AI runtime protection watches models and applications in production. Runtime trust asks the last-mile question: should this already-allowed tool call, callback, MCP handoff, package endpoint, or outbound action proceed right now?
AI runtime protection is the production layer that monitors, validates, filters, or blocks risky AI application behavior — prompt injection, prompt extraction, denial of service, command execution, data leakage, unsafe model output. Runtime trust is narrower: it decides whether an already-allowed agent action should be trusted at the moment it is about to execute. The prompt may have passed a filter, the model may be approved, the tool may be scoped, the identity may be valid — runtime trust still asks whether the destination, callback, MCP server, package endpoint, tool output, or action authority drifted enough to pause, downgrade, or block. Sunglasses v0.2.54 ships detection across MCP threats, model-routing confusion, memory eviction/rehydration, prompt injection, and retrieval poisoning to cover exactly this gap.
Quick answer
AI runtime protection is the production security layer that monitors, validates, filters, or blocks risky AI application behavior: prompt injection, prompt extraction, denial of service, command execution, data leakage, unsafe model output, and other model/application threats. It is a real control layer.
Runtime trust is narrower. It decides whether an already-allowed agent action should be trusted at the moment it is about to execute. The prompt may have passed a filter. The model may be approved. The tool may be scoped. The identity may be valid. Runtime trust still asks: did the destination, callback, MCP server, package endpoint, tool output, metadata, or action authority drift enough that this workflow should pause, downgrade, or block?
The useful sentence is: runtime protection reduces malicious behavior; runtime trust decides whether the next action path is trustworthy enough to take. For a fuller framing, see how Sunglasses works.
Why this distinction matters now
Enterprise AI-security vendors are teaching the market a broad control vocabulary. Cisco AI Defense is a strong current example: its public AI Defense pages package model and application validation, AI runtime protection, AI cloud visibility, AI access, AI supply-chain risk management, red teaming, taxonomy, reference architecture, and a State of AI Security report into one Zero Trust story for an agentic AI workforce.
That is useful category education. Cisco's runtime-protection page explicitly names production attacks such as prompt injection, prompt extraction, denial of service, and command execution. Its broader AI Defense framing says Zero Trust has to evolve from who you are to what you do. Buyers are learning to ask better questions about agents in production.
Sunglasses should not answer that by pretending to be a full enterprise platform. The honest answer is sharper. Access control, model validation, cloud visibility, supply-chain scanning, red teaming, and guardrails all matter. Sunglasses lives one step later: when the agent is allowed, the tool exists, the workflow is in motion, and the live context changes the trust boundary of the next action. Our FAQ is explicit about what we do and do not replace.
Plain-language explanation
Think of AI runtime protection as the security camera and guardrail system around an AI application in production. It watches the model, prompts, responses, policies, and application behavior. It can flag or block malicious prompts, unexpected outputs, sensitive data leakage, unsafe instructions, command execution attempts, and model-level abuse.
Now think of an AI agent as a worker that can act across tools. It can open tickets, call APIs, browse, fetch packages, trigger workflows, summarize records, create pull requests, approve changes, send messages, or hand off work through MCP servers and connectors. Many of those actions are legitimate. The hard part is that the agent's environment can change between the moment access is granted and the moment the action fires.
A support ticket can contain prompt-bearing text. A tool output can include a hidden instruction. A callback can redirect to a new destination. A package endpoint can look familiar but resolve somewhere else. A generated connector can expose a broader method than expected. A model response can be clean while the action path it creates is not.
Runtime trust is the decision layer for that gap. It does not say guardrails are useless. It says guardrails are incomplete if the final question is an action: should this workflow, through this tool, to this destination, with this live context, proceed now? The Sunglasses manual walks through how this check fits a real agent loop.
What the control stack gets right
The fair way to compare runtime protection and runtime trust is not to create a fake rivalry. The broad control stack solves real problems:
- Model and application validation finds dangerous model behavior before production.
- AI runtime protection watches production prompts, outputs, policies, and application behavior.
