Invariant Labs — research-grounded agentic security from ETH Zurich
Why the ETH spin-off designation matters for the field, and what it means when a security company's work originates in years of academic publication rather than in a product pitch.
Invariant Labs achieved formal recognition as an ETH Zurich spin-off this month. This is more than a credential. The ETH programme recognises companies that are directly founded on research conducted at the institution — work that was peer-reviewed, published at NeurIPS and ICML, and cited by NIST and the Future of Privacy Forum before a commercial product existed.
Why provenance matters in security
The AI security market in 2024 is full of companies that identified a real problem (agent security is broken) and built products against it. The rare thing is a company where the product is a direct translation of prior academic work on the same problem — where the researcher who published the formal guarantee is also the engineer who implemented the runtime check.
This matters for two reasons. First, the threat models are grounded in real attack research rather than marketing threat taxonomies. When Invariant publishes an attack, it's because they built it and demonstrated it against real systems. Second, the defences derive from formal analysis — the policy language is inspired by Open Policy Agent, not assembled from heuristics.
What the research actually covers
The foundational work addresses: how do you provide formal guarantees about what an AI system will and won't do? That's a harder question than it sounds. Current LLM safety is statistical — the model usually refuses certain requests. Invariant's approach is to move the guarantee outside the model, into a deterministic policy layer that evaluates traces before any action executes.
For anyone building regulated AI systems — financial services, healthcare, critical infrastructure — this distinction is load-bearing. A regulator does not accept "the model usually refuses" as a compliance statement. They accept "the system cannot perform action X under policy Y, and here is the audit log proving it."
Connection to Genie
Genie's governance architecture is directly influenced by this work. The CompositePolicy chain, the dataflow rules, the deterministic evaluation before any agent action — all of these reflect the same architectural intuition: move security out of the model's context and into verifiable infrastructure.
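The pattern described above, a deterministic policy layer that evaluates the trace before any action executes and logs every decision, shown as an added example. It is not Invariant's or Genie's code: `PolicyChain`, the two rules, the tool names and the `@corp.example` domain are hypothetical, and the taint check is trace-level rather than per-value.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    tool: str                 # tool the agent called, or proposes to call
    args: dict
    untrusted: bool = False   # tool returns content from outside the trust boundary

def no_external_send_after_untrusted(trace, action):
    """Dataflow rule (coarse taint): no external send once untrusted content is in the trace."""
    tainted = any(e.untrusted for e in trace)
    external = not action.args.get("to", "").endswith("@corp.example")
    blocked = tainted and action.tool == "send_email" and external
    return "external send after untrusted content entered the trace" if blocked else None

def no_shell(trace, action):
    """Unconditional rule: this agent may never execute shell commands."""
    return "shell execution is not permitted" if action.tool == "run_shell" else None

@dataclass
class PolicyChain:
    rules: list
    audit_log: list = field(default_factory=list)
    def authorize(self, trace, action):
        """Run every rule before the action executes; first denial wins; log each decision."""
        for rule in self.rules:
            reason = rule(trace, action)
            if reason:
                self.audit_log.append((action.tool, "deny", rule.__name__, reason))
                return False
        self.audit_log.append((action.tool, "allow", None, None))
        return True

def step(chain, trace, action, execute):
    """Enforcement point: the tool runs only if the policy chain allows it."""
    if not chain.authorize(trace, action):
        return None
    trace.append(action)
    return execute(action)

def demo():
    """Constructed trace: an untrusted web fetch followed by three proposed actions."""
    chain = PolicyChain([no_shell, no_external_send_after_untrusted])
    trace, ran = [], []
    for a in [Event("fetch_url", {"url": "https://site.example/page"}, untrusted=True),
              Event("send_email", {"to": "someone@other.example"}),
              Event("send_email", {"to": "team@corp.example"}),
              Event("run_shell", {"cmd": "ls"})]:
        step(chain, trace, a, lambda act: ran.append(act.tool))
    return ran, chain.audit_log
```

The denial does not depend on what the model was told or how it responds: the external send and the shell call never reach `execute`, and the audit log records which rule stopped each one.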