Fetching from the wire…
Public story · 2026-07-16 · high
The fix checks signed runtime metadata like calling tool and reasoning summary, not just the destination URL.
Why now: Safeguard's writeup landed in security coverage dated July 16, 2026.
Destination allowlists fail agents in three distinct ways, per Safeguard's writeup on agent runtime egress controls.
For any team giving an agent real tool access and an open network, the stakes are direct. A malicious request can look exactly like a legitimate one, and nothing in a flat allowlist tells them apart.
Agents often need to reach a URL a user just typed in, so the allowlist can't stay locked to a small set of destinations.
That openness creates the second problem. A flat entry for a domain like api.example.com passes every request, whether the agent's own reasoning produced the call or a prompt injection did.
Free-form fields in the logs for allowed destinations open a third path. Data can leave through what looks like a normal request, logged and ignored.
Safeguard's fix moves the decision off the URL. A proxy checks metadata the runtime signs: session, initiating user, context provenance, calling tool, and a summary of recent reasoning. None of that can be dressed up the way a URL can.
The writeup recommends running these policies in logging-only mode first. It also suggests routing DNS through a resolver that scores queries for exfiltration patterns before they ever become an HTTP request.
The bet underneath this is that request destination was never the right signal. Once an agent has a legitimate reason to reach any URL a user names, the only thing worth checking is whether its reasoning holds up. Most agent stacks aren't logging one detailed enough to check.
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
Both cover DNS, URLs; overlapping topics (agent, context); earlier DNS coverage from 2026-05-20.
Shared entity: DNS / Shared topic / Earlier coverage / Tension
Both cover DNS; overlapping topics (agent, context); earlier DNS coverage from 2026-06-19.
Shared entity: DNS / Shared topic / Earlier coverage
Both cover DNS; overlapping topics (agent, channel, egress); earlier DNS coverage from 2026-03-19.
Both cover DNS; overlapping topics (agent, channel, egress); earlier DNS coverage from 2026-03-19.
Shared entity: URLs / Shared topic / Earlier coverage
Both cover URLs; overlapping topics (agent, channel); earlier URLs coverage from 2026-03-29.
Both cover URLs; overlapping topics (agent, context); earlier URLs coverage from 2026-03-01.
Shared entity: DNS / Earlier coverage / Tension
Both cover DNS; earlier DNS coverage from 2026-07-10; pushes against this story (against).
Both cover DNS; earlier DNS coverage from 2026-06-14; pushes against this story (against).