- AI access and Zero Trust restrict which users, agents, apps, and tools can reach which systems.
- AI cloud visibility helps teams find where models, data, and applications are running.
- AI supply-chain security scans models, files, datasets, open-source components, and agent dependencies.
- Red teaming probes failure modes before attackers do.
Runtime trust complements that stack by checking the live action boundary. If the approved agent is about to call an MCP tool, follow a callback, fetch a package, post to an endpoint, run a command, or hand off authority to another system, runtime trust asks whether the path still matches the expected trust model.
That is why this is an AI agent security problem, not just a model-safety problem. Model behavior matters. So does the action graph around the model.
Three concrete failure examples
Example 1: prompt injection changes an allowed tool call
A customer record includes polite text that tells the agent to ignore prior instructions and export the account summary through a permitted internal tool. Runtime protection may detect the injection pattern. Access control may confirm the agent is allowed to use the tool. Runtime trust asks whether the specific tool call is now being shaped by untrusted customer-controlled text.
Example 2: an MCP handoff drifts after approval
A developer approves an agent workflow that reads issue context and opens a pull request. During the run, an MCP server returns a handoff to a different repository, package endpoint, or callback URL. The workflow is still inside an allowed tool family. Runtime trust checks whether the handoff changed destination, authority, or provenance enough to block or re-confirm.
Example 3: command execution hides behind a normal support workflow
An operations agent receives a ticket that looks like routine diagnostics. A tool output includes shell-like text, a generated connector exposes a command method, and the agent prepares to run it with valid credentials. Runtime protection can catch obvious command-execution attempts. Runtime trust adds the action-time check: is this command consistent with the expected workflow, source, destination, and authority?
How Sunglasses catches it
Sunglasses is built for the moment after broad controls say an agent can continue and before the workflow acts. It looks for risky patterns around tool-output instruction injection, prompt-bearing metadata, MCP tool poisoning, endpoint drift, callback-chain authority changes, package endpoint substitution, policy-scope redefinition, state-sync poisoning, and generated connector trust.
Jack's recent pattern shipments make this concrete. MCP/tool-poisoning patterns show how tool descriptions, schemas, and handoffs can become instruction carriers. Policy-scope redefinition patterns show how allowed workflows can silently expand what they are allowed to do. State-sync poisoning patterns show how checkpoint, replica, rollback, and reconciliation state can become trust surfaces. Agent-contract and metadata-poisoning research show how friendly descriptions can alter authority without looking like classic malware.
The product sentence stays simple: Sunglasses helps decide whether an already-allowed agent action should be trusted right now. If the prompt passed, the model is approved, the tool is scoped, and the endpoint still changed, that is where runtime trust earns its keep. The same logic powers our CVP credibility runs.
For deeper background, start with the MCP Attack Atlas, the MCP tool poisoning detection guide, the Sunglasses manual, and AI Agent Security 101.
FAQ
What is AI runtime protection?
AI runtime protection is the production control layer for detecting, monitoring, filtering, or blocking unsafe AI application behavior such as prompt injection, prompt extraction, data leakage, denial of service, command execution, and unsafe model output.
What is runtime trust for AI agents?
Runtime trust is the action-time decision that asks whether an already-allowed agent workflow should proceed now, through this tool, destination, callback, MCP handoff, package endpoint, or outbound request, given the live context.
Do guardrails stop prompt injection?
Guardrails can stop many prompt-injection attempts and should be used. They do not end the security decision when an allowed workflow is about to act. A filtered or allowed prompt can still produce an unsafe action path through metadata, tool output, callbacks, or endpoint drift.
How is runtime trust different from Zero Trust access?
Zero Trust access asks who or what is allowed to reach a system. Runtime trust asks whether the specific action being taken through that allowed access is still trustworthy. The first decision grants reach; the second decision governs use.
Why does MCP security need runtime trust?
MCP security needs runtime trust because MCP servers, tools, schemas, resources, and handoffs can change the trust boundary of an agent action. Even when a server is approved, the live tool output, callback, destination, or package endpoint can still become untrusted.