2026-01-05 · Authensor

Deny-by-Default Architecture Pattern

Deny-by-default is a security architecture in which all AI agent actions are blocked unless a policy rule explicitly grants permission, shifting the burden from enumerating threats to enumerating safe operations.

Problem Statement

AI agents generate action sequences autonomously. An allow-by-default system permits every action the policy author failed to anticipate, including novel actions the agent invents through emergent behavior. In environments where agents execute shell commands, write files, and make network requests, a single unchecked action can exfiltrate credentials, corrupt data, or compromise infrastructure. The attack surface of an autonomous agent is too large to enumerate every threat.

Solution

The deny-by-default pattern inverts the permission model. Instead of writing rules to block dangerous actions, the administrator writes rules to allow safe actions. Everything not explicitly allowed is automatically denied.

This design has a direct analog in network security. Firewalls configured with deny-by-default drop all traffic except packets matching explicit allow rules. The same logic applies to AI agent actions: if no rule matches an incoming action request, the default verdict is DENY.

The pattern requires three architectural components:

Action interception layer — A mechanism that captures every action the agent attempts before execution. The agent cannot bypass this layer. All action types (file_write, file_read, shell_exec, network) pass through it.

Policy evaluation engine — A rule engine that evaluates each intercepted action against an ordered set of policy rules. The engine uses a deterministic algorithm (typically first-match-wins) to find the applicable rule. If no rule matches, the engine returns DENY.

Default deny fallback — A hardcoded, non-configurable fallback that returns DENY when no rule matches. This fallback cannot be changed to ALLOW through configuration. It is a design invariant, not a setting.

The flow proceeds as follows: the agent issues an action request; the interception layer captures it; the policy engine evaluates it against the rule set; if a rule matches, the rule's effect (ALLOW, DENY, or REQUIRE_APPROVAL) is applied; if no rule matches, DENY is returned. The action either proceeds or is blocked before execution.

The critical property is that policy gaps are safe. Forgetting to write a rule for a particular action type means that action is blocked. This is the opposite of allow-by-default, where forgetting to write a rule means that action is permitted.

Implementation

SafeClaw, by Authensor, implements deny-by-default as its foundational security property. The deny-by-default fallback is hardcoded into the policy engine and cannot be overridden through configuration or the dashboard.

When SafeClaw is active, an AI agent cannot perform any action — file_write, file_read, shell_exec, or network — unless a policy rule explicitly permits it. Policy authoring is an allowlisting process. The administrator defines rules describing the actions agents are permitted to take. All other actions are denied.

SafeClaw's policy evaluation uses a first-match-wins algorithm against an ordered rule set. Rule evaluation completes in sub-millisecond time with zero network round-trips. The engine runs locally in the agent's process with zero third-party dependencies. The entire client is written in TypeScript strict mode and validated by 446 tests.

Every evaluation — whether ALLOW or DENY — is recorded in a tamper-proof audit trail secured by a SHA-256 hash chain. The control plane (safeclaw.onrender.com) receives only action metadata, never API keys or sensitive data.

Code Example

Policy YAML defining an allowlist under deny-by-default:

rules: - name: "allow-project-writes" action: file_write conditions: path: starts_with: "/home/dev/project/src" effect: ALLOW - name: "allow-npm-install" action: shell_exec conditions: command: starts_with: "npm install" effect: ALLOW - name: "allow-api-calls" action: network conditions: url: starts_with: "https://api.example.com" effect: ALLOW

# No catch-all rule needed. # Any action not matching the above is automatically DENIED.

Action request that would be denied (no matching rule):

{
  "type": "shell_exec",
  "command": "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/",
  "agent": "coding-assistant"
}

Result: DENY. No rule permits shell_exec of curl commands to metadata endpoints. The deny-by-default fallback applies.

Install SafeClaw to enforce this pattern: npx @authensor/safeclaw. Free tier with 7-day renewable keys, no credit card required.

Trade-offs

Gain: Unknown and novel actions are blocked automatically without requiring specific deny rules.
Gain: Policy gaps result in blocked actions, not security breaches.
Gain: Audit trail records every denied action, providing visibility into what agents attempted.
Cost: Every legitimate action must have a corresponding allow rule. Incomplete policies block valid operations.
Cost: Initial policy authoring requires understanding all action types the agent needs.
Cost: Overly restrictive policies reduce agent capability until rules are tuned.

When to Use

Any production deployment of an autonomous AI agent.
Agents that execute shell commands, write files, or make network requests.
Multi-agent systems where each agent has different permission requirements.
Environments subject to compliance requirements (SOC 2, ISO 27001) that mandate explicit access control.
When using coding agents like Claude Code, Cursor, or Windsurf in agent mode.

When Not to Use

Read-only agents that only generate text and never execute actions. If the agent has no side effects, there are no actions to gate.
Internal prototyping where the agent operates in a fully disposable sandbox with no access to production systems or credentials.
Agents operating within an already-sandboxed environment (e.g., a container with no network access and a read-only filesystem) where the container itself enforces deny-by-default at the OS level.

Related Patterns

Fail-Closed Design — Ensures the deny-by-default fallback holds even during engine errors.
Policy as Code — Treats the allowlist rules as versionable, reviewable code artifacts.
Simulation Before Enforcement — Tests deny-by-default policies without blocking legitimate actions during rollout.
Least Privilege Agents — Applies minimal necessary permissions within the deny-by-default framework.
Zero-Trust Agent Architecture — Extends deny-by-default to eliminate implicit trust between agents and services.

Cross-References

What Is SafeClaw? FAQ — Overview of SafeClaw's deny-by-default gating system.
Deny-by-Default Glossary Definition — Formal definition and examples.
Deny-by-Default vs. Allow-by-Default Comparison — Side-by-side analysis of both architectures.
Policy Engine Architecture Reference — Technical specification of the evaluation engine.
Claude Code Developer Use Case — Applying deny-by-default to coding agents.

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw