Closes peer-review-readiness §4: “No anti-patterns / failure-modes catalog. Every mature framework documents how it goes wrong: BSIMM has activities-not-undertaken; CMMC has appeals; SAMM has scoring caveats.” This page is the wiki’s catalog of how its own recommendations fail in the field, organized by category, with the failure mode that follows and the recovery / prevention mechanism.
Why anti-patterns matter. A framework that doesn’t document its failure modes is a framework that hasn’t been used. Mature frameworks earn legitimacy by naming where they break. The wiki’s RA + CMM are well-argued as designs; this page is what they look like under operational stress. Each entry is the negation of an L3+ control claim — if your program shows the anti-pattern, the L3+ evidence is theater.
Structure of each entry
Every anti-pattern below follows the same shape:
Field
What it captures
Pattern
What it looks like in production
Why it happens
The pressure or incentive that produces it
Failure mode
The concrete bad outcome
Recovery / prevention
What the wiki recommends
Anchor
The wiki page where the positive control is documented
Category 1 — Architecture
A1. PDP becomes a bottleneck
Pattern
Every agent action waits on the central PDP for an authorization decision; the PDP becomes the critical-path latency floor and the single point of failure
Why
Centralization makes policy evaluation easy to audit; defaults to “external service” without sidecar or in-process options
RA’s PDP-location trade-off: default to sidecar for separation + acceptable latency; inline (in-process) for highest-frequency low-risk decisions; external service only when policy spans org boundaries. Cache decisions for repeat patterns; document fail-mode (fail-closed for high-risk-tier; fail-open for read-only)
A2. Sentinel signal flood overwhelms Operative bandwidth
Pattern
Sentinels emit telemetry at agent volume (10–20× human log volume); Operatives can’t keep up; alerts queue or drop
Why
Single-agent observability scales linearly with N agents; pre-aggregation isn’t built in
Failure mode
Real alerts hidden in noise; cascade-detection latency exceeds attack timeline
Recovery
Pre-aggregation at the runtime hook, not in the SIEM. Sample non-anomalous events; compress repeat patterns; rate-limit per signal class. The wiki’s Agent Observability page flags 10–20× log volume as not-optional architecture
All agent egress goes through a single AgentGateway / Smokescreen instance; the broker takes down every agent when it fails
Why
Centralized brokers are the design pattern; HA configuration is post-MVP afterthought
Failure mode
Mesh-wide outage from broker fault; no graceful degradation
Recovery
Broker → mesh transition above ~50 agents (per the RA trade-off); active-active broker pairs with sticky-session affinity for stateful tool calls; per-tier fail-mode — high-risk tools fail-closed (deny rather than bypass), read-only tools can fail-open with audit
Credential proxy intercepts declared tool calls; the agent writes its own code, calls APIs directly, and never hits the proxy
Why
Deep-agent products (Claude Code-style) generate code that runs in their own sandbox; the proxy isn’t on the path
Failure mode
Credentials in agent context; trifecta containment broken at the data plane
Recovery
Per PEP for Non-Tool-Mediated Actions: proxy connections out of agent sandboxes; annotate internal API endpoints; require declared-tool path or block egress entirely; track this as a known coverage hole until CMM D5 / D6 evidence catches up
B1. Cumulative-floor demoralizes teams (largely resolved 2026-05-04)
Pattern
Org has L4 controls in 6 of 9 domains; one weak domain (typically D9 Operations or D7 Observability) drops the headline rating to L1; team disengages
Why
The prior single-floor rule (CMMC 2.0 import) was unforgiving by design and treated all 9 domains as equally load-bearing for cross-domain failure
Failure mode
CMM gets ignored or gamed; honest self-assessment becomes punishing
Recovery (2026-05-04 revision)
The single-floor rule was replaced with dependency-resolved effective scores (v1 = 3 conservative active rules: D2→D5, D2→D7, D3→D4). Operational lag in D9 no longer drags D2 identity controls down; D7 observability gaps in architectural-containment programs (Stripe-style) no longer drag D3+D5 strength down. Headline is now a three-number summary (typical / weakest / strongest) plus the matrix. The pattern is largely resolved; the residual case is a program with a weakness in an upstream-dependency domain (e.g. D2 at L1 with everything else at L4) — there the cap is substantive and the demoralization is honest signal, not punitive aggregation
B2. Cherry-picking — claiming high level on the strong domains (reframed 2026-05-04)
Pattern
Org reports L4 on D2 Identity (where it has Microsoft Agent 365 deployed) without disclosing L1 on D9 Operations
Why
Self-assessment without disclosure discipline is asymmetric reputation gain
Failure mode
