Agentic AI Security Reference Architecture (AAI-S RA)

The Agentic AI Security Reference Architecture (AAI-S RA) secures agentic AI applications under a vendor-neutral trust model. A single layered design covers every common deployment shape: web and desktop chatbots, generative coding tools, data-science copilots, RAG systems, MCP servers, agent skills, and multi-agent meshes.

On this page

block-beta
  columns 2
  
  User(["Human user"]):2
  
  Identity["Identity plane"]:2
  
  Control["Control plane"]:2
  
  Runtime["Runtime plane"]:2
  
  Egress["Egress plane"]
  Data["Data plane"]
  
  Obs["Observability plane"]:2

  classDef pip stroke:#0d6efd
  classDef pdp stroke:#fd7e14
  classDef pep stroke:#dc3545
  classDef mixed stroke:#6f42c1
  classDef user stroke:#198754
  
  class User user
  class Identity pip
  class Control pdp
  class Runtime pep
  class Egress pep
  class Data mixed
  class Obs pip

What this RA delivers

The architecture below is the implementation surface of an oversight layer: the system that monitors, evaluates, and intervenes in AI agent behavior in production. The six planes decompose the layer into the four roles codified in NIST SP 800-162 §2.2: PDPs (Policy Decision Points, concentrated in Control), PEPs (Policy Enforcement Points, distributed across Runtime / Egress / Data), PIPs (Policy Information Points, spanning Identity / Data / Observability), and PAP (Policy Administration Point, cross-cutting policy lifecycle). The Sentinels and Operatives split (PIPs feed PDP+PEP) is the runtime decomposition. The goal is verified accountable autonomy: agents act independently, but every action is verifiable, auditable, and bounded by enforced policy.

Gartner calls this layer a guardian agent in its procurement taxonomy. The architectural primary term (oversight layer / PDP+PEP) applies when discussing components; the procurement synonym (guardian agent) applies when discussing vendor categories. See Oversight Layer (PDP + PEP for Agentic AI) §Cross-walk for the full term comparison.

Design principles

Five principles anchor the architecture, drawn from Q1 2026 incident data and practitioner consensus.

  1. Platform-level enforcement, not prompt-level. Every control that matters runs in the runtime/platform, below the model. Prompt-level guardrails are bypassable by definition. (Consensus across AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks, Emerging Cybersecurity Practices for Agentic AI Applications, Securing the Autonomous Future: Trust, Safety, and Reliability of Agentic AI.)
  2. Least agency, not just least privilege. Autonomy and agency are distinct governable dimensions: agency is the scope of permitted actions; autonomy is the degree of independent decision-making within that scope (definitions per the AWS Agentic AI Security Scoping Matrix). An agent’s allowed tier (auto / notify / confirm / block) is set per-action, not per-agent. (OWASP, Least Agency Principle.)
  3. Verifiable identity for every actor. Every agent has a cryptographic identity that traces back to a human. Action-to-identity binding is the foundation for audit, revocation, and compliance. (AI Agent Identity Architecture, NIST CAISI Concept Paper, Feb 2026.)
  4. No agent owns credentials. The credential proxy pattern is load-bearing; 5+ tools converged on it independently. Even successful prompt injection cannot extract credentials that never enter context. (Credential Proxy Pattern for AI Agents.)
  5. The “Lethal Trifecta” is a structural test. Any deployment combining private data, untrusted content, and external comms is unconditionally vulnerable. The architecture must break the trifecta at the platform layer. (Lethal Trifecta, Simon Willison.)

Competing evidence on principles 1 and 5

See Wiki Novelty and Counter-Arguments §Thesis 1 (platform vs prompt) and §Thesis 3 (Lethal Trifecta).

Principle 1: the framing is hierarchy, not exclusivity. Prompt-layer guardrails reduce ASR materially (LlamaFirewall PromptGuard 2 on AgentDojo: 17.6%→7.5%, combined with AlignmentCheck to 1.75%; Anthropic Constitutional Classifiers: 86%→4.4% jailbreak success).1 Platform-layer is primary because injection cannot bypass it; prompt-layer is residual-risk reduction. RAG hardening + system-prompt architecture pages already carry residual-risk callouts in this spirit.

Principle 5: “unconditionally vulnerable” is design-time pedagogy. In production, Stripe’s containment architecture runs trifecta agents and reports 1.5–6.7% ASR depending on model (single-source practitioner data, not independently replicated): probabilistically exploitable, not unconditional. The Lethal Trifecta is necessary for natural-language exfil at scale and sufficient given current defense maturity to require platform-layer containment. Containment can drive ASR very low but not to zero, which remains unacceptable for high-risk-tier actions.

The six planes

The architecture decomposes into six logical planes. Multiple planes may be implemented by a single product, but the controls must be addressable independently.

Plane order reflects action flow (User → Identity → Control → Runtime → Egress / Data). Each plane is annotated with its XACML role (PIP / PDP / PEP / PAP). Observability spans the bottom as a cross-cutting plane consuming signals from all five above.

Each plane table carries a Type column classifying its reference implementations: OSS (open-source software), COTS (commercial off-the-shelf vendor product or SaaS), Std (formally governed standard or specification: IETF, CNCF, OWASP, NIST), Infra (generic infrastructure primitive such as a cloud VPC or Docker networking), Research (academic prototype with no shipped production implementation), Concept (architectural concept without a canonical implementation yet), and Exploratory (forward-looking prototype or ecosystem project, e.g., OpenClaw, that indicates where agentic security is heading; treat as an emerging indicator, not a foundational control). Many rows combine types (e.g., “OSS + COTS”) where a capability has both free and commercial implementations in common use.

block-beta
  columns 2
  
  User(["Human user"]):2
  
  Identity["Identity plane · PIP-side<br/>Workload identity · Agent lifecycle<br/>NHI governance · Credential proxy"]:2
  
  Control["Control plane · PDP + PAP<br/>Policy evaluation · Capability tokens<br/>Least-agency tiers · HITL"]:2
  
  Runtime["Runtime plane · PEP (in-process)<br/>Lifecycle hooks · Input filtering<br/>CoT auditing · Code scanning<br/>Sandboxing"]:2
  
  Egress["Egress plane · PEP (broker)<br/>Agent/MCP proxy · Tool authorization<br/>Tool integrity · Egress filtering"]
  Data["Data plane · PIP + PEP<br/>AI-BOM · RAG provenance<br/>Memory integrity · State rollback<br/>Supply-chain scanning"]
  
  Obs["Observability plane<br/>PIP (cross-cutting)<br/>Distributed tracing<br/>Behavioral monitoring · AI-SPM<br/>Red-team integration"]:2

  classDef pip fill:#cfe2ff,stroke:#0d6efd,color:#000
  classDef pdp fill:#fff3cd,stroke:#fd7e14,color:#000
  classDef pep fill:#f8d7da,stroke:#dc3545,color:#000
  classDef mixed fill:#e2d5f3,stroke:#6f42c1,color:#000
  classDef user fill:#d1e7dd,stroke:#198754,color:#000
  
  class User user
  class Identity pip
  class Control pdp
  class Runtime pep
  class Egress pep
  class Data mixed
  class Obs pip

The six planes map one-to-one onto the CMM’s per-plane domains: Identity ↔ D2, Control ↔ D3, Runtime ↔ D4, Egress ↔ D5, Data ↔ D6, Observability ↔ D7.

The domain recalibration carries six calibration points into this architecture:

  1. Identity-first sequencing. Per-agent identity is the prerequisite for per-agent egress and observability (the D2→D5 and D2→D7 caps), so build the Identity plane before investing in Egress or Observability.
  2. Per-task capability tokens remain leading-edge. As of 2026-Q2 no hyperscaler platform ships them natively; the only implementation is the early-stage Tenuo OSS primitive (see D2, which places them at L5+).
  3. The Control plane now has platform-native PDPs: AWS AgentCore Policy (GA) and the Microsoft Agent Governance Toolkit (OSS).
  4. Runtime’s reasoning-layer controls are preview, not GA: chain-of-thought auditing and groundedness checks.
  5. The Data plane’s load-bearing control for a closed-corpus bot is answer-time entitlement enforcement against oversharing / inference exposure, not corpus attestation; the Azure RAG chatbot security profile works this case end to end.
  6. Licensing is near-zero for an E5 incumbent across most planes; the real cost is labor and SIEM run-rate.

For an all-Microsoft deployment, the 2026-Q2 ZT4AI review maps named, deep-linked controls to each plane: Entra Agent ID and Conditional Access (Identity), least-action design plus the Agent Governance Toolkit PDP (Control), Prompt Shields with preview Groundedness / Task Adherence (Runtime), Entra Internet Access and the APIM AI Gateway (Egress), Purview answer-time entitlement and DSPM (Data), Defender XDR and Sentinel agentic-SOC tooling (Observability). The preview status of the adaptive Runtime and Observability controls is what the recalibration’s grading reflects.

1. Identity plane

The Identity plane binds every agent to a verifiable identity that traces back to a human principal. It covers workload identity, agent and Non-Human Identity (NHI) lifecycle governance, the credential-proxy primitive, action-to-identity tracing, and OAuth 2.1 / OIDC delegation extensions for agents.

CapabilityReference implementationTypeStatus
Workload identity SPIREOSS + StdMature
Agent identity & lifecycleMicrosoft Entra Agent ID + Agent 365 Registry (GA May 1, 2026); AWS Bedrock AgentCore identities (GA); GCP Agent Identity (GA, SPIFFE-based); Okta for AI Agents (Early Access; GA expected FY27)COTSGA platform-native on all three hyperscalers
Non-Human Identity governanceAembit, Astrix Security, CyberArk Conjur, Okta NHI, Oasis SecurityCOTSDeveloping
Credential proxyAgentKeys, Keychains.dev, Aegis (local), OneCLI, AgentSecretsOSS / COTSDeveloping — 5-tool convergence
Action-to-identity tracingMicrosoft Agent 365, Anthropic Compliance API (Mar 24, 2026)COTSMature (vendor-stack-locked)
OAuth 2.1 / OIDC for agentsStandard OIDC + NIST CAISI Concept Paper extensions (Feb 2026)StdDeveloping

The credential proxy is the load-bearing control of this plane. Five OSS and commercial tools converged on the same architecture independently. A credential that never enters the model’s context cannot be extracted by prompt injection. See Credential Proxy Pattern for AI Agents.

2. Control plane

The Control plane adjudicates policy and issues capability tokens before an agent’s tool call reaches the runtime. It evaluates Cedar / OPA Policy Decision Points, issues task-scoped Warrants, runs the OWASP four-tier least-agency engine, gates high-impact actions through HITL, and applies CSA ATF risk-based step-up.

CapabilityReference implementationTypeStatus
Policy language / PDP engineCedar, Rego; platform-native PDPs: AWS Bedrock AgentCore Policy (Cedar, GA Mar 2026), Microsoft Agent Governance Toolkit (OSS, sub-0.1 ms)OSS + COTSGA platform-native
Capability tokens / WarrantsTenuo Warrants — task-scoped, signed, ephemeral, holder-bound capability authorizations with monotonic attenuation (the ambient-to-derived authority shift)OSSLeading-edge — no platform-native implementation; single early-stage OSS primitive
Least-agency tier engineOWASP four-tier (auto / notify / confirm / block)StdConceptual; needs reference implementation
Tool annotation enforcementAnthropic tool annotations, OpenAI function-call schemas; Stripe Toolshed annotation PEPCOTSMature
HITL primitiveHuman-in-the-loop confirmation gate before high-impact tool calls; Plan-Validate-Execute deterministic gate (Google Workspace); distributed kill switch for halt authorityConcept + PracticeDeveloping
Risk-based step-upCSA Agentic Trust Framework v1.0 (Feb 2, 2026) — 4 maturity levels gated by 5 promotion gates2StdDeveloping

The control plane breaks the Lethal Trifecta. If a tool call combines private-data scope, untrusted-content provenance, and external-comms reach, the PDP downgrades to a safer tier (notify or confirm) or denies the call.

3. Runtime plane

The Runtime plane defends the agent process itself. It installs lifecycle hooks (Google ADK, Anthropic), filters input for prompt injection, audits chain-of-thought alignment, scans code output statically, classifies content safety, and sandboxes each task. At research stage, it also separates the privileged and quarantined LLMs.

CapabilityReference implementationTypeStatus
Lifecycle hooksGoogle ADK before_model_callback / before_tool_callback; Anthropic tool-use hooksOSS + COTSMature
prompt-injection detectionLlamaFirewall PromptGuard 2, NVIDIA NeMo Jailbreak Detection NIM, Palo Alto Prisma AIRS, Onyx Platform runtime protectionOSS + COTSMature
Chain-of-thought alignment auditingLlamaFirewall AlignmentCheckOSSDeveloping — novel primitive
Code-output static analysisLlamaFirewall CodeShield, GitHub Copilot for SecurityOSS + COTSDeveloping
Topic / content safetyNVIDIA NeMo Content Safety NIM, Lakera Guard, Lasso, Microsoft Prompt ShieldsCOTSMature
Sandbox / containmentFirecracker (per-task VM), gVisor container, WebAssembly sandbox; Agent Sandbox (Kubernetes-native CRDs: SandboxTemplate blueprint + SandboxClaim, gVisor default)OSSMature
Compartmentalized LLMs (CaMeL pattern)Privileged + Quarantined LLM split (Google DeepMind)ResearchResearch-stage
Proof-of-Guardrail attestationAWS Nitro Enclaves + Miggo SecurityCOTSResearch-stage

Note on bypass risk. The Trendyol Tech LlamaFirewall bypass (non-English and leetspeak prompt injections) confirms no single guardrail is sufficient. Defense-in-depth across all six planes is required.

4. Egress plane

The Egress plane mediates an agent’s reach to tools, MCP servers, peer agents, and the open internet. It proxies MCP / A2A / LLM traffic through a gateway, authorizes MCP calls at runtime, defends against tool poisoning and rug-pulls, enforces agent-to-agent cryptographic identity, filters egress destinations, and segments the network per agent.

CapabilityReference implementationTypeStatus
MCP / A2A / LLM proxyAgentGateway (Linux Foundation, July 2025), Solo Enterprise for agentgatewayOSS + COTSMature (OSS)
MCP runtime authorizationOperant MCP Gateway, Natoma; Stripe Toolshed (annotation PEP); AgentCordon (OSS Cedar PDP + MCP gateway)OSS + COTSDeveloping
rug-pull defenseSolo Enterprise tool-server fingerprinting, versioning, runtime policyCOTSDeveloping
Agent-to-agent cryptographic identityA2A v1.0 §8.4 signed Agent Cards (Std baseline); Oktsec (Ed25519 sigs, 268 detection rules, content scanning)Std + COTSDeveloping
Network-layer prompt-injection containmentMicrosoft Entra Internet Access prompt-injection protection (GA Mar 2026); Layer-0 control outside the agent processCOTSGA
Egress destination filteringCredential proxy destination allowlists, Smokescreen SSRF egress proxy (Stripe OSS), Docker DOCKER-USER chainOSSMature
Network segmentationPer-agent subnet, agent VPC isolationInfraMature

The egress plane contains the MCP attack surface. Q1 2026 produced 30+ MCP CVEs (see MCP CVEs Q1 2026), revealing systematic path traversal and injection vulnerabilities across server implementations; AgentGateway’s automatic token exchange limits each tool’s permissions to exactly what it needs.

5. Data plane

The Data plane attributes trust and enforces integrity across training data, retrieval corpora, knowledge bases, per-session memory, and the AI Bill of Materials. It generates and reconciles the ML-BOM, attests RAG provenance, defends against memory poisoning, maintains cognitive file integrity for agent identity files, rolls back corrupted state, and scans the supply chain.

