Agentic AI Security CMM — D4 Runtime & Guardrails (Deep Dive)

Companion deep-dive to the CMM’s D4 domain, written under the recalibration method. D4 is the Policy Enforcement Point at runtime: it enforces what D3 decides. The runtime threats it answers map to OWASP Agentic AI Threats and Mitigations: Tool Misuse (T2), Intent Breaking and Goal Manipulation (T6), Unexpected RCE and Code Attacks (T11), and Rogue Agents in Multi-Agent Systems (T13), whose playbooks call for execution sandboxing with per-call reset and in-path reasoning-manipulation controls. The recalibration’s main move here is to grade maturity accurately. The L2/L3 input-and-output controls are GA and cheap, but the L4 spine the current CMM names as deployable (chain-of-thought auditing, groundedness checking) is preview or experimental, not GA.

Single-source grounding

Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.

Threat coverage

D4 is the primary domain for ASI01 (Agent Goal Hijack) and ASI05 (Unexpected Code Execution), and the runtime home of Class 2 (APT — cross-version eval continuity), Class 3 (collusion — supervisor agents), and Class 4 (model-version regression — continuous red-teaming). Its effective score is capped by D3, since a guardrail cannot enforce a decision the policy decision point never makes. See the Threat Taxonomy Reconciliation matrix and the threat classes.

Control landscape (dated)

CapabilityWhat ships todayStatus (May 2026)Platform-native (MS / AWS / GCP)
Input prompt-injection / jailbreak classifierMeta PromptGuard 2 (OSS); NVIDIA NemoGuard NIM; COTS (Lakera, HiddenLayer)GAMS: Azure AI Content Safety Prompt Shields (direct + indirect), GA1. AWS: Bedrock Guardrails prompt-attack filter, GA2. GCP: Model Armor, GA3
Chain-of-thought / alignment auditing (goal-hijack)Meta AlignmentCheck (OSS)Experimental4MS: Content Safety Task Adherence — public preview5. AWS/GCP: no native equivalent
Code-gen static safetyMeta CodeShield (OSS)GA-equivalent (OSS)4none native
Output content safety / filteringNeMo Guardrails; Guardrails AIGAMS Content Safety; AWS Bedrock filters; GCP Model Armor — all GA
Groundedness / hallucination checkMS preview, English-only; AWS GA (US-East)MS: Content Safety Groundedness Detection, public preview, English-only6. AWS: Bedrock Automated Reasoning checks, GA7. GCP: none native
Tool-call interception / gatingMicrosoft Agent Governance Toolkit (OSS); AgentShield (OSS)OSS GA-equivalentMS: Defender real-time agent runtime protection — preview, GA targeted Q3 20268
Sandboxing of high-risk tasksMiniClaw (OSS reference); Agent Sandbox (Kubernetes SIG Apps, gVisor)OSS reference; OSS primitive + managed GKEMS: Foundry hosted-agent microVM sandbox — preview9. AWS: AgentCore code-interpreter sandbox. GCP: GKE Agent Sandbox (gVisor, portable Kubernetes CRDs)10 + Vertex sandboxed execution

The honest read: the input/output safety layer (L2/L3) is GA across all three clouds and largely inside Azure entitlements, but the agentic-reasoning layer (L4) — CoT/alignment auditing and groundedness — is preview or experimental, not turnkey GA.

The Microsoft ZT4AI Apps & Workloads pillar (assume breach) supplies the Microsoft-native runtime controls behind these rungs — Prompt Shields, Groundedness Detection, and Task Adherence — crosswalked to D4 in the 2026-Q2 ZT4AI review, which records the same GA-versus-preview split.

Capability-decoupled levels

Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.

  • L1 — Initial. No runtime guardrails, or only system-prompt instructions. No enforcement boundary.
  • L2 — Developing. A default safety filter runs on input and a content-safety classifier on output. Single-layer, no agentic-reasoning coverage. Universally reachable GA.
  • L3 — Defined. An in-path input classifier detects direct and indirect/document prompt injection; platform lifecycle hooks intercept the agent loop; high-risk-tier actions run in a per-task sandbox; an output content-safety classifier runs. Fully GA across the major stacks (Prompt Shields indirect mode, Bedrock prompt-attack, Model Armor).
  • L4 — Managed. Chain-of-thought / alignment auditing on agentic workloads (goal-hijack detection); code-safety static analysis on code-gen agents; output groundedness / hallucination checking; injection-resistant context boundaries (trusted/untrusted segmentation enforced at the framework layer, not in prompt text). Maturity caveat: the CoT-audit and groundedness controls are preview (Task Adherence, Groundedness Detection) or experimental (AlignmentCheck), so an honest L4 today is assembled from preview + OSS components. Per rule 2, a buyer satisfies L4 with a preview control documented in the approved pipeline with a production date.
  • L5 — Optimizing. Every L4 control enforced platform-level across every agent surface with no opt-out for “internal-only” agents; multi-language and bypass-class injection coverage measured against a current bypass library with classifier-refresh receipts; response-leak scanning at egress catches credentials echoed in responses; per-guardrail latency/cost budgets enforced with fail-closed on critical paths.
  • L5+ — Leading Edge. Cryptographic TEE attestation that guardrails executed in an enclave (reference pilots only); a CaMeL-style quarantined LLM split in production (research); measurable bypass-class evidence with vendor-acknowledged remediation cycles.

The change from the current D4: the level structure is largely intact, but product names move to the tooling map and L4 gains an explicit maturity grade. The current text presents Azure Groundedness and AlignmentCheck as deployable. Both are preview or experimental, so a regulated buyer should not be told to deploy a preview control to claim a GA-grade L4.

