Concepts Index
Domain concepts that don’t fit neatly into a framework, architecture, or practice page. Examples: terms of art, evaluation methodologies, theoretical models. Each concept page has a definition, aliases, related concepts, and where it shows up in the literature.
Pages
- Agency Gap — The non-deterministic disconnect between a user’s actual intent and the autonomous execution performed by an AI agent.
- Agent Availability Threats (Runaway, Recursion, Resource Exhaustion) — Agentic AI’s autonomy multiplies the blast radius of availability failures.
- AI Agent Catalog — The AI agent catalog is a mandatory primitive for any guardian-agent deployment per Gartner.
- Agent Commander — Prompt-Level Command and Control — Agent Commander is a research tool built by Johann Rehberger that implements command-and-control (C2) infrastructure operating entirely a…
- Agent Memory Isolation
- Agentic AI Threat Classes — 2026 Expansion — The wiki’s existing threat coverage — OWASP Agentic AI Top 10 (ASI), MITRE ATLAS, CSA MAESTRO, the Lethal Trifecta — is well-developed fo…
- AI Agent Layered Council — The AI Agent Layered Council is a Gartner-coined organizing primitive for co-led scaling of agentic AI across the C-suite.
- AI Agent Management Platform (AMP) — An AI Agent Management Platform (AMP) is a unified interface to securely manage, monitor, govern, acquire, organize, and generate analyti…
- UCON for AI — Classic access control answers a binary question at access time: “Can I open this file?” Usage control (UCON) continues past that point i…
- Ambient vs Derived Authority — The structural distinction at the root of capability-based authorization.
- Behavioral Anomaly Detection for Agents — Behavioral anomaly detection for agents is the practice of profiling what normal looks like for autonomous AI agents — at the agent level…
- CaMeL Pattern (Compartmentalized Machine Learning) — CaMeL (Compartmentalized Machine Learning) is a research-stage architectural pattern from Google DeepMind (March 2025) for defending agen…
- Canary Tokens for LLMs
- Capability-Based Authorization — A family of authorization primitives in which the artifact being passed around is the policy itself, rather than a credential that names…
- Collaboration Paradox (60% usage, 0-20% delegation) — The collaboration paradox names a quantitative observation from Anthropic’s Societal Impacts research (cited in the 2026 Agentic Coding T…
- Context-Aware Trimming for Security Continuity
- CyberGym Benchmark — CyberGym is a public benchmark for AI-driven vulnerability reproduction — a corpus of 1,507 real-world vulnerability reproduction tasks d…
- Decision Rights for AI Agents — The documented authority of an AI agent to take a class of action without further human approval — specifying who approved that authority…
- Delayed Tool Invocation — Delayed tool invocation (DTI) is an attack technique that exploits the time-dependent availability of agent tools to bypass security cont…
- Differential Privacy — Differential privacy (DP) is a mathematical framework for guaranteeing that the output of a computation reveals approximately the same in…
- Evidence Centered Benchmark Design
- Glass-Box Security — A paradigm for AI agent defense introduced by Carl Hurd (Starseer) at [un]prompted March 2026.
- Guardian Agent — A guardian agent (GA) is an AI agent that supervises other AI agents.
- Human-in-the-Loop (HITL) for Agentic AI — Human-in-the-loop (HITL) is the architectural requirement that an agent pause execution and obtain explicit human approval before taking…
- Human Parity Line — The human parity line is Gartner’s name for the threshold at which human judges prefer AI’s output exactly as often as they do industry-p…
- Identity-Credential Coupling — A property of certain Non-Human Identities where the credential string IS the identity — the authentication material is not separable fro…
- Indirect Prompt Injection
- Inference Exposure (and Retrieval Exposure) — Two paired AI-specific failure modes that bypass traditional file/network access controls.
- Inline Gateway vs Runtime Instrumentation
- Jason’s Mental Model — Security Architecture Functional Breakdown — A four-layer functional breakdown of an enterprise Security Architecture organization: Governance / Conceptual / Domain / (with the impli…
- Least Agency Principle
- Lethal Bifecta
- Lethal Trifecta
- LLM-as-a-Judge — An evaluation methodology in which a language model scores or rubric-grades the output of another (typically agentic) system.
- MCP Security
- Mechanistic Interpretability for Defense — The application of mechanistic interpretability techniques — originally developed to understand how neural networks encode knowledge and…
- Memory Poisoning (Agentic AI) — Memory poisoning is the injection of adversarial content into an agent’s persistent memory stores — conversation history, episodic memory…
- METR 2025 RCT — AI Productivity Counter-Evidence — In July 2025, METR (Model Evaluation and Threat Research) published a randomized controlled trial showing that enabling early-2025 AI too…
- Model-Layer Attacks (Extraction, Inversion, Membership Inference) — A family of three named attack classes that target the deployed model rather than the agent’s surrounding orchestration.
- Monotonic Attenuation — The protocol-level invariant of capability-based delegation: a child capability is always a subset of its parent.
- Network-Layer Prompt Injection Containment — A defensive primitive that intercepts and filters indirect prompt injection payloads at the network egress / ingress layer rather than at…
- Non-Human Identity (NHI)
- Operational XAI for Action Gating — The runtime requirement that an agent produce a human-readable justification of its reasoning before executing a high-impact action — an…
- Orchestration Hijacking — A class of attack against agentic systems in which the orchestration layer — the LLM (or LLM-driven planner) responsible for sequencing t…
- Oversight Layer (PDP + PEP for Agentic AI) — The oversight layer is this wiki’s architectural primary term for the system that monitors, evaluates, and intervenes on the behavior of…
- Prompt as Code — A structural framing for why LLM security cannot rely on syntactic filtering: in an LLM, every token in the input stream is a potential i…
- Prompt-Volume-to-Alert Ratio — The prompt-volume-to-alert ratio is a signal-to-noise metric for agentic AI security operations: the number of AI prompts processed per t…
- Promptware — Promptware is the class of adversarial prompt payloads that go beyond simple injection to function as structured, multi-stage malware — c…
- Recursive Prompt Injection (and Semantic Gaslighting) — Recursive prompt injection is the structural failure mode of the LLM-as-a-judge defense pattern: when a secondary LLM is used to review o…
- Sentinel Tokens (Prompt Delimitation) — A prompt-engineering technique that uses dedicated marker tokens — sentinels — to encapsulate untrusted content within the LLM’s prompt w…
- Sentinels and Operatives — A runtime architectural split introduced in Gartner’s Figure 1, separating the assurance/posture surface from the enforcement surface wit…
- Shadow AI — Shadow AI is the use of unauthorized AI tools in the workplace — the AI-era counterpart of Shadow IT.
- Shadow Automation — The agent-era equivalent of shadow IT: developers, engineering teams, or business units spin up AI agents (coding agents, data-science co…
- SPIRE
- Tenuo Warrant — The Tenuo Warrant is a cryptographic capability artifact for AI-agent authorization, specified by Niki Aimable Niyikiza and shipped as th…
- Three Retrieval Paths for Injection Payloads
- Tool-Abuse Chains
- Tool Poisoning and Rug-Pull Attacks — Tool poisoning is an attack class in which an adversary manipulates the tools available to an AI agent — either by injecting malicious in…
- Vibe Coding — Vibe coding is an informal term for generating or modifying code by describing the “vibe” or high-level intent in natural language, relyi…