Concepts Index
Domain concepts that don’t fit neatly into a framework, architecture, or practice page. Examples: terms of art, evaluation methodologies, theoretical models. Each concept page has a definition, aliases, related concepts, and where it shows up in the literature.
Pages
- Adversarial Reflexion — Adversarial Reflexion is an agentic vulnerability-verification technique that wraps the LLM in a tightly constrained attacker persona and…
- Agency Gap — The non-deterministic disconnect between a user’s actual intent and the autonomous execution performed by an AI agent.
- Agent Availability Threats — Agentic AI’s autonomy multiplies the blast radius of availability failures.
- AI Agent Catalog — The AI agent catalog is a mandatory primitive for any guardian-agent deployment per Gartner.
- Agent Commander: Prompt-Level Command and Control — Agent Commander is a research tool built by Johann Rehberger that implements command-and-control (C2) infrastructure operating entirely a…
- Agent Memory Isolation
- Agentic AI Threat Classes — The wiki’s existing threat coverage — OWASP Agentic AI Top 10 (ASI), OWASP Agentic AI Threats and Mitigations (the T1–T17 reference threa…
- AI Agent Layered Council — The AI Agent Layered Council is a Gartner-coined organizing primitive for co-led scaling of agentic AI across the C-suite.
- AI Agent Management Platform (AMP) — An AI Agent Management Platform (AMP) is a unified interface to securely manage, monitor, govern, acquire, organize, and generate analyti…
- UCON for AI) — Classic access control answers a binary question at access time: “Can I open this file?” Usage control (UCON) continues past that point i…
- Ambient vs Derived Authority — The structural distinction at the root of capability-based authorization.
- Automated Prompt Optimization — Automated prompt optimization is the practice of using an automated search process — a genetic algorithm, an out-of-band reflective LLM,…
- Autonomous Exploit Generation — Autonomous Exploit Generation (AEG) — the automated construction of working, validated exploits from vulnerability descriptions or disclo…
- Behavioral Anomaly Detection for Agents — Behavioral anomaly detection for agents is the practice of profiling what normal looks like for autonomous AI agents — at the agent level…
- CaMeL Pattern (Compartmentalized Machine Learning) — CaMeL (Compartmentalized Machine Learning) is a research-stage architectural pattern from Google DeepMind (March 2025) for defending agen…
- Canary Tokens for LLMs
- Capability-Based Authorization — A family of authorization primitives in which the artifact being passed around is the policy itself, rather than a credential that names…
- Citizen Coders — Citizen Coders — surfaced by the Mythos-ready briefing (April 2026) — names the proliferation of coding agents to non-developer users.
- Cognitive File Integrity (CFI)
- Collaboration Paradox (60% usage, 0-20% delegation) — The collaboration paradox names a quantitative observation from Anthropic’s Societal Impacts research (cited in the 2026 Agentic Coding T…
- Context-Aware Trimming for Security Continuity
- Control-Efficacy Gate — A control-efficacy gate is a CI-time assurance instrument that asserts a control still catches what it is supposed to catch — distinct fr…
- CTI-REALM Benchmark — CTI-REALM is Microsoft Research’s open-source benchmark for end-to-end detection-rule generation — the defender-side counterpart to the o…
- Cyber Poverty Line — The Cyber Poverty Line, introduced by Wendy Nather, is the threshold below which an organization cannot field the resources (people, tool…
- CyberGym Benchmark — CyberGym is a large-scale public benchmark for AI-driven vulnerability analysis — a corpus of 1,507 real-world vulnerability reproduction…
- Decision Rights for AI Agents — The documented authority of an AI agent to take a class of action without further human approval — specifying who approved that authority…
- Delayed Tool Invocation — Delayed tool invocation (DTI) is an attack technique that exploits the time-dependent availability of agent tools to bypass security cont…
- Differential Privacy — Differential privacy (DP) is a mathematical framework for guaranteeing that the output of a computation reveals approximately the same in…
- Evidence Centered Benchmark Design
- ExploitBench & ExploitGym — ExploitBench and ExploitGym are two academic benchmarks for AI exploit-development capability, released in May 2026 and surfaced in Anthr…
- Glass-Box Security — A paradigm for AI agent defense introduced by Carl Hurd (Starseer) at Unprompted March 2026.
- Google Agentic SOC — Google’s agentic SOC is a set of Gemini-powered agents embedded in Google Security Operations (SecOps) and Google Threat Intelligence tha…
- Guardian Agent — A guardian agent (GA) is an AI agent that supervises other AI agents.