The asymmetric program looks mature when its weakest domain is exploitable; observers cannot tell whether the cited domain is representative or selectively reported
Recovery (2026-05-04 revision)
Disclosure discipline replaces the single-floor rule. Any rating claim MUST publish the full per-domain matrix (raw + effective scores under the active dependency-rule version) and the active rule-set version. Reports that cite a single domain’s score without the matrix are non-compliant with the measurement protocol. The cross-domain attack-path concern that the floor rule was approximating is now captured substantively by the active dependency rules (e.g. D2 weakness genuinely caps D5 effective score because identity gates per-agent egress enforcement) — so an org claiming D5 L4 with D2 L1 will see its D5 effective score capped at L1 and cannot honestly headline as L4 in egress
Artifacts produced for the audit (Cedar policy repo, AI-BOM document, IR runbook) exist but don’t reflect operational reality; nobody runs the IR runbook in a drill
Why
Auditor evidence requirements are document-shaped; operational use is process-shaped; the two diverge over time
Failure mode
Audit-passing programs that fail under real attack
Recovery
The measurement protocol’s live observation requirement at L3+: assessor MUST observe at least one live action per high-risk-tier agent. Static configs alone do not satisfy L3+; L4 requires live behavioral-drift event + live red-team eval; L5 requires live attestation + closed-loop incident replay
B4. Stub-as-evidence — claiming AIUC-1 readiness without doing the assessment
Pattern
D1 L4 evidence cites “AIUC-1 readiness assessment complete” but the assessment is a self-checklist, not a Schellman-conducted readiness review
Why
”Readiness” is ambiguous — the difference between “we read the standard” and “Schellman reviewed our gap” is large
Failure mode
L4 evidence collapses on first independent audit
Recovery
The AIUC-1 page documents the two-actor audit model — readiness assessment must be conducted by the accredited auditor (Schellman), not self-attested. CMM D1 L4 evidence requires the readiness report, not the self-checklist
Guardian agent is operational, but the meta-controls that govern it (sandboxing, immutable audit, dry-run mode for new policies, intervention-frequency tracking) drift over time as the GA is treated as “trusted infrastructure”
Why
The supervisor of supervisors gets less attention than the supervised; metagovernance is not on anyone’s primary KPI
Failure mode
A GA failure or compromise has the same blast radius as a privileged insider, with no oversight
Recovery
The five metagovernance controls (separation of identity / sandboxing / audit / monitoring / dry-run) are on a quarterly review cadence at L3+; GA-on-GA disagreement detection at L4 surfaces drift early. Gartner Note 4 explicitly flags this regression risk
Per-agent baselines established at L4 deployment time; agent population churns; new agents inherit the old baseline; drift detection alerts on legitimate change
Why
Baseline maintenance is a job nobody owns; the team that built the L4 monitoring isn’t the team that adds new agents
Failure mode
Alert volume rises until the team disables the rule; D7 L4 evidence becomes false
Recovery
Baselines are owned by the agent’s product team, not security; baseline-refresh cadence (e.g., 30-day rolling) documented in the agent catalog entry; baseline-staleness as a D7 KPI
The team optimizes the agent to pass the L4 eval suite; novel attacks not in the suite remain undetected
Why
Eval suites are observable; novel-attack coverage is not; the metric becomes the goal
Failure mode
High eval scores; production exploited by attacks the eval doesn’t cover
Recovery
Independent benchmark anchor (AgentDojo) at D7 L4 — vendor self-eval alone is not L4. Quarterly threat-modeling refresh to update the eval; red-team team distinct from product team; explicit “what would we miss?” exercise on every release
Quarterly red-team eval is a checkbox; attackers don’t actually try novel things because the report has to look familiar
Why
Quarterly cadence, vendor-tool-driven coverage, fixed scope — all push toward repeatable rather than adversarial
Failure mode
Red-team report becomes documentation, not signal
Recovery
Distinct attack categories at L4 — orchestration (PyRIT) × probe library (Garak) × CI regression (Promptfoo) × continuous CART (Mindgard) — single-tool coverage is not L4; rotate scope per quarter (one quarter focused on multi-agent, next on supply-chain, etc.); allocate budget for novel-attack research
Org reports “we split the trifecta” — research agent has untrusted-content + external-comms; personal-assistant agent has private-data + external-comms — but the agents share state via blackboard, RAG, or memory
Why
The split is documented at the agent-definition level but not at the data-flow level; shared state propagates the trifecta back together
Failure mode
Indirect injection in research-agent input → assistant-agent acts on the contaminated state → exfiltration via assistant’s external comms
