As organizations increasingly deploy AI agents to automate complex workflows, the need for rigorous verification of their behavior becomes critical. Praxen, an open-source tool developed to address this challenge, performs a straightforward but essential task: it checks whether an AI agent does what it claims to do. By comparing an agent's declared policy with its actual operations, Praxen highlights every instance where the two diverge, providing teams with actionable insights into potential security gaps and misconfigurations.
The Rise of Agentic AI and the Need for Verification
AI agents are software entities that can autonomously perform tasks, make decisions, and interact with other systems. They are increasingly used in areas such as customer support, data analysis, cybersecurity, and supply chain management. Unlike traditional software that follows fixed rules, agents often rely on large language models (LLMs) and dynamic reasoning, which can lead to unpredictable behavior. This unpredictability introduces new risks, including unintended actions, data leaks, and security vulnerabilities. Praxen addresses these risks by providing a structured framework for verifying that an agent's behavior aligns with its authorized scope.
Traditional security controls like firewalls and access management systems are not designed to handle the nuanced behavior of AI agents. A developer might define an agent's role in natural language, but that definition may not translate accurately into the agent's code, configuration, or runtime behavior. Moreover, agents can evolve over time as they learn from interactions, potentially drifting away from their original purpose. Praxen's approach borrows from established employee management practices: each person receives a defined set of permissions, and the organization monitors compliance. The tool applies the same logic to software agents, granting each agent a clear scope of activity it is permitted to perform.
How Praxen Works: Worker Remit and Evidence Analysis
Praxen is the reference implementation of a control model known as Agent Behavior Verification. At the heart of this model is the Worker Remit, a markdown policy document that declares what an agent may or may not do. The Worker Remit includes key elements such as the agent's mission, authorized tools, approved channels, counterparties, and forbidden actions. Teams write this document as part of the agent's design phase, creating a single source of truth for intended behavior.
Once the Worker Remit is defined, Praxen reads evidence from multiple sources to verify compliance. This evidence includes source code, deployment state, behavioral logs, and governance documents. The tool then compares the declared policy against observed behavior and generates a gap analysis report. Each finding is presented in multiple formats: a self-contained HTML report with interactive visualizations, a machine-readable JSON file suitable for integration into CI/CD pipelines, and a plain-text summary stored in a local reports folder. All data remains local, ensuring privacy and security.
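The remit-versus-evidence comparison described above, as an added example that is not Praxen's own code: the remit headings, the log format and the severity levels are assumptions, since the article does not specify them.

```python
# Added example (not Praxen's own code): the remit headings and the log
# format are assumptions, since the article does not specify either.
import json
from collections import defaultdict
# Constructed Worker Remit: '## ' headings introduce allow and deny lists.
REMIT_MD = """\
## Authorized tools
- read_mailbox
- create_ticket
## Approved channels
- email
- ticketing
## Counterparties
- finance-team
## Forbidden actions
- send_email
- delete_ticket
"""
# Constructed behavioural log: one JSON object per observed operation.
OBSERVED_LOG = """\
{"tool": "read_mailbox", "channel": "email", "counterparty": "finance-team"}
{"tool": "create_ticket", "channel": "ticketing", "counterparty": "finance-team"}
{"tool": "send_email", "channel": "email", "counterparty": "vendor-acme"}
{"tool": "http_get", "channel": "web", "counterparty": "finance-team"}
"""

def parse_remit(md):
    """Return {section: set(items)} from the heading / bullet layout."""
    sections, current = defaultdict(set), None
    for line in md.splitlines():
        if line.startswith("## "):
            current = line[3:].strip().lower()
        elif line.startswith("- ") and current:
            sections[current].add(line[2:].strip())
    return sections

def gap_analysis(remit_md, log_text):
    """Check every observed operation against the declared policy."""
    remit, findings = parse_remit(remit_md), []
    for n, line in enumerate(log_text.splitlines(), 1):
        op, ref = json.loads(line), f"log:{n}"  # each finding cites its evidence line
        if op["tool"] in remit["forbidden actions"]:
            findings.append(("high", ref, f"forbidden action {op['tool']} executed"))
        elif op["tool"] not in remit["authorized tools"]:
            findings.append(("medium", ref, f"tool {op['tool']} not authorized"))
        if op["channel"] not in remit["approved channels"]:
            findings.append(("medium", ref, f"channel {op['channel']} not approved"))
        if op["counterparty"] not in remit["counterparties"]:
            findings.append(("low", ref, f"counterparty {op['counterparty']} not declared"))
    return findings
```

Every finding carries the log line it came from, which is the traceability property the article describes; the first two operations match the remit and produce nothing.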
Praxen is designed to be used as a plugin for Claude Code, a popular coding agent. It supports a systematic analysis that runs a set of named checks covering a wide range of potential issues. These include policy-implementation divergence, where the code does not match the Worker Remit; credential exposure, such as API keys or tokens hardcoded in source files; configuration gaps, such as missing or misconfigured access controls; capability drift, where the agent's functionality expands beyond its intended scope; supply-chain risk, from third-party dependencies with known vulnerabilities; half-wired controls, where security mechanisms are partially implemented; empty stub files in security-relevant paths; secondary prompt discovery, which reveals hidden instructions or injection points; and compound signal reasoning, which chains individual findings to identify higher-severity attack paths.
Each finding is tagged with references to relevant security frameworks, including the OWASP Top 10 for LLM Applications 2025, the OWASP Top 10 for Agentic AI Applications 2026, the OWASP Secure MCP Server Development Guide 2026, and the RAISE Framework, which assigns a maturity score across six categories such as governance, risk management, and incident response. This tagging helps teams prioritize remediation efforts and align with industry best practices.
One Policy Across the Agent Lifecycle
Runtime monitoring is handled by a separate layer called Agent Behavior Analytics (ABA). Praxen and ABA are intended to work together as part of a broader Behavior Intelligence strategy. The Worker Remit serves as the common policy definition for both stages. During verification, Praxen answers whether a team built the agent it intended. During runtime, ABA answers whether the agent behaves as intended in production. The company developing these tools envisions that over time, the verification and analytics layers will become increasingly interconnected, creating a continuous feedback loop for agent governance.
The Worker Remit is designed to be human-readable and structured, making it accessible to non-technical stakeholders such as compliance officers and auditors. It captures the organization's explicit expectations for the agent, providing a natural foundation for both pre-deployment verification and ongoing monitoring. By using a single policy document across the entire agent lifecycle, teams can avoid the fragmentation that often occurs when security policies are defined separately for development and production environments.
Consistency Across Repeated Runs
Because Praxen relies on a coding agent (Claude Code) to perform the analysis, two runs against the same evidence can produce slightly different sets of findings. The developers acknowledge this variability and have taken steps to ensure reliability. According to the company, the major findings and overall security themes are highly stable across runs, with only minor movements in severity counts or maturity scoring at the margins. Every finding is traceable back to specific source material, such as files, configurations, and artifacts, allowing reviewers and auditors to independently verify each claim.
To measure consistency, the team maintains a frozen regression suite containing representative agent implementations. This suite is used to validate that major findings, themes, and maturity assessments remain consistent across releases. For governance, compliance, or benchmarking purposes, the company recommends running the analysis multiple times, reporting the median result and range, and unioning the material findings across runs. A single run provides a useful snapshot of an agent's security posture, while repeated runs add statistical confidence.
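The median-and-range reporting plus union of material findings recommended above, as an added example that is not Praxen's own code: the per-run JSON shape, the stable finding ids and the severity ranking are assumptions.

```python
# Added example (not Praxen's own code): the per-run JSON shape is assumed;
# it applies the article's advice to report median, range and a union of runs.
import json
from statistics import median

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MATERIAL = {"medium", "high", "critical"}  # severities treated as material

# Constructed output of three runs over the same evidence; each finding has a
# stable id built from its check and evidence reference so runs can be matched.
RUNS = [json.loads(s) for s in (
    '{"maturity": 2.8, "findings": [{"id": "cred:src/config.py:12", "severity": "high"},'
    ' {"id": "gap:env:DB_TLS", "severity": "medium"}, {"id": "drift:tool:fs_write", "severity": "medium"}]}',
    '{"maturity": 3.0, "findings": [{"id": "cred:src/config.py:12", "severity": "high"},'
    ' {"id": "gap:env:DB_TLS", "severity": "medium"}]}',
    '{"maturity": 2.9, "findings": [{"id": "cred:src/config.py:12", "severity": "high"},'
    ' {"id": "gap:env:DB_TLS", "severity": "low"}, {"id": "drift:tool:fs_write", "severity": "medium"}]}',
)]

def stats(values):
    """(median, min, max) for one metric across runs."""
    return (median(values), min(values), max(values))

def aggregate(runs):
    """Median/range of maturity and severity counts, plus the union of material findings."""
    per_sev = {sev: [0] * len(runs) for sev in RANK}
    union, seen_ids = {}, []
    for i, run in enumerate(runs):
        seen_ids.append({f["id"] for f in run["findings"]})
        for f in run["findings"]:
            per_sev[f["severity"]][i] += 1
            # The union keeps the worst severity a material finding received in any run.
            if f["severity"] in MATERIAL and RANK[f["severity"]] > RANK.get(union.get(f["id"]), 0):
                union[f["id"]] = f["severity"]
    return {
        "maturity": stats([r["maturity"] for r in runs]),
        "severity_counts": {sev: stats(v) for sev, v in per_sev.items() if any(v)},
        "material_findings": union,
        "stable_ids": set.intersection(*seen_ids),  # present in every run
    }
```

The drift finding appears in only two of three runs and the DB_TLS gap changes severity, which is the kind of margin movement the article describes; the union still reports both at their worst severity.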
Handling Evidence That Exceeds the Context Window
Large evidence sets can easily exceed the context window of the underlying AI model. To address this, Praxen begins with a discovery pass that examines source code, configuration files, dependency manifests, tool and MCP definitions, memory artifacts, and logs. It then prioritizes the material most relevant to agent behavior and security controls. Large logs are sampled to widen coverage without overwhelming the context window.
The company notes an important risk in long-running analyses: earlier observations can be summarized and effectively forgotten as the session grows. To mitigate this, Praxen writes findings incrementally and checkpoints the analysis state into a structured manifest before generating the final report. If the underlying AI session exceeds its context window, the report can be reconstructed from that checkpoint. Coverage information is recorded directly, so findings drawn from sampled evidence carry a marker, and missing evidence registers as a signal of its own. This transparency allows users to trust the results even when dealing with large codebases or extensive logs.
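The incremental writing, checkpoint manifest and coverage markers described above, as an added example that is not Praxen's own code: the JSON-lines manifest layout, the coverage statuses and the "evidence-gap" check name are assumptions.

```python
# Added example (not Praxen's own code): the manifest layout is an assumption
# showing incremental writes, coverage markers and report reconstruction.
import json
import os
import tempfile

class Checkpoint:
    """Append-only JSON-lines manifest. Each record is flushed as soon as it is
    known, so a session that later overruns its context window loses nothing."""
    def __init__(self, path):
        self.path = path

    def _append(self, record):
        with open(self.path, "a") as fh:
            fh.write(json.dumps(record) + "\n")

    def coverage(self, source, status, note=""):
        """Record how much of an evidence source was read: full, sampled or missing."""
        self._append({"kind": "coverage", "source": source, "status": status, "note": note})

    def finding(self, check, severity, source, detail):
        self._append({"kind": "finding", "check": check, "severity": severity,
                      "source": source, "detail": detail})

def build_report(path):
    """Rebuild the report from the manifest alone; no live AI session is needed."""
    coverage, findings = {}, []
    with open(path) as fh:
        for rec in map(json.loads, fh):
            if rec["kind"] == "coverage":
                coverage[rec["source"]] = rec
            else:
                findings.append(rec)
    for f in findings:  # findings drawn from sampled evidence carry a marker
        f["evidence_coverage"] = coverage.get(f["source"], {}).get("status", "unknown")
    for src, c in coverage.items():  # missing evidence registers as a signal of its own
        if c["status"] == "missing":
            findings.append({"kind": "finding", "check": "evidence-gap", "severity": "medium",
                             "source": src, "detail": c["note"], "evidence_coverage": "missing"})
    return {"coverage": coverage, "findings": findings}

def demo():
    """Constructed session: full source, a sampled log and a missing deployment state."""
    cp = Checkpoint(os.path.join(tempfile.mkdtemp(), "manifest.jsonl"))
    cp.coverage("src/config.py", "full")
    cp.coverage("logs/agent.log", "sampled", "1,000 of 240,000 lines read")
    cp.coverage("deploy/state.json", "missing", "deployment state was not provided")
    cp.finding("credential-exposure", "high", "src/config.py", "API token assigned at line 12")
    cp.finding("capability-drift", "medium", "logs/agent.log", "fs_write seen; remit is read-only")
    return build_report(cp.path)
```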
Praxen's approach to context-window limits highlights a broader challenge for all AI-powered analysis platforms. The goal is to make these constraints visible, measurable, and recoverable. By implementing incremental writing and checkpointing, Praxen ensures that users can reproduce results and understand the degree of coverage achieved.
Detailed Breakdown of Security Checks
Each Praxen analysis runs a comprehensive set of named checks. Understanding these checks helps teams appreciate the breadth of issues the tool can detect. Policy-implementation divergence checks compare the Worker Remit against the source code to identify where the agent's actual capabilities deviate from its intended role. For example, if the remit states that the agent can only read data from a specific database, but the code includes queries to other databases, the tool flags this as a gap.
Credential exposure checks scan the entire codebase for hardcoded secrets, such as API keys, passwords, or tokens. These checks are critical for preventing accidental leaks that could lead to unauthorized access. Configuration gap checks look for missing environment variables, incorrect permission settings, or poorly configured network access. Capability drift checks analyze the agent's function calls and dependencies to see if it has gained unintended abilities, such as modifying files when it was supposed to only read them.
Supply-chain risk assessments examine the agent's dependencies, including third-party libraries and model weights. The tool checks against known vulnerability databases and evaluates the trustworthiness of each component. Half-wired controls are detected when security mechanisms are partially implemented—for example, a function that validates user input but fails to sanitize it. Empty stub files in security-relevant paths indicate incomplete implementation of security features, which could be exploited by an attacker.
Secondary prompt discovery is a particularly advanced check that searches for hidden prompts or instructions embedded in the agent's configuration or memory artifacts. These secondary prompts can override the agent's primary behavior, leading to unexpected actions. Finally, compound signal reasoning chains multiple individual findings into a higher-severity attack path. For instance, a credential exposure combined with a network configuration gap could allow an attacker to exfiltrate data.
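The compound signal reasoning described above, as an added example that is not Praxen's own code: the rule table, the check names and the severity ranking are assumptions, chosen to show how co-occurring individual findings are chained into one higher-severity finding that cites its parts.

```python
# Added example (not Praxen's own code): the rule table is an assumption that
# shows how individual findings chain into one higher-severity compound finding.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed individual findings, tagged by check name, each with its evidence ref.
FINDINGS = [
    {"check": "credential-exposure", "severity": "medium", "ref": "src/config.py:12"},
    {"check": "configuration-gap", "severity": "low", "ref": "deploy/network.yaml:egress"},
    {"check": "empty-stub", "severity": "low", "ref": "src/auth/validate.py"},
]

# Each rule: the checks that must co-occur, the resulting severity, and the reason.
COMPOUND_RULES = [
    ({"credential-exposure", "configuration-gap"}, "high",
     "exposed credential plus a network configuration gap form an exfiltration path"),
    ({"half-wired-control", "empty-stub"}, "high",
     "partial control next to an empty stub suggests the control is not enforced"),
]

def compound_findings(findings, rules=COMPOUND_RULES):
    """Chain co-occurring findings into compound findings that cite their parts."""
    by_check = {}
    for f in findings:
        by_check.setdefault(f["check"], []).append(f)
    out = []
    for needed, severity, reason in rules:
        if needed.issubset(by_check):  # every check in the rule has at least one finding
            parts = [f for c in sorted(needed) for f in by_check[c]]
            # The compound severity is never below any contributing finding.
            worst = max(parts, key=lambda f: RANK[f["severity"]])["severity"]
            sev = severity if RANK[severity] >= RANK[worst] else worst
            out.append({"check": "compound:" + "+".join(sorted(needed)), "severity": sev,
                        "reason": reason, "refs": [f["ref"] for f in parts]})
    return out
```

Only the first rule fires on the constructed input: the empty stub has no matching half-wired control, so it stays an individual low finding.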
Integration and Deployment
Praxen is designed to run before deployment and on each release, making it suitable for DevSecOps pipelines. Teams can install it as a plugin for Claude Code, which simplifies the setup process. The tool requires Python 3.9 or later and works with any agent that provides access to its source code, logs, and configuration files. The HTML report includes a summary dashboard with severity levels, tag breakdowns, and links to detailed findings. The JSON output is structured for automated processing and can be fed into vulnerability management systems.
The tool's open-source nature encourages community contributions and transparency. Organizations can audit the verification logic, customize checks, or extend the tool to support additional frameworks. Praxen is available for free on GitHub, lowering the barrier for teams of all sizes to adopt agent behavior verification.
As AI agents continue to evolve and assume more critical roles, tools like Praxen will become essential for maintaining trust and security. By providing a systematic method for verifying that agents operate within intended boundaries, Praxen helps organizations manage the risks of autonomous software. The combination of static analysis, runtime monitoring, and a unified policy document creates a robust foundation for AI governance.
Source: Help Net Security News