Before AI Agents Go Live, Security Teams Need a New Kind of Check
A new open-source tool from Exabeam called Praxen is addressing a blind spot in AI agent security: verifying that an autonomous agent's actual capabilities match what it was authorized to do before it ever touches production systems. As companies deploy AI agents that can access applications, call tools, and make decisions independently, the risk isn't just whether the agent contains exploitable flaws, but whether it has been granted permissions and access that exceed its intended role.
Why Do Traditional Security Tools Miss the Real Risk?
Vulnerability scanners and red team exercises catch bugs and attack vectors, but they don't answer a fundamental question: does this agent's actual behavior match the governance remit it was built to enforce? Exabeam argues that current security methods provide checks during testing and operation but fail to verify whether an agent is configured safely before deployment.
The gap between what an agent is authorized to do and what it is actually capable of doing is where operational risk lives. One early user, Medigram, discovered this firsthand. Rather than receiving a risk report to file away, the tool produced a precise engineering roadmap showing exactly where the agent's code-level capabilities exceeded its approved permissions.
"Most security tools tell you what's vulnerable. Praxen asked a different question entirely: Does this agent's actual behavior match the governance or work remit it was built to enforce?" said Sherri Douville, Chief Executive Officer at Medigram.
How Does Agent Behaviour Verification Work?
Praxen introduces what Exabeam calls Agent Behaviour Verification, a security approach that examines an AI agent as a complete system rather than focusing only on software flaws or individual pieces of code. At the center of this approach is what Exabeam calls an ABV remit, a policy contract that sets out what an agent may do, which resources it may access, and the boundaries within which it must operate.
The tool reviews an agent's implementation across multiple dimensions, then identifies gaps between intended and implemented behavior. Praxen reports include specific findings, recommendations for improvement, and an overall maturity score for the agent's security posture.
Steps to Implement Agent Behaviour Verification Before Deployment
- Define the ABV Remit: Create a clear policy contract that specifies what tasks the agent may perform, which resources and systems it can access, and the operational boundaries it must respect.
- Review Agent Implementation: Examine the agent's tools, configurations, memory systems, integrations, and operating environment to ensure they align with the approved remit.
- Identify and Remediate Gaps: Use the tool's findings and recommendations to close discrepancies between what the agent is authorized to do and what it is actually capable of doing in code and configuration.
- Score and Iterate: Review the agent's overall security maturity score and use it as a baseline for ongoing governance improvements throughout the agent's lifecycle.
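The first three steps, as an added sketch that is not Praxen's code or its remit format: the remit is written as a table of approved tools, resource patterns and access modes, and every capability the agent actually wires up is compared against it. All tool names, resource strings and field names here are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed remit: tool name -> resource patterns and access modes approved for it.
REMIT = {
    "read_ticket":  {"resources": ["tickets:support/*"], "modes": {"read"}},
    "post_reply":   {"resources": ["tickets:support/*"], "modes": {"write"}},
    "close_ticket": {"resources": ["tickets:support/*"], "modes": {"write"}},
}

# Constructed inventory of what the agent's code and configuration actually expose.
IMPLEMENTATION = [
    {"tool": "read_ticket", "resource": "tickets:support/1042", "mode": "read"},
    {"tool": "read_ticket", "resource": "tickets:billing/77", "mode": "read"},
    {"tool": "read_ticket", "resource": "tickets:support/1042", "mode": "write"},
    {"tool": "post_reply", "resource": "tickets:support/1042", "mode": "write"},
    {"tool": "run_shell", "resource": "host:agent-runner", "mode": "write"},
]

def find_gaps(remit, implementation):
    """Return (tool, resource, mode, reason) for each capability the remit does not cover."""
    gaps = []
    for cap in implementation:
        tool, resource, mode = cap["tool"], cap["resource"], cap["mode"]
        grant = remit.get(tool)
        if grant is None:
            reason = "tool not in remit"
        elif not any(fnmatchcase(resource, p) for p in grant["resources"]):
            reason = "resource outside remit"
        elif mode not in grant["modes"]:
            reason = "access mode exceeds remit"
        else:
            continue  # capability is covered by the remit
        gaps.append((tool, resource, mode, reason))
    return gaps

def unused_grants(remit, implementation):
    """Tools the remit approves but the agent never implements (candidates to revoke)."""
    used = {cap["tool"] for cap in implementation}
    return sorted(set(remit) - used)

if __name__ == "__main__":
    for gap in find_gaps(REMIT, IMPLEMENTATION):
        print("GAP:", *gap)
    print("UNUSED GRANTS:", unused_grants(REMIT, IMPLEMENTATION))
```

The comparison runs in both directions: capabilities beyond the remit are findings to remediate, and grants the agent never uses are candidates to remove from the remit.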
Praxen has been built as an agentic coding agent skill and is being released under the Apache 2.0 license, an open-source approach that Exabeam hopes will encourage scrutiny and contribution from developers, researchers, and security practitioners working on AI governance and assurance.
The timing of this release reflects a broader industry shift. As companies move from AI experimentation to operational deployment, security teams need more than runtime visibility into what agents are doing. They need confidence that agents have the right permissions, the right controls, and the right boundaries before they enter production.
"Organisations are rapidly moving from AI experimentation to operational deployment. As agents become digital workers, security teams need more than runtime visibility. They need confidence that agents have the right permissions, the right controls, and the right boundaries before they enter production," said Steve Wilson, Chief AI Officer at Exabeam.
Where Does This Fit in the Broader AI Agent Security Picture?
Exabeam positions Agent Behaviour Verification as the pre-deployment element of a wider approach to AI agent security. It sits alongside Exabeam's Agent Behaviour Analytics, which focuses on spotting anomalous or risky behavior once agents are operating in live environments. This distinction reflects a broader industry debate over how to govern AI systems that are no longer limited to answering prompts but can take actions across enterprise software.
The release of Praxen also signals an attempt to shape an emerging category of security practice around autonomous software agents. Standards for governing, verifying, and monitoring these systems are still developing, and vendors, security teams, and industry groups are competing to define the frameworks that may become common practice. Steve Wilson, who leads this effort at Exabeam, also serves as founder and co-chair of the OWASP Gen AI Security Project, a connection that matters because industry efforts around AI security are increasingly drawing on established software security communities to create models for risk assessment, testing, and control.
As AI agents gain autonomy and access to critical business systems, the question of whether they have only the authority needed for their intended role becomes as important as whether they contain exploitable vulnerabilities. Praxen represents an industry recognition that verifying agent behavior before deployment is not optional, but essential.