Kola Akinnibi
Solutions Architect at AWS
Vijay George
Product Manager
Emmanuelle Lejeail
Engineering Manager
Alexa Levine
Senior Product Marketing Manager
AI agents can reason through tasks, call tools, and adapt their next steps based on intermediate results. That flexibility is useful for building agentic applications, but it also creates security risk at runtime: A prompt injection attempt can change the agent’s instructions, a malicious request can try to exfiltrate sensitive data, and an unsafe tool call can lead to an action that the application owner did not intend.
Datadog AI Guard now works with AWS Strands Agents through a Strands plugin that evaluates prompts, model responses, and tool interactions as the agent runs. By using the Strands native hook system, AI Guard can monitor or block unsafe behavior in the agent loop without requiring teams to scatter security checks throughout application code. In this post, we’ll show how to:
Monitor the Strands agent loop
Strands Agents takes a model-driven approach to orchestration. The model reasons through the task, chooses tools, builds context from previous steps, and decides when it has enough information to respond. This design helps teams build agents that can handle open-ended workflows, but it also means the application’s behavior can change with each user request and model decision.
Traditional application security controls are not always designed for this type of runtime behavior. An agent’s risk can depend on the sequence of prompts, intermediate tool results, and tool calls that led to a particular action. The attack surface is a dynamic sequence of model decisions that changes with every interaction. If teams add custom checks directly into each part of that workflow, those checks can make the agent harder to audit and maintain. Teams also need to redeploy the application whenever they change those checks.
The AI Guard plugin for Strands Agents gives teams a central place to evaluate agent behavior as the agent runs. The plugin assesses every interaction in the context of the full agent session to catch multistep attacks that become harmful only after several tool calls. It registers callbacks on Strands life cycle events, sends relevant content to AI Guard for evaluation, and applies the configured response before the agent loop continues. This makes AI Guard part of the agent’s execution path rather than a separate review layer after the fact.
Evaluate prompts, responses, and tool calls inline
AI Guard evaluates the parts of an agent session where risk most often appears: user input, assistant output, tool invocations, and tool results. This inline approach helps teams inspect agent behavior in context, including the relationship between a tool call and the preceding steps that produced it.
The AIGuardStrandsPlugin
registers callbacks for four Strands hook events:
| Hook event | What AI Guard evaluates | Response when blocked |
|---|---|---|
BeforeModelCallEvent | User prompts, excluding tool results | Raises AIGuardAbortError |
AfterModelCallEvent | Assistant text content | Raises AIGuardAbortError |
BeforeToolCallEvent | Pending tool call and conversation context | Cancels the tool with a descriptive message |
AfterToolCallEvent | Tool result and conversation context | Replaces the tool result content |
These checks help protect against common risks in production agent workflows. Prompt protection evaluates user prompts and model responses for attacks such as prompt injection and jailbreaking. Tool protection analyzes tool calls, arguments, intent, and surrounding context to help determine whether an invocation should continue. Sensitive data protection detects personally identifiable information (PII), secrets, and other sensitive content in LLM inputs and outputs.
The AI Guard plugin also avoids duplicate evaluations. Tool results that AI Guard evaluates during AfterToolCallEvent
are excluded from the next BeforeModelCallEvent
scan, which prevents the same content from being evaluated twice. If the AI Guard API is unreachable because of a network error, the plugin logs the failure at the debug level and allows the agent to continue.
Configure enforcement without changing agent code
AI Guard supports a monitor mode that lets teams observe evaluations before they start blocking traffic. This is useful when you are first adding AI Guard to an agent, tuning policy behavior, or evaluating how detections map to real production traffic. After your team has reviewed the results, you can switch a service to blocking mode from the AI Guard settings.
You can also adjust detection sensitivity to make policies stricter or more lenient for a given service. For tool-specific controls, AI Guard supports a tool denylist that proactively blocks selected tools from being used by the agent. This gives security and platform teams a way to reduce risk for sensitive actions, such as file operations, administrative APIs, or payment-related tools.
Because these controls are managed in Datadog, teams can update policies without editing the agent or redeploying the application. This is especially helpful when multiple teams own different agents across environments. Security teams can start in monitor mode, review how agents behave in practice, and then tighten controls as policies mature.
Investigate AI Guard evaluations in Datadog
After you add AI Guard to a Strands agent, evaluations appear in Datadog as spans that show whether an interaction was safe or unsafe. For unsafe interactions, Datadog includes the attack category, such as prompt injection, data exfiltration, tool misuse, or jailbreaking. These spans link to Datadog APM and Agent Observability traces, so teams can move from a flagged evaluation to the broader agent session that produced it.
This trace context is important because agent attacks often unfold over several steps. A single prompt, tool call, or response might look harmless in isolation, but the full session can reveal how an instruction changed the agent’s behavior or how a tool result influenced the next model call. By reviewing the span side panel, teams can inspect previous prompts, tool calls, and related context as part of the same investigation. Every evaluation decision is a traceable event linked to the full LLM trace, giving teams the audit trail they need to demonstrate that their agent behaved within policy.
