Agentic AI Security CMM — D4 Runtime & Guardrails (Deep Dive)
Companion deep-dive to the CMM’s D4 domain, written under the recalibration method. D4 is the Policy Enforcement Point at runtime: it enforces what D3 decides. The runtime threats it answers map to OWASP Agentic AI Threats and Mitigations: Tool Misuse (T2), Intent Breaking and Goal Manipulation (T6), Unexpected RCE and Code Attacks (T11), and Rogue Agents in Multi-Agent Systems (T13), whose playbooks call for execution sandboxing with per-call reset and in-path reasoning-manipulation controls. The recalibration’s main move here is to grade maturity accurately. The L2/L3 input-and-output controls are GA and cheap, but the L4 spine the current CMM names as deployable (chain-of-thought auditing, groundedness checking) is preview or experimental, not GA.
Single-source grounding
Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.
Threat coverage
D4 is the primary domain for ASI01 (Agent Goal Hijack) and ASI05 (Unexpected Code Execution), and the runtime home of Class 2 (APT — cross-version eval continuity), Class 3 (collusion — supervisor agents), and Class 4 (model-version regression — continuous red-teaming). Its effective score is capped by D3, since a guardrail cannot enforce a decision the policy decision point never makes. See the Threat Taxonomy Reconciliation matrix and the threat classes.
Control landscape (dated)
| Capability | What ships today | Status (May 2026) | Platform-native (MS / AWS / GCP) |
|---|---|---|---|
| Input prompt-injection / jailbreak classifier | Meta PromptGuard 2 (OSS); NVIDIA NemoGuard NIM; COTS (Lakera, HiddenLayer) | GA | MS: Azure AI Content Safety Prompt Shields (direct + indirect), GA1. AWS: Bedrock Guardrails prompt-attack filter, GA2. GCP: Model Armor, GA3 |
| Chain-of-thought / alignment auditing (goal-hijack) | Meta AlignmentCheck (OSS) | Experimental4 | MS: Content Safety Task Adherence — public preview5. AWS/GCP: no native equivalent |
| Code-gen static safety | Meta CodeShield (OSS) | GA-equivalent (OSS)4 | none native |
| Output content safety / filtering | NeMo Guardrails; Guardrails AI | GA | MS Content Safety; AWS Bedrock filters; GCP Model Armor — all GA |
| Groundedness / hallucination check | — | MS preview, English-only; AWS GA (US-East) | MS: Content Safety Groundedness Detection, public preview, English-only6. AWS: Bedrock Automated Reasoning checks, GA7. GCP: none native |
| Tool-call interception / gating | Microsoft Agent Governance Toolkit (OSS); AgentShield (OSS) | OSS GA-equivalent | MS: Defender real-time agent runtime protection — preview, GA targeted Q3 20268 |
| Sandboxing of high-risk tasks | MiniClaw (OSS reference); Agent Sandbox (Kubernetes SIG Apps, gVisor) | OSS reference; OSS primitive + managed GKE | MS: Foundry hosted-agent microVM sandbox — preview9. AWS: AgentCore code-interpreter sandbox. GCP: GKE Agent Sandbox (gVisor, portable Kubernetes CRDs)10 + Vertex sandboxed execution |
The honest read: the input/output safety layer (L2/L3) is GA across all three clouds and largely inside Azure entitlements, but the agentic-reasoning layer (L4) — CoT/alignment auditing and groundedness — is preview or experimental, not turnkey GA.
The Microsoft ZT4AI Apps & Workloads pillar (assume breach) supplies the Microsoft-native runtime controls behind these rungs — Prompt Shields, Groundedness Detection, and Task Adherence — crosswalked to D4 in the 2026-Q2 ZT4AI review, which records the same GA-versus-preview split.
Capability-decoupled levels
Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.
- L1 — Initial. No runtime guardrails, or only system-prompt instructions. No enforcement boundary.
- L2 — Developing. A default safety filter runs on input and a content-safety classifier on output. Single-layer, no agentic-reasoning coverage. Universally reachable GA.
