# Veto

> Kernel-level enforcement engine that protects AI agent environments from unauthorized execution and data exfiltration.

Veto is Ona's kernel-level enforcement engine for AI agents. It runs as a Linux Security Module (LSM) inside the environment kernel, below the agent, below userspace. The LLM cannot bypass or disable it.

AI agents reason about security boundaries and work around them. Traditional runtime security operates above the agent, making it observable and evadable. Veto moves enforcement below the agent's reach.

## Capabilities

<div className="overview-cards">
  <a href="https://ona.com/docs/ona/organizations/policies/executable-deny-list" className="overview-card">
    <div className="overview-card-content">
      <div className="overview-card-title">Executable deny list</div>
      <div className="overview-card-desc">Block specific binaries by content hash. Rename-resistant and symlink-resistant. The check and the block happen in the same kernel call, so there is no gap to exploit.</div>
      <div className="overview-card-link">Learn more →</div>
    </div>
  </a>

  <a href="https://ona.com/docs/ona/guardrails/datawall" className="overview-card">
    <div className="overview-card-content">
      <div className="overview-card-title">Datawall <span style={{fontSize: '0.75em', fontWeight: 'normal', opacity: 0.7}}>(coming soon)</span></div>
      <div className="overview-card-desc">Detect confidential data leaving the environment over the network. Fingerprints data in-kernel and monitors all egress, including through TLS.</div>
      <div className="overview-card-link">Learn more →</div>
    </div>
  </a>
</div>

## Kernel-level enforcement

When enforcement operates above the agent, the agent can discover and circumvent it. Path-based deny lists fall to renamed binaries. Userspace sandboxes can be disabled. Proxy-based DLP is avoided by encoding data differently.

Veto enforces at the syscall level. The agent cannot unload the LSM, modify its configuration, or observe whether an action was flagged. The kernel is the last trust boundary before hardware.
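The difference between a path-based and a content-hash deny list (the property the Executable deny list card and the paragraph above describe) can be shown in userspace. This is an added illustration, not Veto's code: a constructed stand-in binary is renamed and then reached through a symlink, and a path match misses both while a hash match catches both. Note that this userspace check still leaves a window between hashing and the later exec; the page's point is that the LSM performs the check and the block in the same kernel call.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash the file's content; open() follows symlinks, so a link hashes its target."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_denied(path: str, denied_paths: set[str]) -> bool:
    """Path-based deny list: matches only the name the caller used."""
    return os.path.abspath(path) in denied_paths


def hash_denied(path: str, denied_hashes: set[str]) -> bool:
    """Content-hash deny list: matches whatever bytes the path resolves to."""
    return sha256_file(path) in denied_hashes


def demo() -> dict[str, bool]:
    """Constructed scenario: a blocked stand-in binary is renamed, then reached via a symlink."""
    with tempfile.TemporaryDirectory() as d:
        blocked = os.path.join(d, "blocked-tool")
        with open(blocked, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed stand-in for a blocked binary\n")
        os.chmod(blocked, 0o755)

        denied_paths = {os.path.abspath(blocked)}   # what a path-based rule records
        denied_hashes = {sha256_file(blocked)}      # what a hash-based rule records

        renamed = os.path.join(d, "totally-fine")   # same bytes, different name
        os.rename(blocked, renamed)
        link = os.path.join(d, "ls")                # same bytes, reached through a link
        os.symlink(renamed, link)

        return {
            "path_blocks_renamed": path_denied(renamed, denied_paths),   # False
            "hash_blocks_renamed": hash_denied(renamed, denied_hashes),  # True
            "path_blocks_symlink": path_denied(link, denied_paths),      # False
            "hash_blocks_symlink": hash_denied(link, denied_hashes),     # True
        }
```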

## Watch: Claude Code vs. Veto

Leonardo walks through how Claude Code bypasses traditional guardrails and how Veto enforces controls from inside the kernel.

<iframe className="w-full aspect-video rounded-xl" src="https://www.youtube.com/embed/kMoh4tCHyZA" title="Claude Code bypasses its own security, then meets the Ona kernel" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerPolicy="strict-origin-when-cross-origin" allowFullScreen />

## Further reading

* [How Claude Code Escapes Its Own Denylist and Sandbox](https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox) - Leonardo's research post that motivated Veto
* [The enterprise agent problem Claude Code wasn't built to solve](https://ona.com/stories/enterprise-agent-problem) - Matt Boyle on the platform layer enterprises need around coding agents
* [Introducing Veto](https://ona.com/stories/introducing-veto-security-for-the-next-era-of-software) - announcement and technical overview