OpenClaw provenance. Five rows in this table (RAGShield, TrustRAG, SecureClaw / cognitive file integrity, Brain Git, Aguara Watch) come from the OpenClaw ecosystem, which indicates where agentic data-plane security is heading rather than providing battle-tested controls. They are retained because they identify real capability gaps and likely future directions, but they are classified Exploratory and are not foundational evidence on par with OWASP AIBOM, sigstore, or Miggo Security. Treat them as emerging indicators and validate independently before production deployment.

CapabilityReference implementationTypeStatus
Answer-time entitlement enforcement / oversharing remediationMicrosoft Purview DSPM for AI + oversharing assessments; label-aware DLP for M365 Copilot; Restricted SharePoint Search (site-capped stopgap); generalizes to the usage-control (UCON) model of continuous authorizationCOTSGA — the load-bearing control against inference exposure for closed-corpus member/customer bots (see D6 deep dive)
AI/ML-BOM generationOWASP AIBOM Generator (CycloneDX ML-BOM, v1.7 current), SPDX 3.0 AI extensions, IBM Granite 4.0 disclosuresOSS + StdDeveloping
Runtime AI-BOMMiggo Security DeepTracing (behavioral baseline)COTSDeveloping — novel
RAG provenance / attestationRAGShield (cryptographic doc attestation), TrustRAGExploratoryExploratory — OpenClaw ecosystem; not production-validated
Memory poisoning defenseMicrosoft Defender for Cloud Apps memory-injection detector (50+ examples found, March 2026); namespace isolation (structural — memory keyed by code, not LLM-assertable)COTS + ConceptDeveloping
Cognitive file integritySHA-256 monitoring of SOUL.md, IDENTITY.md; SecureClawExploratoryExploratory — OpenClaw ecosystem; emerging indicator, not foundational control
State rollbackBrain Git (SlowMist)ExploratoryExploratory — OpenClaw ecosystem; no production adoption evidence
Skill / model registry signingsigstore / cosign, OWASP AIBOMOSSDeveloping
Supply-chain scanningJFrog ML scan, ReversingLabs; AgentShield (OSS — scans the agent-harness config tree: secrets, hooks, MCP, permissions)OSS + COTSDeveloping
Supply-chain scanning (emerging)Aguara Watch (5 registries daily, SlowMist)ExploratoryExploratory — OpenClaw ecosystem; forward indicator for registry hygiene direction

The data plane sustained the most damage in Q1 2026: ClawHavoc (1,184+ malicious skills), SANDWORM_MODE (npm worm into MCP), LiteLLM compromise. Defense requires registry, pre-install, checksum, and cognitive-file integrity controls layered together.

6. Observability plane

The Observability plane provides full-stack visibility across the five upstream planes. It implements OpenTelemetry gen_ai.* semantic conventions, agent-aware tracing, AI-SPM, agent behavioral monitoring, identity multiplexing in logs, and SIEM/SOAR with agent playbooks. It integrates AI red-teaming as a continuous feed rather than a point-in-time exercise.

CapabilityReference implementationTypeStatus
OpenTelemetry gen_ai.* semantic conventionsOTel SemConv v1.37+ (CNCF standard; SIG contributors: Amazon, Elastic, Google, IBM, Langtrace, Microsoft, OpenLIT, Scorecard, Traceloop)StdMature (experimental status, broad adoption)
Agent-aware tracingLangSmith, Langtrace, Traceloop, HeliconeOSS + COTSMature
AI-SPM (Security Posture Management)Wiz AI-SPM, Palo Alto Prisma AIRS, Orca AI-SPM, Reco, Onyx Platform, Google Agent Security dashboard (Security Command Center, preview)COTSMature
Agent behavioral monitoring (anomaly detection on agent activity)Vectra AI, Miggo behavioral drift, Google SecOps Agent Anomaly Detection (LLM-as-a-judge on agent reasoning, preview); pattern: three-level behavioral anomaly detection over a cost-ordered detection cascadeCOTSDeveloping
Agent behavioral monitoring (emerging)SecureClaw nightly auditsExploratoryExploratory — OpenClaw ecosystem; forward indicator for agent audit direction
Trip-wire / canary detectionCanary tokens planted in system prompts and RAG wrappers; fires on injection / system-prompt exfil at the post-LLM hookConceptDeveloping
Security-event preservationContext-aware trimming — pin tagged security events so a multi-attempt injection cannot hide across the context-window trim boundaryConceptDeveloping
Identity multiplexing in logsAgent Observability §3ConceptDeveloping
SIEM / SOAR with agent playbooksSplunk + agent IOCs, Sentinel + Defender for Cloud, Falcon AIDR + NeMo GuardrailsCOTSDeveloping
AI red-teaming integrationPromptfoo, Mindgard CART, PyRIT (Microsoft), Garak (NVIDIA), Palo Alto Prisma AIRS (continuous CART)OSS + COTSMature

Observability scaling is a primary engineering constraint for agentic workloads. At production volume, pre-aggregation at the runtime hook is required: raw per-span emission overruns the SIEM.

Mapping to deployment shapes

The six-plane structure applies to every deployment shape; the active controls and their relative weight differ by shape. The table below specifies which planes are exercised and which controls are load-bearing for each shape.

