TheVortiq
Inteligencia Artificial

Brex reinvents AI agent governance: observation-based policies

The fintech launches CrabTrap, an open source proxy that analyzes agent network traffic to decide permissions in real time, instead of imposing prior rules.

July 18, 2026 · 5 min read

padlock on laptop with light trails

TL;DR: Brex has created CrabTrap, an open source HTTP/HTTPS proxy that intercepts AI agent network traffic and uses an LLM as a judge to decide permissions in real time, based on observing actual behavior rather than static rules.

What happened?

Brex, the fintech specializing in financial services for startups, has announced a new governance policy for AI agents based on observing their actual behavior rather than imposing prior static rules. To implement it, they created an internal platform called CrabTrap, an open source HTTP/HTTPS proxy that intercepts all agent network traffic, examines policy rules, and uses a language model as a judge (LLM-as-a-judge) to decide whether to approve or deny requests.

According to Brex co-founder and CEO Pedro Franceschi, speaking to VentureBeat, the network layer was an underutilized enforcement point. “Every request an agent makes is an opportunity to intercept, reason, and make a policy decision,” he said. The initiative stems from Brex's experience with its own agent framework, OpenClaw, which according to the same source has surpassed 500,000 instances but lacked a proper enterprise security mechanism. Agents need real credentials — API keys, OAuth tokens, service accounts — to function, and Brex found that traditional guardrails could not contain what those agents did with them.

Why is it important?

AI agent governance is one of the most pressing challenges for companies deploying autonomous systems. Traditional approaches — SDK-level permissions, semantic guardrails, or intermediate human approvals — have proven insufficient: they are easy to bypass via prompt injection, limit agent functionality, or require constant adjustments as new capabilities emerge. Franceschi described the inherent tension: “The more capable you make an agent, the more dangerous it becomes; the safer you make it, the less useful it is.” This dichotomy has been a key obstacle to enterprise adoption of autonomous agents.

Brex's approach addresses this dichotomy by operating at the transport layer, making it framework-agnostic, language-agnostic, and API-agnostic. This enables centralized governance without the need for SDK wrappers or per-tool integrations. According to Franceschi, existing solutions were “weak”: fine-grained API tokens help at the margins but can still be misused and limit functionality; semantic guardrails (like context, skills, or prompt routing) are easily overcome by prompt injection, especially in internet-connected agents. Moreover, limiting agents to read-only access or restricted tool sets “disarms” them, preventing them from doing meaningful work.

How does CrabTrap work?

CrabTrap is configured simply by setting the HTTP_PROXY and HTTPS_PROXY environment variables in the agent's environment. Every outgoing request passes through the proxy before reaching its destination. The proxy applies policy rules and, when necessary, consults an LLM to decide whether the request is acceptable. The system is framework-agnostic (compatible with any agent framework, such as OpenClaw), programming language-agnostic, and API-agnostic, making it a universal solution for governing agents regardless of their internal implementation.

On the technical implementation side, CrabTrap intercepts HTTPS traffic using a CA certificate, allowing inspection of request content. Policies are defined in YAML configuration files, specifying rules such as domain whitelists/blacklists, HTTP method restrictions, or conditions to trigger LLM evaluation. For example, a policy might deny all requests to api.example.com unless the LLM determines the request is legitimate. The LLM receives the full request context (URL, headers, body) and returns a decision (approve/reject) along with a justification. Brex uses proprietary and third-party language models and plans to allow users to bring their own LLM.

Industry implications

Brex's approach could mark a turning point in AI agent security. By shifting enforcement to the network layer, companies can apply consistent policies to all agents, regardless of their origin or framework. Moreover, by relying on real observation, policies can evolve with agent behavior rather than quickly becoming obsolete. This contrasts with previous approaches where static rules rapidly became ineffective as agents gained new capabilities.

However, using an LLM as a judge introduces its own risks: bias, latency, cost, and the possibility that the LLM itself could be deceived. Brex acknowledges that layered security is necessary and that CrabTrap is not the only answer, but rather another layer in a defense-in-depth strategy. Compared to other approaches, such as model guardrails (e.g., OpenAI's content filters) or API-level permission systems (e.g., OAuth scopes), CrabTrap offers a key advantage: it is independent of the AI provider and agent framework, making it applicable to heterogeneous environments. However, the added latency from LLM queries could be an issue in real-time applications. Brex says they have optimized the process so that most requests are approved without LLM intervention, using simple rules first, and only resorting to the LLM in ambiguous cases.

From a market perspective, this innovation could accelerate the adoption of autonomous agents in companies that have been hesitant due to a lack of adequate security controls. According to industry data, the AI agent market is expected to grow at a compound annual rate of 40% until 2030, and governance is one of the main obstacles. Solutions like CrabTrap, being open source, allow any organization to adopt and customize this approach, potentially democratizing agent security.

What should readers know?

For CTOs and security leaders, the lesson is clear: agent governance cannot rely solely on static rules or superficial guardrails. A centralized control point that observes and decides in real time is necessary. CrabTrap, being open source, allows any organization to adopt and customize this approach. Moreover, Brex's case demonstrates that security innovation can arise from internal need, and solutions like this can scale across the industry. The combination of network proxy and LLM-judge is promising, but will require more research and testing to ensure its robustness.

It is important to note that CrabTrap is not a magic solution: layered security is still necessary, and the LLM-judge can fail or be deceived. Brex recommends complementing it with other measures such as anomaly monitoring, rate limiting, and periodic human review. Additionally, the proxy introduces a single point of failure and a potential bottleneck, so organizations must consider high availability and redundancy. In summary, CrabTrap represents a significant advance in agent governance, but it must be integrated into a broader security strategy.

Keep reading