AI Guard also provides an aggregate view of evaluations in the Signals tab. Instead of requiring teams to review raw evaluation logs one by one, Datadog groups and ranks events that warrant investigation. This helps security and platform teams prioritize high-signal activity across agents and environments.
Protect agentic workflows in production
AI Guard for AWS Strands Agents helps teams evaluate agent behavior at the points where runtime risk appears: prompts, responses, tool calls, and tool results. By using the Strands hook system, the plugin brings AI Guard into the agent loop while keeping policy configuration separate from application logic. The result is a centralized way to observe, govern, and block unsafe agent behavior while preserving the trace context that teams need for investigation.
To get started, read the Datadog AI Guard documentation and the AWS AI Guard Strands plugin documentation. If you’re interested in trying AI Guard, sign up for the AI Guard Limited Availability Program.
If you’re new to Datadog, sign up for a 14-day free trial.
Facts Only
* AI agents can reason through tasks, call tools, and adapt next steps based on intermediate results.
* Datadog AI Guard works with AWS Strands Agents through a Strands plugin.
* AI Guard evaluates prompts, model responses, and tool interactions as the agent runs.
* The plugin registers callbacks for four Strands hook events: BeforeModelCallEvent, AfterModelCallEvent, BeforeToolCallEvent, and AfterToolCallEvent.
* Prompt protection evaluates user prompts and model responses for attacks like prompt injection and jailbreaking.
* Tool protection analyzes tool calls, arguments, intent, and surrounding context to assess invocation safety.
* Sensitive data protection detects PII, secrets, and other sensitive content in LLM inputs and outputs.
* The plugin avoids duplicate evaluations by excluding tool results from subsequent scans.
* AI Guard supports a monitor mode for observing evaluations before blocking traffic.
* Teams can configure enforcement via settings without changing agent code or redeploying applications.
* Evaluations appear in Datadog as spans linked to APM and Agent Observability traces, including attack categories like prompt injection or tool misuse.
Executive Summary
AI agents can reason through tasks and adapt next steps based on intermediate results, creating security risks during runtime, such as prompt injection or unsafe tool calls. Datadog AI Guard integrates with AWS Strands Agents via a plugin to monitor these interactions by evaluating prompts, model responses, and tool interactions throughout the agent loop. This approach is necessary because traditional security controls are insufficient for dynamic agent behavior; an agent's risk depends on the sequence of decisions rather than static code checks.
The AI Guard plugin registers callbacks across the Strands lifecycle events—BeforeModelCallEvent, AfterModelCallEvent, BeforeToolCallEvent, and AfterToolCallEvent—to evaluate these interactions inline. This allows for specific protections: prompt protection guards against injection; tool protection analyzes calls and context; and sensitive data protection detects PII and secrets in inputs and outputs. The system avoids duplicate evaluations by excluding certain tool results from subsequent scans.
Furthermore, AI Guard offers flexible configuration management. Teams can use a monitor mode to observe evaluations before enforcing blocks, adjust detection sensitivity, or implement tool denylists without modifying the agent code or requiring redeployments. Evaluations are centralized in Datadog as traceable spans, linking unsafe interactions to the full LLM trace for detailed investigation.
Full Take
The shift from static application security controls to runtime monitoring of dynamic agent behavior highlights a fundamental mismatch between traditional security paradigms and the emergent complexity of agentic systems. The core tension lies in managing an exponentially increasing attack surface—a sequence of model decisions rather than discrete code execution points. By embedding AI Guard into the agent loop via hook systems, the solution reframes security from a post-facto review to an intrinsic part of the execution path. This introduces a distributed accountability mechanism where risk is contextualized by the entire session history, which is vital for multi-step attacks that manifest only across sequential tool calls.
The ability to observe evaluations in Datadog as traceable spans offers a powerful mechanism for establishing auditability. It transforms abstract runtime risk into concrete, actionable forensic data by linking specific failure events (e.g., prompt injection) directly back to the preceding context (tool calls and prompts). The concept of an aggregate view in the Signals tab suggests a necessary move toward prioritizing security based on observed system behavior rather than solely relying on isolated vulnerability scanning.
The operational flexibility—monitor mode, sensitivity tuning, and tool denylists managed outside the application deployment pipeline—addresses the friction point where security mandates conflict with development velocity. This design attempts to balance centralized governance (Datadog) with decentralized execution (agent workflow). The challenge, then, shifts from technical implementation to establishing a unified, context-aware security language that respects the fluid, iterative nature of reasoning, ensuring that the safety envelope scales gracefully with the agent's increasing autonomy rather than imposing rigid, static boundaries.
Bridge Questions: If agents are inherently designed for adaptive reasoning, what metrics should be developed to quantify "safe" or "unsafe" reasoning sequences across varied task complexity? How can organizations ensure that centralized policy enforcement does not inadvertently constrain the emergent, beneficial reasoning capabilities of the agent itself? What is the long-term implication of treating runtime interaction as a sequence of traceable events versus a singular system state?
Sentinel — Human
This appears to be a technically informed article detailing the integration of security monitoring into an AI agent workflow, exhibiting the flow and detail typical of specialized technical journalism.
