Two architectures keep showing up in AI agent runtime security in 2026. Both promise to stop bad agent actions before they complete. Underneath they work differently, and the difference matters when an agent goes wrong in production. The first is webhook-based runtime monitoring. The AI platform calls out to a policy service before executing an action, the service decides, and the platform respects the answer. Obsidian Security frames its product this way. From their AI Agent Runtime Security page : "evaluate every agent against OWASP-aligned risk factors in real time, and use webhooks to intercept and stop policy-violating, high-risk executions before they complete." The second is the network-egress firewall. A proxy sits between the agent and the network. Traffic routed through the proxy gets inspected before it leaves or before the response reaches the agent. The proxy decides allow or block based on the content of the traffic itself, not on whether the agent asked for a policy decision.…