Deployment shapeIdentityControlRuntimeEgressDataObservability
Web/desktop chatbot (no tools)OIDC for human; agent runs as bot identityTopic-control, content-safety policiesNeMo Content Safety, Lakera GuardNone (no tools)RAG corpus onlyOTel gen_ai.*
Generative coding tool (Copilot, Cursor, Claude Code)Workspace identity + per-repo scope; agent rules files (.cursorrules / IDENTITY.md) baselinedPre-commit hooks, Cedar policy on file mutation; destructive-action classification routes force-push / mass refactor / prod-config writes to confirm or blockLlamaFirewall CodeShield + AlignmentCheck; per-task sandbox; rogue IDE extension detection (Kirin / equivalent)Source-control + LSP only; typosquat-aware dependency install gateRepo content + skill registry; cognitive file integrity for rules files AND IDENTITY.mdLangSmith / Langtrace; tool-call audit; MCP usage + rule changes + policy-violations dashboard (Kirin-class)
Data-science copilot (Jupyter, notebooks)User identity passthroughSandbox-resource policy; HITL on dataset writesPer-notebook sandbox (Firecracker)Internal data warehouse via credential proxyDataset lineage + AI-BOMOTel + behavioral drift
RAG application (Azure worked example)Per-tenant agent identitySource-trust attribution; lethal-trifecta breakerInput filter on prompts; output classifier + groundedness checkVector store + per-source allowlistClosed corpus: answer-time entitlement enforcement + oversharing remediation (the live risk); open/multi-writer corpus: document attestation + PoisonedRAG defenseRetrieval-pattern behavioral monitoring
MCP server (consumed by agents)mTLS + workload identity (SPIFFE)OAuth 2.1 token exchange (CoSAI / NIST CAISI)Tool-fingerprinting, rug-pull detection (Solo Enterprise)n/a (server-side)Skill/server signing, version pinningMCP CVE feed integration
Agent skill (e.g., Claude skill, Anthropic plugin)Skill author identity (signed)Skill-scoped Cedar policySkill manifest validation; runtime sandboxPer-skill egress allowlistSkill registry signing (sigstore); cognitive file integritySkill execution telemetry
Multi-agent mesh (A2A v1.0)Per-agent Ed25519 identity (Oktsec-side; not in spec); SPIFFE/SPIRE workload identityCross-agent ACL (Oktsec default-deny); A2A opacity principle; per-skill authorization advertised in Agent Card; stop-mesh-vs-isolate containment doctrine (Multi-Agent Runtime Security)Per-agent runtime sandbox; AgentGateway broker betweenA2A v1.0 over HTTPS / TLS 1.3 + signed Agent Cards (§8.4) + content scanning (Oktsec 268 rules); replay protection layered by impl (timestamps + nonces)Shared memory / blackboard with provenance; cross-agent OTel gen_ai.* trace propagationPairwise/triadic traffic baselines; graph-walk anomaly detection (SentinelAgent / TraceAegis-class, prototype); cross-agent drift correlation; cascade detection per ASI08 doctrine

Opinionated tool selections per plane for two common org profiles. Neither stack is exhaustive — treat each as a starting point extensible per deployment shape and risk profile.

Enterprise stack (COTS-heavy)

Suited for large organizations with existing vendor relationships, centralized IAM, and SOC/SIEM infrastructure. Prioritizes vendor SLAs, support contracts, and integrations with Microsoft 365 / AWS / GCP environments.

PlanePrimary choicesNotes
IdentityMicrosoft Entra Agent ID + Microsoft Agent 365 Registry (GA), AWS Bedrock AgentCore, or GCP Agent Identity (all GA); Okta for AI Agents (Early Access, GA expected FY27); CyberArk Conjur or Aembit for NHI governancePer-agent identity is GA platform-native on all three hyperscalers; build this plane first (it gates Egress and Observability); per-task capability tokens remain off-stack / leading-edge
ControlAWS Cedar managed policy service (March 2026 AI governance release); Anthropic Compliance API or Microsoft Agent Governance Toolkit (Apr 2026); Permit.io for RBAC UICedar is the enterprise-grade choice; COTS wrappers add audit + workflow tooling
RuntimeLlamaFirewall (Meta OSS — no license cost) + NVIDIA NeMo NIMs (commercial inference); Microsoft Prompt Shields for content safety; per-task Firecracker VM or Hyper-V sandboxMix OSS guardrail (LlamaFirewall) with COTS NIM delivery for SLA coverage
EgressAzure API Management AI Gateway (Microsoft stack: LLM token governance + inline Content Safety + MCP brokering with Entra/OAuth authorization, GA) or Entra Internet Access for network-layer PI / Shadow-AI filtering; Solo Enterprise for AgentGateway, Kong AI Gateway, or Cloudflare AI Gateway; Operant MCP Gateway for MCP-specific authorization; mTLS via Istio / LinkerdAll-Microsoft shops have a native LLM gateway (APIM); MCP tool-integrity / rug-pull defense and per-task capability tokens still require an off-stack tool (Solo / Operant / Tenuo)
DataMicrosoft Purview AI (M365 environments); Wiz AI-SPM or Palo Alto Prisma AIRS; JFrog ML Catalog for AI-BOM; ReversingLabs for supply-chain scanningStack assumes M365 + cloud environment; swap Purview for CASB equivalent if GCP/AWS-native
ObservabilityDataDog AI Monitoring or New Relic AI Monitoring (OTel-native); LangSmith for agent-specific tracing; Mindgard CART for continuous red-teaming; Vectra AI or Palo Alto Cortex XSIAM for behavioral monitoringOTel gen_ai.* spans feed into existing SIEM; Mindgard replaces point-in-time red-team for CARTS programs

FOSS / small-team stack

Suited for research teams, security teams running internal agent experiments, startups, or orgs with open-source mandates. Prioritizes zero licensing cost, community support, and composability. Requires more operational ownership.

