Sondera
What is it?
Sondera is a platform designed to apply enterprise policies to AI agents. It is built around a policy-engine harness that integrates with AI agent frameworks including LangGraph, Google ADK, and Strands.
Sondera uses hooks to intercept LLM and tool call requests and responses. These hooks evaluate policies that can block or steer the model away from undesirable actions, and escalate to a human if necessary. Sondera also exposes an API for integrating policy hooks into custom agent implementations. Sondera’s harness is open-source, with a commercial platform layer for team policy management, dashboards, and centralized audit logs.
Why did they build it?
AI agents are non-deterministic. The current approach to constraining agent behavior is writing instructions in the system prompt and hoping the model follows them. It does not always follow instructions.
The risks in enterprise deployments are specific and compounding. Any agent with access to private data, exposure to untrusted content, and the ability to communicate externally is a prompt injection target waiting for data exfiltration. Agents can also modify data in ways DLP never sees because nothing leaves the network. Attribution is another problem: compromised code from a coding agent could be an insider threat, a hijacked agent, or a hallucination, and existing tools cannot distinguish agent actions from human ones. EDR is equally blind here because prompt injection is logic-based, not malware-based. No binary detonates. There is nothing for endpoint detection to find.
Existing security tooling was built for humans and malware, not autonomous software that improvises.
How does the harness work?
The harness intercepts the entire agentic loop using six hooks: before the agent starts, before each model call, after the model responds, before tool execution, after the tool completes, and after the agent completes. At every hook, the action, its parameters, and accumulated context are evaluated against Cedar policies. The harness tracks what the agent has done across the full trajectory, so it catches compound violations where individual steps look benign but the sequence is not. Cedar is default-deny and provably decidable: every policy evaluation is guaranteed to terminate with a result. When a policy denies an action, the agent receives a reason and can attempt an alternative. Sondera calls this “steer, don’t block.”
Won’t agents find workarounds?
Yes. Block rm -rf and the agent tries find -delete, mv to trash, or something else. Agents are hyper-competent, eager to please, and will invent creative paths to accomplish their goal.
Sondera’s approach is to enumerate and block the behaviors rather than constraining intent through prompts. A policy pack for a coding agent with shell access covers rm -rf, find -delete, credential file reads, config overwrites, and dozens of other risky patterns. It is a cat-and-mouse game, but deterministic policy enforcement provides a hard boundary that prompt-based instructions cannot.
Policies can also prevent agent self-modification: rewriting framework configuration, modifying tool definitions, or altering system prompts, any of which would let a prompt-injected agent escalate its own capabilities.
What doesn’t it do?
It does not secure the model itself or prevent hallucinations. It is a behavioral constraint layer. If an agent produces a wrong answer without making a tool call, the harness has nothing to intercept.
Risky Business appearances (last 24 months)
- Soap Box: Sondera (February 2026)
Sources
- Soap Box interview with Josh Devon
- Sondera marketing site: https://www.sondera.ai/
- Sondera Harness documentation: https://docs.sondera.ai/
Disclosure
Patrick Gray is an advisor to Sondera. Sondera is a Decibel portfolio company, and Decibel is a part owner of Risky Business Media.
Sondera
Mind Your Agents. Because their next action could be brilliant—or a breach.