Recovery
Trifecta split is a data-flow assertion, not an agent-definition assertion. CMM D6 (Data, Memory & RAG) L3+ evidence must include cross-agent provenance and trust-label propagation. Auditors should walk the data flow, not just read the agent manifest
Org claims D7 L3+ cascade detection but the rules name categories (rapid fan-out, queue storm) without numeric thresholds; nothing actually fires
Why
OWASP ASI08 / Adversa describe categories; rule SQL/YAML is not public; vendor implementations don’t surface thresholds
Failure mode
Detection rules look complete in the rubric; never produce alerts
Recovery
Per the multi-agent runtime security page: org MUST establish thresholds from a 30-day baseline period (rolling p99 + 3σ); rule-firing rate is a D7 KPI; missing-threshold rules are L2 evidence at best
Org runs Garak quarterly, calls it “comprehensive AI red team,” reports D7 L4
Why
Single tool is operationally simple; vendor tool sales push single-vendor coverage
Failure mode
Coverage gaps the wiki documents — Garak is probe library not orchestration; multi-turn attacks (PyRIT territory) and CI regression (Promptfoo territory) and continuous (Mindgard) are uncovered
Recovery
The four-quadrant rule is non-optional at L4. Single-tool coverage is explicitly not L4. Add at minimum one tool from each of the other three quadrants plus an independent benchmark anchor
D7 L4 evidence requires alerts wired to SIEM/SOAR — drift alerts feed the same on-call rotation as other security alerts; agent-aware SIEM playbooks (Falcon AIDR + NeMo Guardrails or Sentinel + Defender for Cloud Apps) at L5
Org achieves AIUC-1 certification at quarterly refresh N; doesn’t update at refresh N+1 / N+2; still cites “AIUC-1 certified” months later
Why
Quarterly refresh cadence is unusual; standards-fatigue makes maintaining the cert deprioritized
Failure mode
”Certified” claim becomes false; D1 L5 evidence stale
Recovery
The AIUC-1 page makes the freshness requirement explicit: D1 L5 means “certified against the most recent quarterly refresh.” Auditors must check the refresh date; freshness >2 quarters drops the rating
The standards crosswalk matrix exists but L4+ findings don’t actually carry the per-standard anchors (Annex IV item, AIUC-1 safeguard, ISO 42001 Annex A control, NIST SP 800-53 ID)
Why
The crosswalk is a one-time deliverable; per-finding tagging is ongoing work
Failure mode
The crosswalk doesn’t help compliance because nothing operationalizes it
Recovery
ID-tagged evidence at L3+ — every finding MUST carry the standards-anchor IDs (CMM §Global evidence rule). Untagged findings are L2 at best. The crosswalk is consumed per-finding, not authored once
Org cites whichever framework supports the current claim — NIST AI RMF for governance, CSA ATF for autonomy gates, AIUC-1 for certification, ISO 42001 for management — but doesn’t reconcile contradictions
Why
Multiple frameworks all in the air; consistent crosswalk is hard
Failure mode
Two parts of the org’s evidence contradict each other; auditors find inconsistency
Recovery
The wiki’s validation page documents per-standard verdict and contradictions; the crosswalk is the unified surface; orgs cite the same framework across related findings rather than rotating
D2 L3 evidence (every agent has its own identity) is met; identities are issued at agent creation and never rotated
Why
Rotation breaks running workflows; the team prioritized issuance over lifecycle
Failure mode
Compromised credential is forever-valid; revocation has no fail-safe
Recovery
NHI lifecycle bound to code-deploy pipeline, not HR events (Oasis sharpening at D2 L3); rotation cadence + dependency map at D2 L4. Per-credential rotation is the failure mode the NHI page documents
Org claims D2 L4 with credential proxy in use, but production has SAS tokens, storage access keys, PATs, Snowflake API keys — where the credential IS the identity. Proxy can’t help
Why
Credential proxy works for decoupled credentials; coupled credentials require structural migration
Failure mode
”Credential proxy in use” is true at the workflow boundary; some workflows route around it
Recovery
D2 L4 evidence requires a coupled-credential migration plan (Identity-Credential Coupling). Audit reports must call out which credentials remain coupled and what the planned migration is
Mesh-wide quarantine is the only documented recovery; “selective rollback” and “rolling restart” are unimplemented
Why
Mesh-wide is operationally simpler; selective recovery requires per-agent state isolation that wasn’t built
Failure mode
Every multi-agent incident triggers full-mesh outage; cost of false positive is hours of downtime
Recovery
The three recovery shapes (selective rollback / rolling restart / mesh-wide quarantine) require infrastructure; build them in the order of severity. D7 L4+ evidence includes per-agent rollback drill
H1. Buying the platform = considering coverage complete
Pattern