PlanePrimary choicesNotes
Identity SPIRE for workload identity; standard OAuth 2.1 + OIDC (any provider) for delegation; Aegis or AgentKeys for credential proxySPIFFE is the vendor-neutral workload-identity standard; pairs with any OIDC-compatible IdP
ControlRego or Cedar (open-source distribution); Tenuo Warrants (Rust OSS) for task-scoped capability tokens; OWASP least-agency four-tier guidance for tier designBoth Cedar and OPA are fully OSS; Tenuo adds cryptographic delegation without a license
RuntimeLlamaFirewall PromptGuard 2 + AlignmentCheck + CodeShield (Meta OSS); NVIDIA NeMo Guardrails (OSS portion); Firecracker or gVisor for per-task sandboxingFull LlamaFirewall stack is zero-cost; Firecracker is AWS OSS (Apache 2.0); gVisor is Google OSS
EgressAgentGateway (Linux Foundation, Apache 2.0); mTLS via Istio (CNCF OSS) or Linkerd (CNCF OSS); Docker DOCKER-USER iptables chain for egress filteringAgentGateway is the canonical OSS agent proxy; Istio adds mTLS with near-zero operational overhead vs DIY
DataOWASP AIBOM Generator (CycloneDX ML-BOM, OSS); sigstore / cosign for artifact signing; lockfile enforcement + SCA for slopsquatting; RAGShield or TrustRAG for RAG attestation; Brain Git (SlowMist) for state rollbackAll zero-cost; for a closed-corpus bot the load-bearing control is answer-time entitlement enforcement (no strong FOSS option — this is a COTS/platform gap); RAGShield/TrustRAG are research-grade
ObservabilityOpenTelemetry gen_ai.* SemConv (CNCF standard, v1.37+); Langtrace or Traceloop (OSS) for agent-aware tracing; PyRIT (Microsoft OSS) + Garak (NVIDIA OSS) + Promptfoo (OSS) for red-team coverageOTel is the zero-cost observability foundation; the three red-team tools cover orchestration / probe / regression — all open-source

The enterprise stack exceeds the FOSS stack primarily in operational overhead reduction (vendor support, pre-built integrations), not raw security capability: at L4 CMM a well-operated FOSS stack reaches comparable controls. The FOSS stack is production-viable at D3–D4 of the CMM for most deployment shapes. The Research-type items (CaMeL, RAGShield at scale) are not yet production-ready for either stack.

Threat-control matrix (OWASP Agentic AI Top 10 → planes)

Maps OWASP Agentic AI Top 10 (ASI01ASI10) risk categories to the planes that primarily mitigate them. Most categories have controls in multiple planes; the following table identifies the primary control surface and lists reference controls for each.

flowchart LR
    subgraph Threats[Threats]
        ASI01[ASI01: Goal Hijack]
        ASI02[ASI02: Tool Misuse]
        ASI03[ASI03: Identity & Privilege]
        ASI04[ASI04: Supply Chain]
        ASI05[ASI05: Unexpected Code Execution]
        ASI06[ASI06: Memory Poisoning]
        ASI07[ASI07: Inter-Agent Comms]
        ASI08[ASI08: Cascading Failures]
        ASI09[ASI09: Human-Agent Trust]
        ASI10[ASI10: Rogue Agents]
    end
    subgraph Planes[Planes]
        ID[Identity]
        CTL[Control]
        RT[Runtime]
        EG[Egress]
        DT[Data]
        OBS[Observability]
    end
    ASI01 --> RT & CTL
    ASI02 --> CTL & EG
    ASI03 --> ID
    ASI04 --> DT
    ASI05 --> RT & CTL
    ASI06 --> DT
    ASI07 --> EG
    ASI08 --> CTL & OBS
    ASI09 --> OBS & CTL
    ASI10 --> ID & OBS
OWASP ASIPrimary planeReference controls
ASI01 Goal HijackRuntime + ControlLlamaFirewall AlignmentCheck; HITL on goal-changing actions
ASI02 Tool MisuseControl + EgressCedar/OPA tool-call policy; AgentGateway runtime authz
ASI03 Identity & PrivilegeIdentityOkta for AI Agents; Microsoft Entra Agent ID; credential proxy
ASI04 Supply ChainDataOWASP AIBOM Generator; sigstore; Aguara Watch
ASI05 Unexpected Code Execution (RCE)Runtime + ControlSandboxed execution (e.g. mcp-run-python); ban eval / safe interpreters; code-generation/execution separation with validation gates; LlamaFirewall CodeShield
ASI06 Memory PoisoningDataRAGShield; cognitive file integrity; M365 memory-injection detector
ASI07 Insecure Inter-AgentEgressA2A v1.0 over HTTPS + signed Agent Cards (§8.4); Oktsec Ed25519 message signing + content scanning (268 rules)
ASI08 Cascading FailuresControl + ObservabilityStep-up gates (CSA ATF); pairwise/triadic baselines; graph-walk anomaly detection; stop-mesh-vs-isolate doctrine (Multi-Agent Runtime Security)
ASI09 Human-Agent Trust ExploitationObservability + ControlPlan-divergence detection; provenance UI with risk-differentiated prompts; HITL confirmation on sensitive actions; oversight-personnel training
ASI10 Rogue AgentsIdentity + ObservabilityBehavioral drift detection; Okta Agent Discovery; distributed kill switch

