Edison Watch

Security Model

Technical architecture of the Lethal Trifecta protection.

Edison Watch prevents data exfiltration by detecting and blocking the combination of capabilities required for an attack.

The Threat: Prompt Injection

AI agents are vulnerable to prompt injection—malicious instructions hidden in external content (like a web page or file) that manipulate the AI into exfiltrating sensitive data.

The Lethal Trifecta

Exfiltration requires three capabilities. Edison Watch tracks these via per-session monotonic flags:

| Capability | Security Flag | Action |
|---|---|---|
| Private Data Access | read_private_data | AI reads internal files, DBs, or docs. |
| Untrusted Content | read_untrusted_public_data | AI fetches data from the internet. |
| External Communication | write_operation | AI sends data out (Slack, Email, APIs). |

Enforcement Logic: If a session has accessed both Private Data AND Untrusted Content, any subsequent External Communication is paused for human approval.

Session State

State is tracked in the Edison server and is monotonic: once a flag is set (e.g., Private Data accessed), it cannot be unset for that session. This prevents "reset" attacks.

Access Control Levels (ACL)

ACLs prevent sensitive data from flowing to lower-sensitivity destinations regardless of the Trifecta state.

| Level | Rule |
|---|---|
| PUBLIC | Can flow anywhere. |
| PRIVATE | Cannot flow to PUBLIC. |
| SECRET | Cannot flow to PRIVATE or PUBLIC. |

Example: If an agent reads a database marked SECRET, it is immediately blocked from posting to a PUBLIC Slack channel.
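
The enforcement logic and ACL rule above can be modelled in a few lines. This is an added example, not Edison Watch's own code: the Session, ToolCall, evaluate and replay names are hypothetical, and it assumes the ACL level is tracked per session and that only allowed calls raise their flag.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    SECRET = 2

FLAGS = ("read_private_data", "read_untrusted_public_data", "write_operation")

@dataclass
class Session:
    read_private_data: bool = False
    read_untrusted_public_data: bool = False
    write_operation: bool = False
    highest_read: Level = Level.PUBLIC  # assumption: ACL tracked per session

@dataclass(frozen=True)
class ToolCall:  # hypothetical model of one tool call
    name: str
    sets_flag: str  # which of the three flags this tool raises
    level: Level    # ACL level of the source (read) or destination (write)

def evaluate(session: Session, call: ToolCall) -> str:
    """Return 'allow', 'block' (ACL) or 'needs_approval' (trifecta)."""
    if call.sets_flag not in FLAGS:
        raise ValueError(f"unknown flag: {call.sets_flag}")
    if call.sets_flag == "write_operation":
        if session.highest_read > call.level:  # ACL applies regardless of flags
            return "block"
        if session.read_private_data and session.read_untrusted_public_data:
            return "needs_approval"
    else:
        session.highest_read = max(session.highest_read, call.level)
    # Monotonic: flags only go False -> True (assumed: only on allowed calls).
    setattr(session, call.sets_flag, True)
    return "allow"

def replay(calls):
    session = Session()
    return [evaluate(session, c) for c in calls], session

SAMPLE = [  # constructed session, not real Edison Watch log data
    ToolCall("slack_post", "write_operation", Level.PRIVATE),
    ToolCall("read_wiki", "read_private_data", Level.PRIVATE),
    ToolCall("fetch_url", "read_untrusted_public_data", Level.PUBLIC),
    ToolCall("slack_post", "write_operation", Level.PRIVATE),
    ToolCall("query_db", "read_private_data", Level.SECRET),
    ToolCall("slack_post", "write_operation", Level.PUBLIC),
]
```

Calling replay(SAMPLE) shows the same Slack post allowed before the session has touched private and untrusted data, paused for approval afterwards, and blocked outright once SECRET data has been read and the destination is PUBLIC.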

Data Tracking

| Data Type | Logged | Retention (Default) |
|---|---|---|
| Tool Calls | Metadata & Params | 90 Days |
| Results | Truncated Output | 90 Days |
| Security Events | Flag changes & Blocks | 1 Year |
| Approvals | User decisions | 1 Year |

Privacy: Raw file contents and full conversation histories are not tracked or stored on Edison servers.

Transport & Auth

  • Auth: HMAC-signed API keys or SAML 2.0/OIDC.
  • Transport: TLS 1.2+ mandatory.
  • Isolation: Clients communicate only with the Edison server; no direct client access to MCP backends.
