AWS Rex Is a Big Step for Agentic AI Security, But Not the Final Layer
Briefly

"Scripts run in Rhai, a lightweight embedded language that has no built-in access to the operating system. Every read, write, or open is intercepted by a Rex SDK call, which evaluates a Cedar policy before permitting the underlying system call. If the policy denies the action, the script receives an `ACCESS_DENIED_EXCEPTION` and the operation never reaches the kernel."
"The script and the policy are versioned separately. The host owner - not the developer who wrote the script, not the agent that may have generated it - defines what is allowed. The targeted use case is explicit. AWS describes Rex as designed to contain three specific failure modes in agentic AI: hallucinated code, prompt injection, and overly eager task interpretation."
"None of those is hypothetical. Each is a documented attack class, and each has been publicly conceded as unsolvable by the labs building the underlying models. OpenAI stated in late 2025 that prompt injection "is unlikely to ever be fully 'solved.'" Anthropic acknowledged in research that "prompt injection is far from a solved problem, particularly as models take more real-world actions.""
Trusted Remote Execution (Rex) provides runtime guardrails for agentic AI by intercepting every system operation an AI-generated script attempts. Scripts run in Rhai, a lightweight embedded language without built-in operating system access. Each read, write, or open is routed through a Rex SDK call that evaluates a Cedar policy before allowing the underlying system call. If the policy denies the action, the script receives an `ACCESS_DENIED_EXCEPTION` and the operation never reaches the kernel. Script code and Cedar policies are versioned separately, with the host owner defining allowed actions rather than the script developer or the agent. Rex targets hallucinated code, prompt injection, and overly eager task interpretation.
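To make the interception pattern concrete, here is an added Python model of it; this is illustrative code written for this summary, not the Rex SDK and not a real Cedar evaluator. The policy rules, the `Rule` and `AccessDeniedException` names, the `guarded_open` choke point, and the in-memory "filesystem" are all assumptions constructed for the example. It keeps two properties the summary highlights: the policy lives apart from the script, and a denied action raises before anything touches the backing store. It also shows one caveat a host owner would want: the path is canonicalized before the prefix match, so `..` segments cannot slip a scratch-area write into a forbidden directory.

```python
"""Illustrative policy gate modelled on the Rex/Cedar description above.

Constructed for this example (not Rex or Cedar code): rules are permit/forbid
entries keyed on an action name and a resource path prefix, evaluated with
Cedar's documented semantics (default deny, explicit forbid wins). The
"disk" is an in-memory dict so the example runs offline.
"""
import os
from dataclasses import dataclass


class AccessDeniedException(Exception):
    """Raised when policy denies an action; the underlying call never runs."""


@dataclass(frozen=True)
class Rule:
    effect: str            # "permit" or "forbid"
    actions: frozenset     # e.g. frozenset({"read", "write"})
    path_prefix: str       # resource prefix, always ending in "/"


# Host-owner policy (constructed), versioned separately from any script.
HOST_POLICY = [
    Rule("permit", frozenset({"read"}), "/srv/data/"),
    Rule("permit", frozenset({"read", "write"}), "/srv/scratch/"),
    Rule("forbid", frozenset({"read", "write"}), "/srv/data/secrets/"),
]


def canonical(path: str) -> str:
    """Collapse '.' and '..' so prefix matching sees the real target path."""
    return os.path.normpath(path)


def decide(policy, action: str, path: str) -> bool:
    """Cedar-style evaluation: any matching forbid denies; otherwise a
    matching permit allows; with no matching rule the default is deny."""
    target = canonical(path)
    matching = [r for r in policy
                if action in r.actions and target.startswith(r.path_prefix)]
    if any(r.effect == "forbid" for r in matching):
        return False
    return any(r.effect == "permit" for r in matching)


# Constructed in-memory "disk" standing in for the host filesystem.
FAKE_FS = {
    "/srv/data/report.txt": "quarterly numbers",
    "/srv/data/secrets/api_key": "REDACTED-EXAMPLE",
}

MODE_TO_ACTION = {"r": "read", "w": "write"}


def guarded_open(path: str, mode: str, policy=HOST_POLICY, fs=FAKE_FS):
    """SDK-style choke point: evaluate policy first, then (and only then)
    touch the backing store. Returns file contents for reads and the
    canonical path for writes."""
    action = MODE_TO_ACTION[mode]
    if not decide(policy, action, path):
        raise AccessDeniedException(f"{action} {path} denied by host policy")
    target = canonical(path)
    if action == "read":
        return fs[target]
    fs[target] = ""          # write: create/truncate, like open(path, "w")
    return target


def run_script_step(path: str, mode: str) -> str:
    """What a sandboxed script observes: a result, or an access-denied error."""
    try:
        guarded_open(path, mode)
        return "ok"
    except AccessDeniedException:
        return "ACCESS_DENIED"


if __name__ == "__main__":
    for p, m in [("/srv/data/report.txt", "r"),
                 ("/srv/data/secrets/api_key", "r"),
                 ("/srv/scratch/../data/secrets/api_key", "r"),
                 ("/srv/scratch/out.txt", "w")]:
        print(m, p, "->", run_script_step(p, m))
```

The two evaluation rules are the ones that matter for a host owner reviewing a policy: a stray `permit` can never override an explicit `forbid`, and anything not mentioned is denied, so widening access always requires an affirmative, reviewable change to the policy rather than to the script.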
Read at TechRepublic