- L3 — Defined. An in-path input classifier detects direct and indirect/document prompt injection; platform lifecycle hooks intercept the agent loop; high-risk-tier actions run in a per-task sandbox; an output content-safety classifier runs. Fully GA across the major stacks (Prompt Shields indirect mode, Bedrock prompt-attack, Model Armor).
- L4 — Managed. Chain-of-thought / alignment auditing on agentic workloads (goal-hijack detection); code-safety static analysis on code-gen agents; output groundedness / hallucination checking; injection-resistant context boundaries (trusted/untrusted segmentation enforced at the framework layer, not in prompt text). Maturity caveat: the CoT-audit and groundedness controls are preview (Task Adherence, Groundedness Detection) or experimental (AlignmentCheck), so an honest L4 today is assembled from preview + OSS components. Per rule 2, a buyer satisfies L4 with a preview control documented in the approved pipeline with a production date.
- L5 — Optimizing. Every L4 control enforced platform-level across every agent surface with no opt-out for “internal-only” agents; multi-language and bypass-class injection coverage measured against a current bypass library with classifier-refresh receipts; response-leak scanning at egress catches credentials echoed in responses; per-guardrail latency/cost budgets enforced with fail-closed on critical paths.
- L5+ — Leading Edge. Cryptographic TEE attestation that guardrails executed in an enclave (reference pilots only); a CaMeL-style quarantined LLM split in production (research); measurable bypass-class evidence with vendor-acknowledged remediation cycles.
The change from the current D4: the level structure is largely intact, but product names move to the tooling map and L4 gains an explicit maturity grade. The current text presents Azure Groundedness and AlignmentCheck as deployable. Both are preview or experimental, so a regulated buyer should not be told to deploy a preview control to claim a GA-grade L4.
Right-sizing by deployment shape
| Deployment shape | Realistic D4 target | Why |
|---|---|---|
| Web/desktop chatbot (no tools) | L3 (L4 only for high-stakes content) | No tool-call surface means no CoT-audit or code-safety need; input PI filter + output content safety suffice. The persona’s bot sits here |
| Copilot / assistant (RAG + light tools) | L3 → L4 | Add groundedness (RAG) and tool-call gating; CoT auditing earns its cost once tools can write |
| MCP / skill provider (real tool reach) | L4 | CoT/alignment auditing, tool-call interception, and sandboxing become first-order |
| Multi-agent mesh | L4 → L5 | Platform-level no-opt-out enforcement and response-leak scanning across every surface |
The lethal-trifecta test lowers the bar. An agent with no private-data access or no exfiltration path is not a viable high-impact injection target, so the CoT-audit and response-leak stack becomes controls-for-controls’-sake. A lower D4 score is then recorded as an intentional trade-off.
Cost model
| Level | Licensing | Operational labor | Run-rate |
|---|---|---|---|
| L2 | ~0 for an E5/Azure incumbent (Prompt Shields, Content Safety are Azure entitlements) | enable defaults | per-call content-safety transaction cost (low) |
| L3 | ~0 incremental (indirect-PI mode, hooks, sandbox are platform features) | hook wiring; sandbox config; tier-to-risk mapping | classifier calls scale with traffic; sandbox compute on high-risk tasks |
| L4 | mostly ~0 on entitlements, but the load-bearing controls are preview/OSS | the real spend: integrating and tuning CoT-audit and groundedness, false-positive triage, context-boundary engineering | per-call cost roughly doubles (input + output + grounding + CoT passes); latency-budget engineering |
| L5 | some off-stack (bypass-class eval tooling; egress response-leak scanning overlaps D5) | continuous multi-language eval; classifier-refresh ops; fail-closed runbook | guardrail inference at every surface × every agent; agent log volume hits the SIEM bill here too |
Licensing is near-zero through L3 and largely zero through L4 for an E5 incumbent: Prompt Shields, Content Safety, Defender runtime protection, and Foundry sandboxing are inside existing entitlements. The spend is guardrail-tuning labor and per-call inference run-rate (each added guardrail pass is another model call). This is why D4 scores well cheaply for this buyer.
