Flock v0.5.500: Enterprise Security for Agentic AI<\/p>\n
<\/h1><\/div>
AI agents are moving into production. And with that move comes a set of questions that no one asks during a prototype: How do we authenticate without hardcoding API keys? How do we prevent prompt injection from compromising agent behavior? How do we make security a first-class concern, not an afterthought?<\/p>\n\n\n\n
Flock 0.5.500 answers all three. This release introduces two foundational security features that make it significantly easier to build and operate AI agents in enterprise environments: keyless authentication via Azure Entra ID and Managed Identity, and a pluggable guard framework to protect agents from malicious inputs.<\/p>\n\n\n\n
Most LLM frameworks require an API key to talk to Azure OpenAI. That key ends up in environment variables, CI\/CD pipelines, container specs, and developer machines. It needs to be rotated, audited, and kept out of source control. In practice, that rarely happens.<\/p>\n\n\n\n
In Azure-native workloads, there is a better way: Managed Identity<\/a>. A workload running on Azure Container Apps, AKS, or Azure Functions can authenticate to Azure OpenAI directly, with no secrets involved. Azure handles the credential lifecycle. You handle the business logic.<\/p>\n\n\n\n Flock 0.5.500 makes this the default path for Azure deployments. Authentication works across Azure OpenAI and Azure AI Foundry.<\/p>\n\n\n\n A new The result is clean, keyless configuration:<\/p>\n\n\n\n For workloads using a user-assigned Managed Identity, pass the client ID:<\/p>\n\n\n\n The Azure AI Foundry Agents API requires a different token scope. That is covered too:<\/p>\n\n\n\n The Azure identity support ships as an optional dependency to keep the core package lean. It pulls in That’s it. No secrets. No rotation. No exposure.<\/p>\n\n\n\n Agentic systems are different from chatbots. They process external data (documents, web content, API responses, user inputs) and act on it. That external data is an attack surface. A malicious PDF can contain instructions that redirect agent behavior. A crafted user message can attempt to jailbreak the underlying model. Prompt injection<\/a> consistently ranks as one of the top risks in production LLM applications.<\/p>\n\n\n\n Without explicit protection, there is no reliable way to detect these attacks before they influence what an agent does.<\/p>\n\n\n\n Flock 0.5.500 introduces a guard framework that makes protection composable and configurable, not bolted on as an afterthought.<\/p>\n\n\n\n Each guard returns a Three actions can be configured per phase:<\/p>\n\n\n\n Guards compose naturally. Assign priorities to control execution order. A block in any guard stops subsequent components and the engine run.<\/p>\n\n\n\n The first built-in implementation calls the Azure AI Content Safety Prompt Shields<\/a> API. It detects two classes of attacks: direct jailbreak attempts in user prompts, and indirect prompt injection embedded in context documents.<\/p>\n\n\n\n Both Managed Identity and API key authentication are supported. Document content is extracted automatically from Flock’s artifact types, with configurable truncation for large documents.<\/p>\n\n\n\n Setting The framework is designed to be extended. Implement Multiple guards with different backends can run on the same agent. Combine Azure Prompt Shield with a domain-specific policy check, for example. Priority ordering guarantees a deterministic execution sequence.<\/p>\n\n\n\n The Both features are available now in the Flock repository on GitHub. Flock is an open-source, declarative, and highly modular AI agent framework built by our team. Explore Flock on GitHub<\/a><\/p>\n\n\n\n Building agentic AI systems in production? Talk to us about a Solution Assessment<\/a>. We help teams design, implement, and operate AI agents on Azure.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":"How It Works<\/h4>\n\n\n\n
