TL;DR: Edison.Watch is building Open Edison, an MCP firewall and policy layer that intercepts AI agent calls, enforces rules, and prevents stealthy data exfiltration—designed so small teams can deploy guardrails at startup speed.

The product: Open Edison & how it works

Open Edison is Edison.Watch’s flagship open-source project. It sits as a control plane between AI agents (via the Model Context Protocol) and internal systems of record (databases, email, file stores, tools). It offers observability, rule enforcement, and alerts on agent interactions.

Under the hood, it supports tool-decoration (you add @edison.track() to your functions/tools to bring them under the firewall’s surveillance). The system is designed to monitor the so-called lethal trifecta (private data access, exposure to untrusted content, external communication) and block writes when risk thresholds are crossed.
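As an added illustration of the trifecta rule, not Open Edison's own code: a minimal deterministic policy that tags each tool with the capabilities it exercises, tracks per session which legs of the trifecta have already been touched, and refuses an outbound call once private data and untrusted content are both in play. The tool names, capability flags and threshold rule are constructed for this example.

```python
"""Toy 'lethal trifecta' tracker (hypothetical illustration, not Open Edison's code)."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    NONE = 0
    PRIVATE_DATA = auto()     # reads a system of record (mail, DB, files)
    UNTRUSTED_INPUT = auto()  # ingests content an outsider may control
    EXTERNAL_COMM = auto()    # can push data out (email, HTTP, Slack)


# Constructed tool manifest: which capability each tool exercises.
TOOL_CAPS = {
    "read_inbox": Cap.PRIVATE_DATA,
    "fetch_calendar_invite": Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT,
    "browse_url": Cap.UNTRUSTED_INPUT,
    "send_email": Cap.EXTERNAL_COMM,
    "summarize": Cap.NONE,
}


@dataclass
class Session:
    seen: Cap = Cap.NONE                  # legs of the trifecta touched so far
    log: list = field(default_factory=list)


def authorize(session: Session, tool: str) -> tuple[bool, str]:
    """Allow the call unless it would complete the trifecta with an outbound channel."""
    caps = TOOL_CAPS.get(tool)
    if caps is None:                      # default-deny anything not in the manifest
        session.log.append((tool, "DENY unknown tool"))
        return False, "unknown tool"
    after = session.seen | caps
    risky = Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT
    if caps & Cap.EXTERNAL_COMM and (after & risky) == risky:
        session.log.append((tool, "DENY trifecta"))
        return False, "outbound call with private data and untrusted input in session; needs human sign-off"
    session.seen = after
    session.log.append((tool, "ALLOW"))
    return True, "ok"


def run(calls: list[str]) -> list[bool]:
    """Replay a constructed sequence of tool calls through one session."""
    session = Session()
    return [authorize(session, tool)[0] for tool in calls]
```

Order matters only for the outbound call: sends made before any private data was read are allowed, and the session is reassessed on every later send.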

It ships with support for Docker, REST APIs, a local UI, and integration paths for frameworks like LangGraph or LangChain.

The team behind it

At the helm is Eito Miyamura, cofounder & CEO. His background includes Oxford computer science and prior work in robotics/ML (LinkedIn). His public-facing moves include demonstrating how ChatGPT’s MCP capabilities can be hijacked via malicious calendar invites, showing data leaks of private email content (MEXC).

Beyond Eito, there is limited public disclosure of the other individual team members. But multiple sources indicate a tight-knit, small team composed largely of Oxford CS alumni, intentionally kept lean so they can respond quickly to emerging threats in the agentic AI space.

In startup profiles, Eito has requested intros to CISO / CRO / enterprise security leads as they push into more high-stakes customer segments (GTO Startup). This suggests they are preparing to scale into enterprises with compliance and risk responsibilities.

Why this is a turning point

Agentic AI has crossed the threshold from text playground to system control. Agents can now manipulate infrastructure, send emails, alter data stores. Without explicit constraints, “read” privileges can morph into “leak.”

Existing guardrails—RBAC, static policies—fall short when agents stitch tools across apps (Slack, databases, calendars). Humans used to glue context; agents don’t carry context in the same way.

Micro-teams move fast, adopt new agent stacks rapidly, and often lack internal security discipline. Edison’s approach gives them a deterministic firewall rather than relying solely on probabilistic heuristics. Having that early is the difference between heroic rescue and permanent damage.

Tips (for micropreneurs)

  • Limit tools: enable only what the AI agent needs. Turn off auto-send, auto-write.

  • Gate cross-system flow: if your agent touches email, Slack, Notion, mediate via a proxy.

  • Treat every external input as hostile: calendar invites, package metadata, web pages—all could carry prompt injections.

  • Prefer deterministic controls: explicit policies beat fuzzy heuristics.

  • Sandbox new code: avoid giving agents raw filesystem or CLI access without oversight. Watch for “yolo mode” defaults.

What to watch next

I expect to see a few layers emerge: “bodyguard agents” overseeing “executor agents,” open MCP firewall frameworks baked into dev stacks, and standardized safety protocols around MCP adoption.

Until jailbreak risk is fully tamed—which it is not—the safer path is layered: proxies, policy, observability, and human sign-off on writes.

Closing resonance

Micro Empires succeed when leverage lies on the side of discipline, not exposure. Edison.Watch is building more than a product—it’s cultivating a posture: small, precise, auditable. If you're deploying agentic AI (like MCPs) in your business, build an MCP firewall first. Then scale with confidence.
