Every SSH server you have ever connected to can display a banner before authentication. Most organizations put one there:
WARNING: This system is for authorized use only. All activity
is monitored and recorded. Unauthorized access is prohibited
and subject to criminal prosecution under applicable law.
Nobody has ever been deterred by this. No attacker has read “unauthorized access is prohibited” and reconsidered. The banner exists for legal compliance. It is not a security control. It is a paragraph.
And yet the AI industry is building agent security on the same premise: if you write the right words in the right place, the agent will behave.
The modern SSH banner#
System prompts are the AI agent’s SSH banner. Text that tells the agent what it should and should not do, presented before the agent begins operating, enforced by nothing.
“Do not access files outside the working directory.” “Do not exfiltrate sensitive data.” “Do not use credentials for unauthorized purposes.” These exist in the same category as “UNAUTHORIZED ACCESS PROHIBITED”: they describe desired behavior. They do not constrain actual behavior.
Guardrail models evaluate agent outputs and flag violations. This is a second banner that reads the first one and writes a report. Safety training bakes the banner into model weights; more durable, but still behavioral. Sandboxes restrict the agent’s process, which is real security for the host, but the agent inside the sandbox still has the API keys.
The industry is layering text on top of text and calling it defense in depth. Multiple banners is not defense in depth. It is the same banner written in different fonts.
Banners vs. locks#
The answer to SSH security was not a better banner. It was public key cryptography, certificate authorities, and killing password authentication entirely. The banner stayed for legal compliance. The security moved to mechanisms that do not require reading.
Agent security is the same problem. System prompts are alignment notices; they should stay. But no one confuses an SSH banner with SSH security. The entire field of information security exists because text does not work. The SSH banner says “unauthorized access is prohibited.” The lock on the door makes unauthorized access impossible. One is a sentence. The other is security.