Org buys Microsoft Agent 365 (or AWS Bedrock Guardrails, or Google Vertex AI Agent Builder) and treats the hyperscaler-embedded controls as full coverage
Cross-cloud agent interactions remain ungoverned (per Gartner’s explicit warning: “vendor safeguards typically stop at their own cloud borders”)
Recovery
Independent oversight layer for cross-vendor coverage; treat hyperscaler-embedded as one tier, not the only tier. The Guardian Agent page documents the cross-vendor argument explicitly
D4 L4 evidence cites vendor self-eval (“LlamaFirewall PromptGuard 2: 97.5% recall”) as the L4 standard
Why
Vendor numbers are what the marketing publishes; finding independent benchmarks takes effort
Failure mode
”L4” claims rest on vendor numbers that don’t replicate on independent benchmarks (per source triangulation §Claim 5: AgentDojo is the cleanest independent comparator)
Recovery
Vendor self-eval is insufficient at L4. Independent benchmark anchor (AgentDojo / InjecAgent / WASP) required at L4. Wiki’s source-triangulation audit is the standing reference for what’s vendor-self-eval vs independent
H3. Decision rights skipped in favor of access policies
Pattern
D1 L3 evidence has Cedar/OPA policy repo; doesn’t have a decision-rights matrix (action class × decision right × approver × justification × time bound). Access policies cover what’s allowed; decision rights cover who decides
Why
Security thinks in access; governance thinks in authority; D1 L3 demands both
Failure mode
Per Knostic: governance ≠ security. An org with strong access controls and no decision-rights documentation has unresolvable accountability after an incident
Recovery
D1 L3 evidence requires both — access policy AND decision-rights matrix. The two are complements, not alternatives
I2. AI security on traditional security team with no AI training
Pattern
The reverse anti-pattern — the security team handles AI risk with classical-security primitives only; misses AI-specific threats
Why
Org chart treats AI security as a security workload; AI-specific knowledge as out of scope
Failure mode
Prompt injection treated as input validation; supply-chain treated as SBOM-only; novel agentic threats missed
Recovery
Same as I1 — joint capability. Security team training on agentic-AI-specific threats; AI platform team training on threat-modeling and IR. The wiki itself is one input to that training
Single AI security person owns the program; everything depends on their continuity
Why
New domain; small market for AI security talent; teams form around individuals
Failure mode
Personnel change breaks the program; institutional knowledge lost
Recovery
D9 L3+ evidence includes named deputy plus runbook continuity test (every L3+ runbook executable by the deputy without the primary). Bus factor ≥ 2 is a D9 L3 hard requirement
In self-assessment. Walk this list before claiming L3+ evidence. If your program shows the anti-pattern, the L3+ evidence is theater — downgrade or remediate.
In audit. External assessors should ask “what’s your version of these anti-patterns?” — orgs that name 3+ that apply to them are operating in good faith. Orgs that claim none probably aren’t paying attention.
In peer review. This catalog is the wiki’s “where it goes wrong” appendix. Mature frameworks have these (BSIMM activities-not-undertaken; CMMC appeals; SAMM scoring caveats); the wiki now does too.
In post-incident. Every incident review should ask “which of these patterns were operating?” — if the catalog covers it, the recovery is documented. If not, that’s a new entry.
Mapping to BSIMM / CMMC / SAMM precedents
Mature framework
Equivalent feature
What the wiki imports
BSIMM
Activities-not-undertaken — what good orgs don’t do
Several entries (single-tool red-team, vendor-promise-as-evidence) are wiki’s version
CMMC 2.0
Appeals process for rating disputes
Floor-rule + per-domain matrix gives transparency for disagreements
OWASP SAMM
Scoring caveats — when the score doesn’t fit
Multiple anti-patterns (cumulative-floor demoralizes; cherry-picking; evidence theatre) are scoring-caveat shaped
NIST CSF 2.0
”Implementation Tier” gap framing
This page’s anti-patterns are the Implementation Tier failures the CMM is meant to surface
Open issues
What this catalog doesn't yet cover
Cross-org / federated anti-patterns — when two orgs share an agent mesh, whose anti-patterns dominate? Not addressed.
Empirical incident anchors — most entries are first-principles + practitioner knowledge. Production-incident anchors would strengthen each. The wiki’s GTG-1002 is the only public agentic incident anchor; more are needed before the catalog is empirically validated.
Quantitative thresholds for the recovery mechanisms — when is “approval-rate-without-comment” too high? When is “baseline-staleness” too stale? These need numbers.
Anti-patterns of this catalog itself — meta-failure: catalog becomes ceremonial / used as a checklist rather than as ongoing reflection. The bar for adding a new anti-pattern is “we’ve seen it in the field” — not “it’s theoretically possible.”