Customer critiques folded in
The stress test rated D4 the persona’s strongest domain (raw ~L2–L3, lifting to L3), because the defaults are on and entitled: Prompt Shields (direct + indirect) is GA, and groundedness lifts to L3. One correction applies: Groundedness Detection is public preview and English-only6. That is moot for a US English member bot, but a regulated buyer who cannot deploy preview features should treat the L3 lift as resting on a preview control. Two further critiques addressed:
- “L4 looks GA but isn’t.” The recalibration grades L4 honestly so a regulated buyer is not told to deploy a preview control to hit L4.
- “Cost was invisible.” Licensing is near-zero for E5; the real cost is per-call inference run-rate and tuning labor.
Open questions
- Will CoT / alignment auditing reach GA before the next CMM revision? Today the candidates are AlignmentCheck (experimental) and Task Adherence (preview); if it stays preview, L4 cannot honestly require it as GA.
- Groundedness is English-only — a hard limit for non-English member bases, with no verified multilingual GA date.
- GCP has no native groundedness guardrail; AWS Automated Reasoning is GA but US-East-only. Single-stack GCP buyers go off-platform for L4 groundedness.
- Defender runtime protection is preview, GA targeted Q3 2026 — within a regulated buyer’s procurement window? The cadence qualifier says do not make L5 depend on it until it is production-hardened.
- Response-leak scanning at egress (L5) overlaps D5; score it in one domain to avoid double-counting.
D3→D4 dependency cap
D4’s effective score is capped at D3’s raw score (effective(D4) ≤ raw(D3)): good guardrails on a weak PDP are worth little, because runtime enforcement can only act on decisions the control layer actually makes. For the persona, D4 raw is the strongest domain but D3 sits at L1–L2, so effective D4 is pulled to roughly L1–L2. The headline “strongest domain” is the raw score; the dependency-resolved score is lower. The cheapest high-leverage move is therefore to firm up D3, not to buy more guardrails. D4 should be reported as raw + effective. See the dependency rules.
Notes
Footnotes
-
Microsoft Learn — Content Safety what’s new, 2024–2026. Prompt Shields GA (Aug 2024); Groundedness detection listed under public preview. ↩
-
AWS — Bedrock Guardrails prompt-attack filter, 2026. Jailbreak / injection / leakage filter (Standard tier). ↩
-
Google Cloud — Model Armor overview, 2026. Prompt-injection / jailbreak detection; Vertex / Gemini integration. ↩
-
Meta — LlamaFirewall architecture, 2025. PromptGuard 2; AlignmentCheck (experimental); CodeShield. ↩ ↩2
-
Microsoft Learn — Task Adherence, 2025. Public preview; detects misaligned tool invocations / off-task behavior. ↩
-
Microsoft Learn — Groundedness detection, 2026. Preview status; correction mode; language coverage (English). ↩ ↩2
-
AWS — Automated Reasoning checks, 2026. Formal-logic factuality checks; GA, US East. ↩
-
Microsoft Learn — Real-time agent protection during runtime (preview), 2026. Webhook block-before-execute; preview, GA targeted Q3 2026. ↩
-
Microsoft Learn — Foundry hosted agents, 2026. Per-session microVM sandbox for untrusted code / computer use (preview). ↩
-
Google Cloud blog — Bringing you Agent Sandbox on GKE and kubernetes-sigs/agent-sandbox, May 2026. gVisor-default sandbox as Kubernetes SIG Apps CRDs (Apache 2.0); runs on any cluster; managed GKE adds warm pools (300 sandboxes/sec). Unlike the AWS/Azure managed sandboxes, this is an open primitive, not a platform-bound feature — see GKE Agent Sandbox. The honest read: this is the one row where GCP leads with a portable open primitive rather than trailing. ↩