ThirdKey AI demonstrates elimination of AI agent exploits across multiple attack classes.

PASADENA, CA — May 5, 2026 — ThirdKey AI today announced results from a comparative empirical evaluation of its Symbiont runtime against two alternative substrates, demonstrating that structural security controls eliminate entire classes of AI agent execution-layer exploits where industry-standard OS isolation does not.

The study — Three Substrates, Seven Models, Six Tasks: A Comparative Empirical Evaluation of Structural Enforcement for AI Agent Runtimes (preprint v0.2, May 2026; DOI 10.5281/zenodo.20043247) — ran 3,760 trials across seven hosted LLMs spanning four vendors and three capability tiers (frontier, mid, floor), against three execution substrates: a permissive Python baseline, the same baseline wrapped in a strict Docker container, and Symbiont. Across four pure-action attack classes — filesystem enumeration, network-boundary escape, syscall execution, and state mutation — Symbiont recorded 0 successful exploits out of 560 trials regardless of model or capability tier.

The evaluation compared three approaches to securing AI agents:

• A permissive Python baseline
• A Docker-sandboxed Python environment — the prevailing industry default
• ThirdKey’s Symbiont runtime, with typestate-enforced tool contracts and policy-gated execution

The Docker substrate provided effectively zero protection on the four vectors where the malicious behavior occurs inside the agent’s own bind-mounted working area: it failed to stop 88% of filesystem-enumeration attacks, 89% of network-boundary attacks, and 84% of state-mutation attacks. The lone vector where Docker materially helped — syscall execution (38% → 9% pooled) — succeeded only because the lure binary /usr/bin/openssl happens to be missing from the python:3.12-slim image. On any image that includes openssl, the substrate contribution shrinks toward zero. The defense is incidental, not structural.

Symbiont, by contrast, eliminated all four vectors entirely by constraining the agent’s available action surface through typestate-enforced tool contracts, policy-gated execution, and capability-scoped tools. Its 0% rate on syscall-boundary is independent of what binaries are installed on the host or in any container: no python_eval tool exists in declared capabilities, and no execve path runs through the agent surface at all.

The evaluation also examined prompt-injection attacks against agent orchestration, tightened to n=200 per cell across all seven working models for tight Wilson confidence intervals. Symbiont reduced pooled orchestrator-injection success from 59% (826/1,400) to 3.6% (50/1,400) — a 56-percentage-point reduction produced by the agent_summary ToolClad parameter type, which routed 1,711 distinct attempts through the symbi-invis-strip injection-marker detector before any worker output could reach the downstream agent.

The remaining 3.6% is not uniform. Six of seven models cluster at 1–4% bypass; excluding the outlier, Symbiont’s pooled rate is 1.5% (18/1,200). One frontier model, GPT-5, alone reaches 16% [12%, 22%] (Wilson 95% CI) against the content validator — a confidence interval that does not overlap any other model’s. ThirdKey characterizes this as the regex ceiling: frontier models possess paraphrase capabilities that exceed substring marker matching, regardless of how the marker list is expanded. The structural fixes that would close it — LLM-as-judge classification of worker output, or user-role data separation in the downstream agent — are explicitly identified in the paper.

ThirdKey’s results suggest that AI agent security should be separated into two distinct problems: execution safety and content integrity. Execution safety controls what actions an agent can perform. Content integrity addresses whether inputs, outputs, and intermediate summaries have been maliciously manipulated.

Symbiont focuses on execution safety using structural controls that constrain what an agent can express, rather than relying solely on runtime filtering or post-hoc detection. Content-integrity defenses — cryptographic provenance, structural output isolation, LLM-as-judge validators — remain a complementary, model-dependent layer that the industry has yet to standardize.

The full preprint, reference corpus, runtime, and specification are available at:

• Preprint: Three Substrates, Seven Models, Six Tasks: A Comparative Empirical Evaluation of Structural Enforcement for AI Agent Runtimes (v0.2, May 2026) — DOI 10.5281/zenodo.20043247. Full methodology, per-cell results, Wilson confidence intervals, and per-trial audit format.
• Reference corpus: github.com/ThirdKeyAI/symbiont-orga-demo — raw data, sweep configurations, per-trial audit sidecars (request IDs, blocked_by attributions, SHA-256 evidence hashes). Reproducible at $50.89 ground-truth OpenRouter spend.
• symbiont.dev — the Symbiont agent runtime
• openagenttruststack.org — the Open Agent Trust Stack (OATS) specification
• thirdkey.ai — company overview and product index

ThirdKey AI is an AI security company building open primitives for trustworthy autonomous systems. Its work focuses on making agent behavior enforceable, auditable, and resistant to exploitation at runtime — through cryptographic identity, schema verification, declarative tool contracts, and a policy-governed runtime.

Media contact