Agentic AI Security CMM — D3 Control & Least-Agency (Deep Dive)

Companion deep-dive to the CMM’s D3 domain, written under the recalibration method. D3 is the decide plane: the Policy Decision Point (PDP) outside the model context that authorizes agent actions. D4 is the runtime plane that enforces those decisions. The recalibration adds the platform-native PDP options that shipped since the domain was written and grades the leading-edge tier now that formal-verification tooling has reached open source.

Single-source grounding

Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.

Threat coverage

D3 is the primary domain for ASI02 (Tool Misuse) and ASI08 (Cascading Failures), and carries Class 1 (insider, via dual control) and Class 3 (collusion, via tiered approval gates and monitor isolation). Its policy decision point caps runtime-guardrail effectiveness (D4): a guardrail can only enforce a decision the PDP makes. See the Threat Taxonomy Reconciliation matrix and the threat classes.

Control landscape (dated)

CapabilityWhat ships todayStatus (May 2026)Platform-native (MS / AWS / GCP)
Policy language / PDP engineCedar (OSS, Apache-2.0); OPA / Rego (OSS, CNCF)Stable; both sub-millisecond
Managed PDP serviceAWS Amazon Verified Permissions (Cedar)GA since 20231AWS
Agent-runtime PDP intercepting tool callsAWS Bedrock AgentCore Policy (Cedar; permissive/audit mode; conditional auth)GA Mar 20262AWS
Agent-runtime PDP (OSS)Microsoft Agent Governance Toolkit — Agent OS policy engine, YAML + OPA Rego + Cedar, sub-0.1 ms, ToolPolicy approval/justification/rate-limit guardsOSS, MIT, v3.7.03MS (bridges to Entra Agent ID)
Human-approval gates (HITL)MS Copilot Studio multistage / AI approvals; AWS Bedrock Return-of-Control; LangGraph interrupt()Copilot Studio approvals GA; computer-use supervision preview4MS + AWS; GCP thinner
Per-task capability tokens (cryptographic binding)Tenuo Warrant (OSS; holder-bound, ephemeral, delegation-aware)OSS primitive, no platform-native equivalentNone native
Least-agency action tieringOWASP four-tier (auto/notify/confirm/block); CSA progressive autonomyStandards; stableimplemented via any PDP above
Formal policy verificationCedar Analysis — SMT/Lean symbolic compiler (inconsistency, redundancy, permission-diff)OSS, shipping (was framed research-only)5

The durable D3 capabilities: a PDP mediating every tool call outside the model context; least-agency tiering; per-task scoped authorization with binding; human-approval gates; auto-downgrade on anomaly. The product names are the perishable layer; they live in the tooling map.

The Microsoft ZT4AI least-privilege principle grounds the D3 deny-by-default rung in its least-action design guidance (“start with no permitted actions by default”), crosswalked to D3 in the 2026-Q2 ZT4AI review.

Capability-decoupled levels

Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.

  • L1 — Initial. No tool-call policy; agents may call any tool.
  • L2 — Developing. Per-agent tool allowlist; HITL on destructive actions defined informally.
  • L3 — Defined. A PDP outside the model context mediates every tool call (deny-by-default policy language — Cedar or OPA/Rego); the OWASP four-tier least-agency model is implemented; each action’s risk tier is documented; a decision-rights matrix (action class × decision right × approver × justification × time bound) is operationalized in the PDP. Met platform-native by AWS AgentCore Policy (GA), the Microsoft Agent Governance Toolkit (OSS), or Verified Permissions.
  • L4 — Managed. Four-stage progressive-autonomy promotion with documented criteria; per-action-class HITL coverage measured; a continuous lethal-trifecta breaker auto-downgrades the tier on private-data + untrusted-content + external-comms; time-bounded JIT elevation auto-reverts; segregation of duties (proposer ≠ approver ≠ deployer).
  • L5 — Optimizing. Per-task scoped authorization with cryptographic binding (capability tokens — holder-bound, ephemeral, delegation-aware); risk-adaptive step-up/step-down driven by D7 anomaly scores; a deny-by-default policy compiled and reviewed every release with no drift; SoD enforced cryptographically (the deploying key cannot approve).
  • L5+ — Leading Edge. A CaMeL-style quarantined LLM split for trifecta-positive workloads (research, no shipping vendor); formal verification of policy contradictions / vacuity / shadow subsets wired over MCP to credential and tool-call PDPs at production scale; temporal-logic, trajectory-aware policy (open research — Cedar is stateless).

Two changes from the current D3. First, the platform-native PDP answers (AWS AgentCore Policy, Microsoft Agent Governance Toolkit) are named at L3/L4; the current text named only a generic “Cedar/OPA PDP.” Second, the L5+ formal-verification line is reframed: Cedar Analysis now ships as OSS, so the analyzer itself is no longer leading-edge. What remains leading-edge is wiring it over MCP and the trajectory-aware (temporal-logic) extension.

Per-task tokens: an L5 capability on a single OSS implementation. Per-task holder-bound capability tokens have no platform-native product. The only implementation is an early-stage OSS primitive (Tenuo Warrant). The capability stays at L5 because it is deployable today with available components, but a regulated buyer whose procurement cannot adopt an early-stage single-vendor OSS dependency may treat it as L5+ and record the gap as an intentional trade-off. The same caveat applies in D5.

