Enterprise Security in the Agentic AI Era

Tenuo

3 min read

Tenuo

Startup founded by Niki Aimable Niyikiza (also Security Engineering at Snap) building capability-based authorization for AI agents. The core primitive is the Tenuo Warrant — a six-property cryptographic capability artifact (signed / scoped / ephemeral / holder-bound / verifiable offline / delegation-aware). The implementation is a Rust core with Python bindings, open-sourced at github.com/tenuo-ai/tenuo.

Public emergence: March 4, 2026 at [un]prompted (talk page). Tenuo’s positioning is that the missing primitive in the agentic-AI security stack is delegation-aware authorization at execution time — and that warrants productize 60 years of capability-systems research (Dennis & Van Horn 1966 → Macaroons → UCAN → Biscuits → CaMeL) into something that drops into LangGraph, CrewAI, Temporal, or an MCP proxy.

Product

Tenuo Core (Rust + Python bindings; open source). Implements the warrant primitive plus four deployment modes:

ModeWhereBest for
In-processInterceptor / middleware / drop-in nodeLangGraph, CrewAI, Temporal — “one line of code” replacement of the framework’s tool node
SidecarSeparate process, same hostPolyglot stacks
GatewayProxy between agents and toolsFleet-wide enforcement
MCP ProxyInside the MCP tool server (client- and/or server-side)Any MCP-compatible agent — easiest because MCP already has structured tool + arg schemas

Constraint language supports basic logic, regex, glob, and CEL (Common Expression Language) for arbitrary expressivity.

A live decoder/playground for warrants is hosted at tenuo.ai.

Validation results published

HarnessNumber
End-to-end authorization (constraints + PoP)~55 μs (Rust core, CBOR, Mac M3 Max)
Denial fast-path~200 ns
Constraint + cryptographic-integrity violations rejected53 / 53 (5,700 fuzz probes; 0 bypasses)
Multi-agent-delegation baseline ASR: 90% → 0%Custom in-house benchmark; no public benchmark exists for delegation-aware authorization at scale

The 90%→0% claim is on Tenuo’s own custom harness — credible signal, not yet third-party-replicated. The talk’s open call to researchers is explicitly about building a shared benchmark.

Constraint-design lesson the company has internalized

Slide 11 of the talk reports a real-world rejection-rate fix from 87.5% → 100% that was not a cryptographic fix — it was constraint-design. The company maintains an opinionated three-layer model:

  1. Map — logical constraint (regex / glob)
  2. Annotated Map — constraint + normalization (Subpath, UrlSafe)
  3. Territory — execution guard (path_jail, url_jail, OS sandbox)

Tenuo ships open-source execution guards for filesystem and process running.

How they position vs adjacent vendors

Adjacent capability vendor / projectTenuo’s framing
Stripe ToolshedCentralized PDP via ToolAnnotations; Tenuo is decentralized via in-artifact policy
Sondera (Cedar reference monitor)Cedar policy language for declared-tool actions; Tenuo carries the policy in the artifact and adds the delegation chain
Macaroons / UCAN / BiscuitsPrior art Tenuo cites; Tenuo’s contribution is the agent-runtime productization (LangGraph, MCP, OAuth/IAM stacking)
Google DeepMind CaMeLModel-layer privileged/quarantined split; complementary, not redundant

Open questions about Tenuo specifically

  1. Operational composition with existing PEPs — Tenuo’s verification is offline, but a fleet-scale deployment still needs a place to issue root warrants and collect receipts. How that composes with Stripe-/Block-/Salesforce-scale infra is not yet publicly disclosed.
  2. Real-world adoption beyond LangGraph demos — public examples to date are demo-shaped (SOC triage pipeline, two LangGraph agents). Production case studies are pending.
  3. Public benchmark contribution — whether Tenuo’s harness becomes (or is contributed to) a community benchmark or stays vendor-internal.

See also

Graph View

Backlinks