InterceptAI ยท Terminus
How much a default-deny action layer reduces what a compromised or misdirected agent can do to your database. Measured against live attacks, not asserted.
Terminus operates at the database-action boundary. It governs what an agent is permitted to do to your database, not what it is permitted to think or say.
The agent holds no database credentials. Every action is decided before it can execute. There is no side path to the data.
Live A/B run: claude-sonnet-5 · 18 adversarial scenarios · 3 trials per arm · 108 agent turns.
Every figure on this page reproduces from the commands below.
Default-deny at the action boundary.
The agent asks; Terminus decides allow, deny, or a safer rewrite. Nothing reaches the database without an explicit allow. The starting posture is "no," not "yes."
The agent holds no database credentials.
It cannot reach the data except by asking Terminus, and Terminus will not act without a decision. There is no bypass to find, because there is no other door.
Enforcement does not depend on the model behaving.
In our test the unprotected model refused some attacks on its own and carried out the rest. Terminus removed the rest. A control that only works when the model chooses to cooperate is not a control.
Two arms, identical model and scenarios. Arm A is a direct-database agent with no Terminus in front of it, full read and write. Arm B is the same agent whose only database access is Terminus. An attack counts as successful only when real database state changed, or a seeded secret appeared in a result. Never from what the agent said, only from what it did.
Two results are worth stating plainly, because both make the number more honest, not less:
The unprotected baseline is 46.7 percent because the model refused the other attacks itself. Terminus's job was the ones it did not refuse. It blocked every one of them.
Benign task completion rose under enforcement, from 83 to 100 percent. The unprotected agent sometimes chased the injected instruction and never answered the real question. Given a clean allow or deny, the enforced agent stayed on task.
Two Terminus capabilities do the work across every framework below: default-deny access enforcement, least privilege applied to each query, and a tamper-evident audit chain, a complete and verifiable record of every allow, deny, and rewrite. Terminus is a control that provides evidence toward the access and logging obligations these frameworks impose. It is not a certification, and it does not make you compliant. That stays your program's responsibility.
SOC 2
Trust Services Criteria
CC6.1 · CC6.3 logical access, least privilege
CC7.2 system monitoring
Query-level default-deny enforces least-privilege access, and the decision log gives you the monitoring record these criteria expect.
Evidence toward your SOC 2 scope. Your auditor attests; Terminus is one control within it.
ISO/IEC 27001:2022
Annex A
A.5.15 access control
A.8.3 information access restriction
A.8.15 logging
Least-privilege access to data and tamper-evident logging of every access decision map directly to these Annex A controls.
Supports the named controls. Certification covers your ISMS as a whole.
NIST SP 800-53
AC-3 access enforcement
AC-6 least privilege
AU-2 event logging
AU-9 protection of audit information
Access is enforced at the action boundary, and the audit record's integrity is protected by a cryptographic chain, which is exactly what AU-9 asks for.
Control-level evidence. System authorization remains the deployer's.
DORA (EU 2022/2554)
Financial entities · from Jan 2025
Art 9(4)(c) logical access limited to
approved functions only
Art 9 event logging
DORA requires logical access limited "to what is required for legitimate and approved functions only." That is default-deny in the regulation's own words, recorded on a reliable, verifiable log.
Applies to EU financial entities and their ICT providers. Terminus supports the access and logging duties; the ICT risk framework is yours.
NIS2 (EU 2022/2555)
Essential & important entities
Art 21(2) access-control policies
Art 21(2) monitoring and logging
Access-control enforcement and continuous logging for the agent-to-database path address two of the ten Article 21 risk-management measures.
Proportionate to your risk exposure. NIS2 covers your whole security program.
EU AI Act (Reg. 2024/1689)
Art 12 record-keeping
Art 14 human oversight
Art 15 accuracy, robustness, cybersecurity
A traceable decision record (Art 12), an enforceable allow / deny / oversight point (Art 14), and a robustness control at the database boundary (Art 15).
Provides evidence for these obligations. It does not make a deployer "EU AI Act compliant." EU regulatory copy pending legal review.
InterceptAI does not represent Terminus as a compliance certification. These mappings describe the controls Terminus provides evidence toward; whether they satisfy a given obligation is your compliance team's determination.
Trust comes from the boundaries a vendor draws, not just the wins it reports. Here is what Terminus is not.
Terminus does not guess intent inside a valid query on a table an agent is allowed to use. That is a losing game against attacker creativity. It bounds what the agent can do, so intent inside those bounds does not have to be guessed.
This is first-party testing, and we are telling you so. We authored the scenarios and the corpus wrapping. What makes it checkable rather than self-serving is that every number above reproduces from two deterministic commands and one live command.
# benign false-positive rate. no API key. make bench-static # SQL-injection coverage. no API key. make bench-corpus # the attack-success A/B headline. needs an API key. make bench-agent
e86ff4019a. Per-file checksums recorded and verified on every fetch.2b7c1af1…Full source and the engineer-level report, with the complete scenario set and every corpus checksum, are available under evaluation. Your engineers can reproduce every figure in an afternoon.
The strongest version of this report is the one your team runs.
These numbers are ours. The method is yours to check, and the benchmark is built to run against your schema, your policy, and your agents. That is where a number stops being marketing and starts being evidence.