Every guardrail approved a $2,400 refund. The order never existed.
A clean, well-formed, on-topic tool call executed a real, irreversible action — on a fact the agent made up. Content guardrails can’t see this, because the problem isn’t the words. It’s whether the words are true.
An AI support agent is wired to a simple rule: only refund verified orders. It has a lookup_order tool and a process_refund tool. A customer writes in, upset, asking for a refund.
The agent works the ticket. Partway through its chain it states: “Order #A-4471 confirmed — $2,400, purchased 12 days ago, within refund window.” It calls process_refund(order_id="A-4471", amount=2400). The money leaves. The ticket closes. Handle time: 9 seconds. A clean, helpful resolution.
Except lookup_order was never called successfully. No tool ever returned order A-4471. The agent, under pressure to resolve the ticket, generated a plausible order — a realistic ID, a believable amount, a date inside the window — and then acted on its own invention. The refund was real. The order was fiction.
What your guardrails saw
Run that interaction through the standard stack and every check passes. Each guardrail is asking “is this text safe and well-formed?” — and the honest answer is yes.
Conventional guardrails
What none of them ask
What was actually happening
The failure isn’t in the words. It’s in the gap between what the agent claimed (“order confirmed”) and what any tool established (nothing). The evidence that justified an irreversible action was fabricated. That is invisible to any check that reads the content, because the content is impeccable. The lie is well-spoken.
The verdict that catches it
Arcezia sits in front of process_refund and asks a different question — not “are these words safe?” but “is the claim that authorizes this action grounded in real evidence?”
Destructive action on a payment blocked. The agent claimed the order was confirmed — no matching order exists in any tool result. The evidence is fabricated. Action denied before execution.
Evidence chain
Not a probability. Not “72% suspicious.” A deterministic BLOCK with the reason attached — a verdict you can put in an audit log. No model in the loop to be fooled by the same fabrication it’s meant to catch.
Why this isn’t an edge case
In our internal fabrication test suite — actions justified by invented evidence, dressed up to look legitimate — this class of attack slipped past content-layer guardrails the large majority of the time, precisely because the surface text is clean. Evidence-grounded verification caught the same set at the point that matters: before the action fired. The suite is reproducible — you can run it against your own agents and see where your stack lands.
Honest boundary
Arcezia verifies whether an action is grounded and authorized. It does not read the agent’s intent, and it will not catch a harmful action that is fully evidenced and within policy — that is a different problem. What it removes is the class of failure where an agent acts on something it never actually established.Try it live
Send one of these actions through the real engine. The verdict below is computed live — not canned. Same verifier, signed certificate, ~50ms.
Your agents take real actions — refunds, deployments, writes. Each is authorized by a claim. Can you tell, before it executes, which claims are true because a tool proved it, and which are true because the model sounded confident?
Run it on your agents → See how it works