The ASI categories above are the awareness-level labels; the underlying reference threat model the RA defends against is the T1–T17 catalog in OWASP Agentic AI Threats and Mitigations, which places each threat on a single-agent and multi-agent reference architecture and resolves them into six defensive playbooks that map cleanly onto these planes. For the certification view of where these controls are required, the OWASP ASI to AIUC-1 crosswalk maps each ASI category to specific AIUC-1 requirements and records eight areas — inter-agent authentication, agent identity attestation, cascading-failure containment, tool-call observability, runtime monitoring, resource-abuse controls, supply-chain attestation, and I/O schema controls — where AIUC-1 has no requirement the plane controls here address.

Threat classes beyond the ASI list

The ASI categories are per-component risks. The five threat classes are cross-cutting adversary models that no single plane absorbs. The table below places each class against the planes that carry its controls; the full plane-and-domain mapping for every taxonomy is consolidated in the Threat Taxonomy Reconciliation matrix.

ClassPlanes that carry the controlNote
1 — AI-aware insiderIdentity, Control, Data, ObservabilityAbsorbed by the AI-BOM plus continuously-executed customer eval harness on the Data plane
2 — Long-running APT campaignRuntime, Egress, ObservabilityCross-version eval continuity and sustained threat hunting; an operations function, not a single control
3 — CollusionControl, Runtime, ObservabilityRequires monitor isolation and output canonicalization; multi-agent cascade detection is research-stage (see Gaps)
4 — Model-version degradationRuntime, DataCustomer eval suite versioned independently of the vendor; pin-by-hash
5 — Jurisdictional adversaryGovernance onlyNo technical plane control mitigates a legal cutoff; resolves to governance and vendor-abstraction, an honest plane gap

Two coverage limits are deliberate, not oversights. Multi-agent cascade containment (ASI08) and agent collusion (Class 3) rest on research-stage detectors: the wiki tracks the stop-mesh-versus-isolate doctrine in Multi-Agent Runtime Security, but no integrated product ships with documented thresholds. Model-layer attacks (extraction, membership inference, trojaned weights) are named under the Data plane and Class 4 but carry thinner controls than the prompt- and tool-layer risks, because the customer-side defense is the eval-harness delta, not a runtime guardrail. Both limits are recorded in Gaps below and on the threat-classes page.

Trade-offs

Architectural trade-offs that vary with deployment scale, latency tolerance, and risk profile. Each row names the decision axis and the recommended default; deviations should be documented with a strategic-rationale field per the CMM reporting convention.

  • Single broker vs mesh. AgentGateway-as-broker is simpler and provides a single policy chokepoint. Mesh (per-service AgentGateway sidecar) scales better but multiplies the policy surface. Default to broker for up to roughly 50 agents; move to mesh above that.
  • PDP location. Inline (in-process with the agent) has the lowest latency but couples policy to runtime. Sidecar gives clean separation. External service is the standard zero-trust answer but adds a network round-trip, typically single-digit to low-tens of milliseconds per call. Default to sidecar.
  • Sandbox grain. Per-call sandbox is safest but expensive; per-task sandbox is the practical default; per-agent sandbox is too coarse for high-risk-tier actions.
  • Fail-closed vs fail-open. Default to fail-closed for high-risk-tier actions, fail-open for read-only / informational tier. CSA ATF Promotion Gates encode this directly.

Gaps in the architecture

Known unfilled spots

  1. Compartmentalized LLM (CaMeL) reference pattern. Privileged-LLM-coordinates-quarantined-LLM is theoretically sound but lacks a vendor-neutral reference implementation. (Google DeepMind research-stage.)
  2. Cross-tenant MCP server signing. MCP CVE rate (30+ in Q1 2026) suggests the ecosystem is pre-supply-chain-hardening. sigstore-for-MCP-servers is needed but not standardized.
  3. Multi-agent failure containment. ASI08 (Cascading Failures) and ASI10 (Rogue Agents) have no traditional cybersecurity equivalent. Multi-Agent Runtime Security covers the cascade-detection / behavioral-baseline / inter-agent IR depth, but 2026 remains the academic-prototype era: graph-walk monitors (SentinelAgent, TraceAegis) ship as papers, and vendor primitives exist (Oktsec rate limits + ACLs) without an integrated cascade-detection product shipping documented thresholds.
  4. AI-BOM operationalization gap. CycloneDX 1.6 ML-BOM is the format; the operational workflow (CI/CD integration, vendor disclosure norm, AI-VEX equivalent) is thin.
  5. Identity binding when humans are decommissioned. When the human owner of an agent leaves, the agent must be rotated or revoked. Okta and Microsoft Agent 365 cover this for managed agents; orphaned shadow agents are still discoverable but not always governable.

Prior work and comparison

None of the six comparison frameworks below combines a vendor-neutral stance with a control-architecture specification for agentic deployments. Prior work falls into two categories: cloud-specific operational guidance (hyperscaler “how to secure AI on our platform” documents) and vendor-neutral threat taxonomies (threat enumeration without control specification). The table summarizes each and the gap it leaves.