- Harness Config as Supply-Chain Artifact — The agent harness configuration tree —
~/.claude/and analogous directories for OpenCode, Codex, Gemini, dmux, and similar agentic deve… - Human-in-the-Loop (HITL) for Agentic AI — Human-in-the-loop (HITL) is the architectural requirement that an agent pause execution and obtain explicit human approval before taking…
- Human Parity Line — The human parity line is Gartner’s name for the threshold at which human judges prefer AI’s output exactly as often as they do industry-p…
- Identity-Credential Coupling — A property of certain Non-Human Identities where the credential string IS the identity — the authentication material is not separable fro…
- Indirect Prompt Injection
- Inference Exposure (and Retrieval Exposure) — Two paired AI-specific failure modes that bypass traditional file/network access controls.
- Inline Gateway vs Runtime Instrumentation
- Jagged Frontier (AI Cybersecurity Capability) — AI capability is jagged: it does not rise smoothly with model size, model generation, or price.
- Jason’s Mental Model: Security Architecture Breakdown — A four-layer functional breakdown of an enterprise Security Architecture organization: Governance / Conceptual / Domain / (with the impli…
- Least Agency Principle
- Lethal Bifecta
- Lethal Trifecta
- LLM-as-a-Judge — An evaluation methodology in which a language model scores or rubric-grades the output of another (typically agentic) system.
- MCP Security
- Mechanistic Interpretability for Defense — The application of mechanistic interpretability techniques — originally developed to understand how neural networks encode knowledge and…
- Memory Poisoning (Agentic AI) — Memory poisoning is the injection of adversarial content into an agent’s persistent memory stores — conversation history, episodic memory…
- METR RCT: AI Productivity Counter-Evidence — In July 2025, METR (Model Evaluation and Threat Research) published a randomized controlled trial showing that enabling early-2025 AI too…
- Model-Layer Attacks — A family of three named attack classes that target the deployed model rather than the agent’s surrounding orchestration.
- Monotonic Attenuation — The protocol-level invariant of capability-based delegation: a child capability is always a subset of its parent.
- Network-Layer Prompt Injection Containment — A defensive primitive that intercepts and filters indirect prompt injection payloads at the network egress / ingress layer rather than at…
- Non-Human Identity (NHI) — Non-Human Identities (NHIs) are digital credentials assigned to software workloads — services, bots, automation scripts, and AI agents —…
- Operational XAI for Action Gating — The runtime requirement that an agent produces a human-readable justification of its reasoning before executing a high-impact action — an…
- Orchestration Hijacking — A class of attack against agentic systems in which the orchestration layer — the LLM (or LLM-driven planner) responsible for sequencing t…
- Oversight Layer (PDP + PEP for Agentic AI) — The oversight layer is this wiki’s architectural primary term for the system that monitors, evaluates, and intervenes on the behavior of…
- Prompt as Code — A structural framing for why LLM security cannot rely on syntactic filtering: in an LLM, every token in the input stream is a potential i…
- Prompt Injection
- Prompt-Volume-to-Alert Ratio — The prompt-volume-to-alert ratio is a signal-to-noise metric for agentic AI security operations: the number of AI prompts processed per t…
- Promptware — Promptware is the class of adversarial prompt payloads that go beyond simple injection to function as structured, multi-stage malware: co…
- Recursive Prompt Injection (and Semantic Gaslighting) — Recursive prompt injection is the structural failure mode of the LLM-as-a-judge defense pattern: when a secondary LLM is used to review o…
- Auditor Pipeline
- Security Data Pipeline Architecture — A shift in security-operations architecture: the security data layer is decoupled from the SIEM, so storage, detection, and search no lon…
- Sentinel Tokens (Prompt Delimitation) — A prompt-engineering technique that uses dedicated marker tokens — sentinels — to encapsulate untrusted content within the LLM’s prompt w…
- Sentinels and Operatives — A runtime architectural split introduced in Gartner’s Figure 1, separating the assurance/posture surface from the enforcement surface wit…
- Shadow AI — Shadow AI is the use of unauthorized AI tools in the workplace: the AI-era counterpart of Shadow IT.
- Shadow Automation — The agent-era equivalent of shadow IT: developers, engineering teams, or business units spin up AI agents (coding agents, data-science co…
- Slopsquatting — Slopsquatting is a supply chain attack technique in which an adversary registers packages with names that AI coding assistants consistent…
- SPIRE —
- Threat Modeling for AI — Threat modeling for AI extends classical design-time threat modeling to systems that include models and agents.
- Three Retrieval Paths for Injection Payloads
- Tiered Detection Cascade
- Tool-Abuse Chains
- Tool Poisoning and Rug-Pull Attacks — Tool poisoning is an attack class in which an adversary manipulates the tools available to an AI agent — either by injecting malicious in…
- Vibe Coding — Vibe coding is an informal term for generating or modifying code by describing the “vibe” or high-level intent in natural language, relyi…
- Vulnerability Operations Center (VOC)
- VulnOps: Vulnerability Operations — VulnOps is an emerging operational model that fuses previously-separate security functions into a single agent-augmented discipline.
- Zero Day Clock — The Zero Day Clock is a data-and-visualization instrument that tracks Time-to-Exploit (TTE) — the gap between CVE disclosure and first ob…