Right-sizing by deployment shape

Deployment shapeRealistic D4 targetWhy
Web/desktop chatbot (no tools)L3 (L4 only for high-stakes content)No tool-call surface means no CoT-audit or code-safety need; input PI filter + output content safety suffice. The persona’s bot sits here
Copilot / assistant (RAG + light tools)L3 → L4Add groundedness (RAG) and tool-call gating; CoT auditing earns its cost once tools can write
MCP / skill provider (real tool reach)L4CoT/alignment auditing, tool-call interception, and sandboxing become first-order
Multi-agent meshL4 → L5Platform-level no-opt-out enforcement and response-leak scanning across every surface

The lethal-trifecta test lowers the bar. An agent with no private-data access or no exfiltration path is not a viable high-impact injection target, so the CoT-audit and response-leak stack becomes controls-for-controls’-sake. A lower D4 score is then recorded as an intentional trade-off.

Cost model

LevelLicensingOperational laborRun-rate
L2~0 for an E5/Azure incumbent (Prompt Shields, Content Safety are Azure entitlements)enable defaultsper-call content-safety transaction cost (low)
L3~0 incremental (indirect-PI mode, hooks, sandbox are platform features)hook wiring; sandbox config; tier-to-risk mappingclassifier calls scale with traffic; sandbox compute on high-risk tasks
L4mostly ~0 on entitlements, but the load-bearing controls are preview/OSSthe real spend: integrating and tuning CoT-audit and groundedness, false-positive triage, context-boundary engineeringper-call cost roughly doubles (input + output + grounding + CoT passes); latency-budget engineering
L5some off-stack (bypass-class eval tooling; egress response-leak scanning overlaps D5)continuous multi-language eval; classifier-refresh ops; fail-closed runbookguardrail inference at every surface × every agent; agent log volume hits the SIEM bill here too

Licensing is near-zero through L3 and largely zero through L4 for an E5 incumbent: Prompt Shields, Content Safety, Defender runtime protection, and Foundry sandboxing are inside existing entitlements. The spend is guardrail-tuning labor and per-call inference run-rate (each added guardrail pass is another model call). This is why D4 scores well cheaply for this buyer.

Customer critiques folded in

The stress test rated D4 the persona’s strongest domain (raw ~L2–L3, lifting to L3), because the defaults are on and entitled: Prompt Shields (direct + indirect) is GA, and groundedness lifts to L3. One correction applies: Groundedness Detection is public preview and English-only6. That is moot for a US English member bot, but a regulated buyer who cannot deploy preview features should treat the L3 lift as resting on a preview control. Two further critiques addressed:

  • “L4 looks GA but isn’t.” The recalibration grades L4 honestly so a regulated buyer is not told to deploy a preview control to hit L4.
  • “Cost was invisible.” Licensing is near-zero for E5; the real cost is per-call inference run-rate and tuning labor.

Open questions

  • Will CoT / alignment auditing reach GA before the next CMM revision? Today the candidates are AlignmentCheck (experimental) and Task Adherence (preview); if it stays preview, L4 cannot honestly require it as GA.
  • Groundedness is English-only — a hard limit for non-English member bases, with no verified multilingual GA date.
  • GCP has no native groundedness guardrail; AWS Automated Reasoning is GA but US-East-only. Single-stack GCP buyers go off-platform for L4 groundedness.
  • Defender runtime protection is preview, GA targeted Q3 2026 — within a regulated buyer’s procurement window? The cadence qualifier says do not make L5 depend on it until it is production-hardened.
  • Response-leak scanning at egress (L5) overlaps D5; score it in one domain to avoid double-counting.

D3→D4 dependency cap

D4’s effective score is capped at D3’s raw score (effective(D4) ≤ raw(D3)): good guardrails on a weak PDP are worth little, because runtime enforcement can only act on decisions the control layer actually makes. For the persona, D4 raw is the strongest domain but D3 sits at L1–L2, so effective D4 is pulled to roughly L1–L2. The headline “strongest domain” is the raw score; the dependency-resolved score is lower. The cheapest high-leverage move is therefore to firm up D3, not to buy more guardrails. D4 should be reported as raw + effective. See the dependency rules.

Notes

Footnotes

  1. Microsoft Learn — Content Safety what’s new, 2024–2026. Prompt Shields GA (Aug 2024); Groundedness detection listed under public preview.

  2. AWS — Bedrock Guardrails prompt-attack filter, 2026. Jailbreak / injection / leakage filter (Standard tier).

  3. Google Cloud — Model Armor overview, 2026. Prompt-injection / jailbreak detection; Vertex / Gemini integration.

  4. Meta — LlamaFirewall architecture, 2025. PromptGuard 2; AlignmentCheck (experimental); CodeShield. 2

  5. Microsoft Learn — Task Adherence, 2025. Public preview; detects misaligned tool invocations / off-task behavior.

  6. Microsoft Learn — Groundedness detection, 2026. Preview status; correction mode; language coverage (English). 2

  7. AWS — Automated Reasoning checks, 2026. Formal-logic factuality checks; GA, US East.

  8. Microsoft Learn — Real-time agent protection during runtime (preview), 2026. Webhook block-before-execute; preview, GA targeted Q3 2026.

  9. Microsoft Learn — Foundry hosted agents, 2026. Per-session microVM sandbox for untrusted code / computer use (preview).

  10. Google Cloud blog — Bringing you Agent Sandbox on GKE and kubernetes-sigs/agent-sandbox, May 2026. gVisor-default sandbox as Kubernetes SIG Apps CRDs (Apache 2.0); runs on any cluster; managed GKE adds warm pools (300 sandboxes/sec). Unlike the AWS/Azure managed sandboxes, this is an open primitive, not a platform-bound feature — see GKE Agent Sandbox. The honest read: this is the one row where GCP leads with a portable open primitive rather than trailing.