Right-sizing by deployment shape

Deployment shapeRealistic D3 targetWhy
Internal RAG / member-facing chatbot (few/no tools)L2 → L3An allowlist + PDP + four-tier tiering suffices. With no external-comms reach the trifecta is broken by architecture, so per-task tokens, JIT elevation, and crypto-SoD are controls-for-controls’-sake. The persona’s bot sits here
Data-science / coding copilotL3 → L4Touches the SDLC: SoD (proposer ≠ approver ≠ deployer) and JIT elevation become load-bearing
MCP / skill provider serving othersL4 → selective L5Third-party blast radius justifies per-task scoped tokens and crypto-SoD
High-autonomy multi-agent meshL5 (+L5+ where resourced)Delegation-aware capability tokens freeze blast radius at the chain top; the CaMeL split earns its cost only here

The lethal-trifecta test is the primary instrument for lowering the required level: removing the sensitive-action or external-comms capability costs less than buying controls to govern it.

Cost model

LevelLicensingOperational laborRun-rate
L2~0~0.1–0.25 FTE: allowlists, informal HITL
L3~0 for an E5 incumbent (the Agent Governance Toolkit is MIT/OSS; Copilot Studio and Entra are in entitlements); AWS path is consumption-priced but smallthe dominant cost: writing the decision-rights matrix and tier assignments per agent type, standing up the PDP, recurring policy reviewnegligible PDP eval cost (sub-millisecond)
L4~0 incremental (MS) / small (AWS)the dominant cost: the progressive-autonomy promotion rubric, HITL-coverage measurement, trifecta-breaker tuning, SoD pipeline separationtrifecta-breaker + JIT-elevation logging into the SIEM (couples to D7 ingest spend)
L5per-task tokens are OSS (~0 license) but integration is a real engineering project; step-down leans on a preview productper-release policy-compile / no-drift discipline; crypto-SoD key managementstep-up / anomaly-signal logging
L5+OSS (Cedar Analysis)research-grade integration labor (formal verification over MCP; CaMeL pilot)

D3 licensing is near-zero through L4 for an incumbent; the dominant cost is policy-authoring and promotion-rubric labor, not tools.

Customer critiques folded in

  • “D3 today is L1–L2; informal HITL on writes.” Addressed: the recalibrated L3 (PDP + four-tier + decision-rights matrix) is the near-term target and is met platform-native — Copilot Studio approvals plus the Agent Governance Toolkit (OSS) for an all-Microsoft shop, with no off-stack purchase.
  • “L5 names just-GA’d products.” Addressed by capability-decoupling: L5 states “per-task scoped authorization with cryptographic binding,” not a product. The slow procurement cadence is the examiner-approved behavior.
  • “Microsoft is thin on per-task tokens and A2A authorization.” Confirmed and narrowed: the Agent Governance Toolkit’s ToolPolicy adds declarative approval/justification guards but is not a holder-bound capability token. That is the genuine residual D3 gap, at L5/L5+.
  • “Cost was invisible.” Addressed: licensing is near-zero through L4; the spend is decision-rights and promotion-rubric labor.

Open questions

  • Per-task holder-bound tokens have no platform-native product; whether L5 is reachable for a regulated buyer without an OSS-integration project, or should be treated as L5+, is the open calibration question (shared with D5).
  • The Microsoft step-down control (Defender Predictive Shielding) is preview; the L5 step-down capability leans on it.
  • GCP exposes Agent Identity and Model Armor but no Cedar/OPA-class declarative decision-rights PDP or first-class approval-gate primitive surfaced; treat its D3 platform-native column as thin.
  • No FFIEC/GLBA/NCUA mapping yet for SoD and approval-gate controls (model-risk-management expectations); deferred to the crosswalk.

D3→D4 dependency cap

The active rule set caps D4’s effective score at D3’s raw score (effective(D4) ≤ raw(D3)): runtime guardrails (D4 / PEP) can only enforce decisions a competent PDP (D3) actually makes. A program with strong D4 guardrails but no out-of-context PDP has its D4 effective score capped at the D3 level. For the persona (D4 raw L2–L3 from Prompt Shields and Groundedness, but D3 L1–L2), the cap pulls effective D4 down to roughly L1–L2. The cheapest high-leverage D4 investment is therefore not more guardrails but standing up the PDP (D3-L3), which makes the already-owned guardrails load-bearing. See the dependency rules.

Notes

Footnotes

  1. AWS — Amazon Verified Permissions now generally available, 2023. Cedar policy-as-a-service.

  2. AWS — Policy controls for Bedrock AgentCore generally available, 2026. Cedar-based agent-runtime PDP; GA March 2026.

  3. Microsoft — Introducing the Agent Governance Toolkit, 2026. Agent OS sub-millisecond PEP/PDP (OPA Rego / Cedar / YAML), MIT; v3.7.0 ToolPolicy guards.

  4. Microsoft Learn — Advanced approvals in Copilot Studio, 2026. Multistage / AI approvals; human-supervision for computer use in preview.

  5. AWS — Introducing Cedar Analysis open-source tools, 2026. SMT/Lean verification of authorization policies.