantic guardrails (such as context, capabilities, or instantiation) are easily bypassed by instant injection, especially for Internet-connected agents.

Agents can be “tainted” when they’re given read-only access or limited tools, but then they can’t do meaningful work, Franceschi said. On the other hand, providing a wide access to writing and a large tool can lead to missing things and real productivity results.

Modeled content protocol (MCP) gateways apply policy at the protocol layer — but only to traffic that uses MCP. Meanwhile, guardrails from LLM providers are tied to a single model and can be “identified” to customize with business-specific policies. And powerful tools like Nvidia OpenShell offer more “sandbox egress control.”

“When we started, we didn’t have a solution to use harnesses like OpenClaw safely,” said Franceschi. “Instead of waiting for the industry to get involved, we decided to own the problem and develop the necessary tools.”

Notably, they needed a platform that sat between all agents and all network applications, and could make “subtle decisions about what to allow,” he said.

This made the transport layer part of the core architecture and the starting point of the environment, he said.

By working on this layer, CrabTrap is framework-agnostic, language-agnostic, and API-agnostic. It does not require SDK wrapping or integration of each tool. Users are set HTTP_PROXY again HTTPS_PROXY to the agent’s environment, and all outgoing request routes through the agent before reaching the environment.

However, Franceschi stressed, Brex did not start the transport layer because it thinks it is the only answer; rather, they believe in “class protection.”

“The transportation infrastructure was something that was underinvested, and we saw an opportunity to add some sensible legislation there and everything else,” he said.

LLM-as-a-judge training loop

CrabTrap combines static rules that decide with LLM-as-a-judge for applications outside of known patterns, explains Franceschi. The judge only “shoots for the long tail of unusual points or unusual request conditions,” which for a mature agent is usually less than 3% of requests.

The most pressing issue was how do you know if the policy is the right one? With fixed rules, it is “relatively straightforward” to think about precision. But with the LLM judge, the system is not limited, and users need to be confident that the policy approves the right requests and blocks others.

“Our key insight was to bootstrap policy from observed behavior instead of writing it from scratch,” Franceschi said. Starting with real behavior and planning down based on real-world learning “was more effective than starting with a blank page.”

The Brex team built a policy builder (itself an agent loop) that uses sub-agents in shadow mode, analyzes historical network traffic, sample calls, and writes a natural language policy similar to what the agent is doing.

From there, they created an eval system that tests policy changes before they go live. CrabTrap compares historical audit entries against the draft policy and reports specific changes that need to be made. Users can filter results by method, URL, actual decision, and agreement status.

All of this is accompanied by simultaneous jury calls, so replaying thousands of applications “takes minutes, not hours,” Franceschi said. Brex has also established a live feedback loop: Complete test traces are stored in PostgreSQL and can be queried via the admin API and dashboard. In cases where the service is repeatedly denied, the system can notify the person or agent to suggest a policy update for review.

“That closes the loop between perceived denial and policy correction,” Franceschi said.

Key challenges and roadblocks

Of course, construction was not without its challenges. The big one was latency: “Putting LLM between the agent and every outgoing API request felt like it would freeze things up,” he said.

However, it was not as big a problem as expected. This was due to two reasons: The LLM judge only applies to a small part of the applications (the aforementioned 3%). Agents quickly settle into predictable traffic patterns; once observed, high-volume patterns become static rules. Second, by using small, fast models like Claude Haiku it meant that, even when the judge fired, the added latency “didn’t matter.” This can be greatly reduced with local models and quick storage, says Franceschi.

A difficult and invisible challenge was the rapid injection, he said. The judge receives a full HTTP request and all content is controlled by the user, so it is possible that a crafted URL, header, or body of the request can sway the judge’s decision.

Brex addressed this by formatting the request as a JSON object before sending it to the model, so all user-controlled content “is escaped rather than being entered as raw text,” Franceschi said.

Results, and where CrabTrap may appear

Brex tracks several factors to measure CrabTrap’s internal impact: Engagement with agents, network traffic patterns, and net promoter scores (NPS). The most important result of CrabTrap has been “organizational confidence,” Franceschi said.

Previously, the team had “real doubts” when it came to deploying independent agents widely across business operations, because the existing monitoring options did not provide sufficient assurance.

“The CrabTrap changed that calculus,” Franceschi said. They now have an enforcement layer they trust, increasing confidence in expanding agent deployments across multiple business segments and handing more agent configuration and management to users.

Franceschi described the traffic policies as “incredibly strict.” The team expected the policy maker to produce a “difficult starting point” that required heavy manual planning. In practice, however, targeting a platform over a few days of real traffic produces policies that match human judgment on “the majority of outstanding requests.”

Additionally, CrabTrap has revealed how much noise the agent produces. “The audit trail made this apparent for the first time,” Franceschi said. They used denial logs and traffic analysis not only to tune policies, but to harden the agents themselves, remove tools, and cut out all the layers of requests that were wasting both time and tokens.

“The proxy has been a discovery tool, not just an enforcement tool,” he said.

Areas of growth (and input from the open source community)

Brex expects CrabTrap to continue to evolve, especially since they have released it as open source. “We hope the community helps shape it,” said Franceschi.

Areas of improvement include deeper authentication functionality such as single sign-on (SSO), fine-grained role-based access control (RBAC); increased functionality that allows agents to request more permissions; and policy recommendations based on denial patterns.

Programmatic configuration, or developing API endpoints to “create, fork, and apply” policies to agents, can allow the entire policy lifecycle to be automated rather than manually managed, Franceschi said.

In terms of escalation, if an agent is consistently denied a given resource or endpoint, it should be able to submit requests to humans or other AI agents for review and support that with a reason why it needs access.

“That turns CrabTrap from a strict enforcement border into something like a managed permit system,” Franceschi said.

Additionally, the policy is designed to bootstrap from network traffic, but there is an opportunity to include additional signals about agent tracking and calling services, as well as the broader context of what the agents are trying to accomplish in the end. This can help produce more accurate and precise policies.

Finally, there is an “open philosophical question” about the correct posture of CrabTrap: Should it be a fully transparent layer that the agent itself is unaware of, or should it act as a “well-intentioned manager”? (ie, the agent knows about the layer and can communicate with it).

The open source community can help shape these developments, and CrabTrap will only get better with more users, Franceschi said. Brex agents talk to a specific set of APIs; groups using CrabTrap with different agents, services, and policy requirements will reveal “criteria and patterns that we can’t beat on our own.”

“We have big plans for where we can go, and we would like to build in the open space,” said Franceschi.

What other builders can learn from CrabTrap

The response was stronger than expected. CrabTrap has over 700 stars on GitHub. Franceschi said Brex has also heard from OpenAI, Y Combinator CEO Garry Tan, and programmer Pete Steinberger, all of whom have expressed interest in installing a similar internal infrastructure.

The broader lesson: “Don’t let infrastructure gaps be an excuse to wait," Franceschi advised. There are “real barriers” for all businesses that want to use AI agents, including security concerns, lack of tools, or unclear roadblocks.

“It’s tempting to sit on your hands until the industry catches up,” he said. “The lesson from CrabTrap is that you can own those problems directly.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button