FrameworkPublishedVendor neutral?Agentic-specific?What it coversKey gap
Microsoft ZT4AIMarch 2026No (Azure / Microsoft stack)Strong yes — agent identity, MCP governance, multi-agent verificationSeven-pillar Zero Trust applied to AI (the “700 controls / 116 groups” figure is the whole Zero Trust Workshop, not an AI-pillar count — see ZT4AI review); Entra Agent ID, Agent 365 registry, Purview DSPM, Content Safety, APIM AI Gateway, Sentinel/Defender agentic SOCAzure-tooling-locked; no per-task capability tokens; MCP tool-integrity is guidance-only (no single Azure service); much of the adaptive agent-runtime layer is preview as of May 2026
Azure OpenAI Reference ArchitectureOngoing (Feb 2026 update)No (Azure)Partial — adds Entra Agent ID, scoped tokens, HITL via Logic Apps5-layer: Network isolation · Identity/access · Content/prompt · Data protection · MonitoringAssumes static LLM API invocations; no multi-agent orchestration architecture; no MCP, A2A, or memory/state security
Microsoft MCRAApril 2025No (Microsoft ecosystem)MinimalEnterprise security architecture diagrams across ZT pillars; AI section = Microsoft Security Copilot as a security toolNot a defense-of-AI architecture; treats AI as defender-assistant, not as a class of workloads to secure
AWS Well-Architected Generative AI LensNovember 2025No (AWS)Partial — names “excessive agency” as a risk; adds an agentic AI preamble6 WAF pillars applied to GenAI lifecycle; security pillar covers: endpoint protection, output risk, prompt security, monitoring, model integrity”Excessive agency” named but mitigations unspecified; no agent identity, tool sandboxing, agent-to-agent trust, or MCP coverage
Google Cloud AI Security Foundations2025 (ongoing)No (GCP)Partial — 6-layer model includes “Agents and Applications” layer6 architectural layers: foundation → infrastructure → models → data → tools → agents; Model Armor for runtime guardrails; VPC/IAM/CMEK controls”Agents and Applications” layer exists as a named category but is underspecified; no agent identity governance, tool execution sandboxing, inter-agent trust, or memory security
CSA MAESTROFebruary 2025YesFull — built exclusively for agentic AI systems7-layer threat taxonomy: Foundation Models → Data Operations → Agent Frameworks → Deployment/Infra → Evaluation/Observability → Security/Compliance → Agent Ecosystem3Taxonomy only — identifies threats but specifies no controls, no implementation guidance, and no compliance mapping

What this RA adds

The six-plane model occupies the gap between cloud-specific operational guides and vendor-neutral threat taxonomies. Four contributions distinguish it:

Vendor-neutral control architecture. Unlike ZT4AI, the Azure RA, the AWS GenAI Lens, and the Google Cloud guidance, this RA specifies how to implement controls without mandating a particular hyperscaler. Reference implementations are labeled OSS / COTS / Std / Exploratory so organizations can substitute equivalent tools per plane.

Agentic-throughout. Unlike MCRA (AI = security tool) and the AWS / Google guidance (agentic = a paragraph), all six planes assume autonomous multi-step agent loops: credential proxy in the identity plane, per-task sandboxing in the runtime plane, A2A v1.0 in the egress plane, Warrant-based delegation in the control plane, memory-poisoning defense in the data plane, and behavioral-drift detection in the observability plane.

MCP-specific surface. The MCP attack surface — with 30+ disclosed CVEs in Q1 2026 (see MCP CVEs Q1 2026) — is absent or underspecified across the comparison frameworks above. The egress plane addresses MCP runtime authorization, tool fingerprinting, and rug-pull defense, controls absent from all six comparison frameworks above.

Tool supply chain. The data plane covers AI-BOM generation, skill / model registry signing, and supply-chain scanning. This surface is absent in the cloud-specific guides and only named (not addressed) in MAESTRO’s Agent Frameworks layer.

Inherited inputs. The RA synthesizes rather than originates; it inherits from:

  • ZT4AI’s principle of per-agent scoped identity with cryptographic binding
  • CSA MAESTRO’s 7-layer threat taxonomy as the threat-model input
  • CSA ATF’s promotion gates as the basis for the least-agency tier model
  • OWASP ASI Top 10 as the explicit control-to-threat mapping
  • NIST CAISI Concept Paper’s OAuth 2.1 extensions for agent delegation

The primary contribution is the synthesis: a single vendor-neutral document connecting a threat taxonomy (MAESTRO + OWASP ASI Top 10) to a plane-by-plane control library (this RA) to a maturity model (Agentic AI Security CMM 2026), a chain that none of the six comparison frameworks provides end-to-end.

Footnotes

  1. LlamaFirewall PromptGuard 2 / AlignmentCheck attack-success-rate reductions come from Meta’s evaluation on the AgentDojo benchmark (arXiv:2406.13352); the Constitutional Classifiers jailbreak-success figure is Anthropic’s reported result (2025). Both reductions are restated and contextualized in Wiki Novelty and Counter-Arguments §Thesis 1.

  2. CSA — The Agentic Trust Framework: Zero Trust Governance for AI Agents, retrieved 2026-06-22. Four maturity levels (Intern → Junior → Senior → Principal) advanced through five promotion gates; see the 2026-Q2 review.

  3. CSA — Agentic AI Threat Modeling Framework: MAESTRO, retrieved 2026-06-22. Seven layers L1–L7, verified in the 2026-Q2 standards review.