Overview
Highflame Shield is a runtime action-enforcement product for AI agents. It intercepts every agent-initiated action before execution, evaluates it against declarative policy and accumulated session context, enforces one of five authorization decisions, and emits a signed, offline-verifiable receipt for each decision.
Classification
- Coverage surface: MCP, Endpoint, SaaS, Cloud, API, Network, Data/DB
- Stage: Launched
- Type: Commercial
- Target audience: Enterprise
- Deployment: SaaS, Self-hosted, Hybrid
Technical profile
Spec-grounded axes, verified by the TWG.
- Interception architecture (R1): SDK Instrumentation, Protocol Gateway
- Policy model (R3): Hybrid
- Authorization decisions (R4): DENY, MODIFY, STEP_UP, DEFER, ALLOW
- Conformance level: Core (R1–R6)
Conformance review
| R1 | Pre-execution interception | ✅ |
| R2 | Context accumulation | ✅ |
| R3 | Policy evaluation with intent alignment | ✅ |
| R4 | Five authorization decisions | ✅ |
| R5 | Tamper-evident receipts | ✅ |
| R6 | Identity binding | ✅ |
| R7 | Semantic distance tracking | — |
| R8 | Telemetry export | — |
| R9 | Least privilege enforcement | — |
Platform capabilities
- Pre-execution interception at a fail-closed enforcement endpoint — no fail-open path
- Per-session context accumulation (prior actions, data classifications, original request), defaulting to highest sensitivity
- Append-only, hash-chained session context log (tamper-evident)
- Cedar policy engine with four classifications and documented, auditable defer triggers
- Typed parameter validation (type, range, pattern, allow/blocklist) on tool-call arguments
- All five decisions: ALLOW, DENY, MODIFY (PII redaction), STEP_UP (human approval), DEFER (bounded cascade depth)
- Cryptographically signed receipts over a canonical serialization, verifiable offline; workload-attested signing keys
- Identity binding across human, service, agent, session, and role/privilege with freshness, revocation, and delegation-chain preservation
Architecture
This review was conducted by the AARM Conformance Agent and completed on June 11, 2026. Highflame Shield satisfies all six AARM Core requirements (R1–R6); the extended requirements (R7–R9) were not assessed in this review.
Interception (R1): Shield intercepts every action before execution at a dedicated enforcement endpoint and is fail-closed — absent or unsynced policies return an error rather than silently allowing, and no configuration path bypasses policy evaluation. A matching DENY blocks execution and emits a signed denial receipt recording the determining policy and reason; DEFER suspends the action with no side effects.
Context (R2): Shield accumulates per-session context — prior actions, data classifications, and the original request — and defaults to the highest sensitivity when classification is unavailable. The session log is append-only and hash-chained, so tampering with a prior entry breaks the chain.
Policy & intent alignment (R3): The Cedar-based engine supports forbidden, context-dependent deny, context-dependent allow, and context-dependent defer. Deferral triggers (unpopulated context, same-priority conflict, low detector confidence) are documented and auditable, and tool-call arguments are projected into a typed record and validated by type, range, and allow/blocklist.
Decisions (R4): All five authorization decisions are enforced. MODIFY applies PII redaction; STEP_UP routes for human approval with a bounded, deny-on-timeout window (no fail-open); DEFER supports dependent-action cascading with a configurable depth limit and follow-up receipts.
Receipts (R5): Every decision type produces a cryptographically signed receipt over a canonical serialization, verifiable offline against published keys, with workload-attested signing credentials.
Identity (R6): Each action is bound to human, service, agent, session, and role/privilege scope. Identity is validated against trusted issuers including freshness and revocation; unverifiable identity is denied, and identity is preserved across deferral and delegation.
Key facts
| Conformance | AARM Core (R1–R6) |
| Verified | June 11, 2026 |
Maintained by the Highflame team. Conformance verified by the AARM working group.