Waveguide

Blog  ·  June 14, 2026  ·  2 min read

Why the model never holds a credential

security architecture

Ask any security engineer what worries them about AI agents and you’ll hear the same answer: the credentials.

Give a language model your Gmail token and you’ve created a new kind of risk. Not because the model is malicious — because it’s influenceable. A model that holds a credential can be talked into using it. Prompt injection, a poisoned webpage, a cleverly-worded email: the attack surface is every piece of text the model ever reads.

Most AI tools handle this with instructions. “Do not reveal the API key.” “Never send credentials to external services.” These are polite requests to a system whose defining property is that text changes its behavior.

We removed the credential instead

Waveguide’s agent runs in a sandboxed micro-VM with default-deny networking. When it needs to call Gmail, Meta, or any connected service, it composes the request — method, path, body — and sends it out the only door that exists: the egress proxy.

The proxy does four things on every call:

  1. Matches the request against the provider’s allow-list of paths. Anything else is refused.
  2. Classifies the action into a risk tier (T0–T3) and checks whether it needs an approval token.
  3. Injects the credential — fetched from an encrypted vault the sandbox has no access to.
  4. Logs everything — the enforcement record, not a courtesy log.

The model composes requests; it never sees the token that authorizes them. There is nothing in the sandbox to leak. A prompt injection that fully compromised the model’s judgment would find itself holding… nothing. It can ask the proxy to do things, and the proxy applies the same tiers, caps, and approval gates it always applies.

Envelope encryption, per tenant

The vault itself uses envelope encryption: each tenant has its own data-encryption key, wrapped by a master key that only the control plane holds. Compromising one tenant’s data can’t unlock another’s. When you delete your tenant, the keys are destroyed with it — the deletion is cryptographic, not just a row removal.

Why this matters more than any feature

Everything interesting Waveguide does — running campaigns, answering leads, pursuing outreach missions across email and phone — is only responsible to ship because of this property. Capability and safety aren’t in tension here; the safety architecture is what makes the capability shippable.

If you’re evaluating any AI agent, ours included, ask one question: where does the credential live, and what enforces that? If the answer involves the model’s context window and a system prompt, the rest of the feature list doesn’t matter much.

The full security model — quarantine for untrusted content, risk tiers, the kill switch — is documented on the security page and in the docs.