lm_kwargs<\/code> field on DSPyEngine<\/code> forwards arbitrary keyword arguments to the underlying LiteLLM<\/a> constructor. This is a provider-agnostic mechanism: any LiteLLM parameter can be passed through. For Azure, a dedicated helper wraps DefaultAzureCredential<\/code><\/a> into a token provider callable that LiteLLM understands.<\/p>\n\n\n\nfrom flock.engines import DSPyEngine\nfrom flock.engines.auth.azure import get_default_azure_token_provider\n\ntoken_provider = get_default_azure_token_provider()\n\nengine = DSPyEngine(lm_kwargs={\n \"api_base\": \"https:\/\/<resource>.openai.azure.com\/\",\n \"api_version\": \"2024-12-01-preview\",\n \"azure_ad_token_provider\": token_provider,\n})<\/code><\/pre>\n\n\n\nDefaultAzureCredential<\/code> resolves the right credential automatically: Managed Identity when running on Azure, az login<\/code> during local development. No code change required between environments.<\/p>\n\n\n\ntoken_provider = get_default_azure_token_provider(\n managed_identity_client_id=\"<client-id>\"\n)<\/code><\/pre>\n\n\n\nfrom flock.engines.auth.azure import (\n get_default_azure_token_provider,\n AZURE_AI_FOUNDRY_SCOPE,\n)\n\ntoken_provider = get_default_azure_token_provider(scopes=AZURE_AI_FOUNDRY_SCOPE)<\/code><\/pre>\n\n\n\nGetting Started<\/h4>\n\n\n\n
azure-identity<\/code><\/a>, Microsoft’s official Python credential library:<\/p>\n\n\n\nuv add \"flock[azure]\"<\/code><\/pre>\n\n\n\nGuardComponent: Pluggable Input and Output Protection<\/h3>\n\n\n\n
The Prompt Injection Problem<\/h4>\n\n\n\n
How It Works<\/h4>\n\n\n\n
GuardComponent<\/code> is an abstract base class that integrates into Flock’s existing agent lifecycle. Guards execute during on_pre_evaluate<\/code> (before the model sees the input) and on_post_evaluate<\/code> (after the model produces output). No new architectural patterns are needed: guards are just components with a well-defined interface.<\/p>\n\n\n\nGuardVerdict<\/code> with four fields: safe<\/code>, reason<\/code>, details<\/code>, and provider<\/code>. This gives full auditability: every decision is traceable.<\/p>\n\n\n\n\n
block<\/code>: raises GuardBlockedError<\/code> and halts execution<\/li>\n\n\n\nwarn<\/code>: logs the finding and continues<\/li>\n\n\n\nannotate<\/code>: attaches the verdict to the agent’s context<\/li>\n<\/ul>\n\n\n\nAzure Prompt Shield: The First Built-in Guard<\/h4>\n\n\n\n
from flock.components.agent.azure_prompt_shield import (\n AzurePromptShieldGuard,\n AzurePromptShieldConfig,\n)\nfrom flock.core import Agent\nfrom flock.engines import DSPyEngine\n\nagent = Agent(\n name=\"support_agent\",\n engine=DSPyEngine(model=\"azure\/gpt-4.1\"),\n components=[\n AzurePromptShieldGuard(\n priority=-10, # run before all other components\n config=AzurePromptShieldConfig(\n endpoint=\"https:\/\/<resource>.cognitiveservices.azure.com\",\n on_input_flagged=\"block\",\n scan_context_artifacts=True, # scan documents passed as context\n ),\n ),\n ],\n)<\/code><\/pre>\n\n\n\npriority=-10<\/code> ensures the guard runs before any other component. If the input is flagged, a GuardBlockedError<\/code> is raised immediately, and the model never sees the malicious content.<\/p>\n\n\n\nBuilding Custom Guards<\/h4>\n\n\n\n
scan_input<\/code> and optionally scan_output<\/code>, and the base class handles the rest: lifecycle wiring, artifact extraction, verdict routing, and action dispatch.<\/p>\n\n\n\nfrom flock.components.agent.guard import GuardComponent, GuardVerdict\n\nclass MyCustomGuard(GuardComponent):\n async def scan_input(self, text: str, documents: list[str]) -> GuardVerdict:\n flagged = await my_policy_check(text)\n return GuardVerdict(\n safe=not flagged,\n reason=\"Custom policy violation\" if flagged else None,\n provider=\"my-guard\",\n )<\/code><\/pre>\n\n\n\nGuardComponent<\/code> interface is also a natural integration point for broader policy enforcement tooling. Microsoft’s Agent Governance Toolkit<\/a> covers policy enforcement, zero-trust identity, and audit logging across the full OWASP Agentic Top 10. A custom guard wrapping its PolicyEvaluator<\/code> can bring those deterministic controls directly into the Flock agent lifecycle, putting content safety (Prompt Shield) and tool-call governance in the same execution pipeline with no changes to the agent itself.<\/p>\n\n\n\nFlock is Open Source<\/h3>\n\n\n\n