Security Controls for AI Stacks
On this page
- Question
- Current position
- The six layers
- What the frameworks cover (and don’t)
- How this position has evolved
- Open sub-questions
Question
What security controls exist for agentic AI stacks, where do they live in the stack, and what are the gaps?
Current position
Working controls converge into six layers. Mature options exist at the identity and observability layers, emerging options at containment and network, and material gaps remain at the model and data layers.
Platform-layer over prompt-layer. The strongest practitioner consensus across the ingested sources (AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks, Securing the Autonomous Future: Trust, Safety, and Reliability of Agentic AI, Emerging Cybersecurity Practices for Agentic AI Applications) is that security controls must now be enforced at the platform layer, not the prompt layer. Prompt-level guardrails are bypassable; platform-level enforcement (input filtering at the broker, egress control, capability-based authorization, sandboxing) is not.
Evidence from Emerging Cybersecurity Practices for Agentic AI Applications: the APort Agent Guardrail case study states it directly: “pre-action authorization must run in the runtime/platform, so the platform invokes the guardrail for every tool call regardless of what the model outputs.” This mirrors a fundamental security principle: controls must be enforced at a layer below the layer they protect. Network firewalls enforce below the application; tool call interception must enforce below the LLM.
The six layers
1. Identity layer (mature)
This layer assigns verifiable identities to AI agents and traces actions back to invoking humans.
| Control | Page | Status |
|---|---|---|
| Workload identity (SPIFFE/SPIRE) | SPIRE | Stub — adoption growing |
| Non-Human Identity (NHI) governance | Non-Human Identity, NHI Governance for Agents | Developing |
| Reference architecture | AI Agent Identity Architecture | Developing |
| Credential lifecycle (Credential Zero) | NHI Governance for Agents | Developing |
| Capability-based authorization (Warrants) | Task-scoped, signed, ephemeral capability authorizations | Developing |
| Credential proxy (proxy token, vault injection) | Credential Proxy Pattern | Developing — multi-tool convergence confirms this is load-bearing |
Verdict: mature options exist; integration discipline (action-to-identity tracing) distinguishes well-postured organizations from exposed ones. The Credential Proxy Pattern for AI Agents has independently converged across five or more tools in the OpenClaw ecosystem, a signal that credential exposure, not only credential rotation, is a distinct control gap. See Emerging Cybersecurity Practices for Agentic AI Applications.
2. Observability layer (mature)
This layer turns the agent from a black box into a glass box, tracing reasoning, tool calls, and identities.
| Control | Page | Status |
|---|---|---|
| Lifecycle hooks + reference monitors | Agent Observability §1 | Developing |
OpenTelemetry gen_ai.* semantic conventions | Agent Observability §2 | Developing |
| Identity multiplexing in logs | Agent Observability §3 | Developing |
| Cedar policy for action mediation | Agent Observability §4A | Developing |
| Agent Cards (System of Record) | Agent Observability §4C | Developing |
| Context-aware trimming with pinned tags | Agent Observability §5 | Developing |
| Agent behavioral monitoring (anomaly detection) | Agent Observability §7 | Developing |
| AI-BOM runtime discovery (behavioral baseline) | AI-BOM (Miggo DeepTracing) | Developing |
| Behavioral drift detection | Agent Observability §7, AI-BOM §Runtime | Developing |
| Cognitive file integrity monitoring | Supply Chain Security | Developing — extends FIM to identity files |
Verdict: mature catalogue, with strong practitioner consensus and real tooling (the OTel gen_ai.* conventions). From Emerging Cybersecurity Practices for Agentic AI Applications: Miggo’s AI-BOM runtime discovery with DeepTracing adds a continuous behavioral BOM approach, and cognitive file integrity (monitoring SHA-256 drift on identity files) extends traditional FIM to agentic-specific artifacts.
3. Containment layer (emerging)
This layer prevents an agent from doing damage when other controls fail.
| Control | Page | Status |
|---|---|---|
| Agent sandboxing (OS-level isolation) | Agent Sandboxing | Developing — last-line-of-defense |
| Lethal Trifecta containment (egress control, human confirmation, tool annotation) | Stripe (stub — needs full architecture page) | Stub |
| Human-in-the-Loop primitive | Confirmation gate before high-impact tool calls | Developing |
| Reversible-actions-only constraint | Constrain consequential actions to reversible ones, with circuit breakers | Developing |
| Least agency tiers (auto/notify/confirm/block) | Least Agency Principle | Developing — OWASP-sourced |
| Tool call interception at platform layer | Prompt Injection Containment | Developing |
| AlignmentCheck (chain-of-thought auditing) | Prompt Injection Containment, LlamaFirewall | Developing |
| Kill switches / instant revocation | Credential Proxy Pattern | Developing |
| State rollback (Brain Git) | Supply Chain Security | Developing — agentic-specific |
Containment layer: partially closed
The Stripe Lethal Trifecta architecture is widely cited but not yet documented in the wiki as a standalone reference architecture; worth elevating from the Stripe stub to a dedicated page. Emerging Cybersecurity Practices for Agentic AI Applications supplies substantial containment content: the Least Agency Principle page documents the OWASP four-tier autonomy classification; Prompt Injection Containment for Agentic Systems covers tool-call interception, AlignmentCheck, and platform-level versus prompt-level enforcement; kill-switch and instant-revocation and Brain Git rollback are documented in Supply Chain Security for Agentic AI. The Lethal Trifecta architecture page is the remaining unfilled stub.
4. Network and protocol layer (emerging)
This layer secures inter-agent and agent-to-tool communication.
| Control | Page | Status |
|---|---|---|
| MCP Security taxonomy (CoSAI WS4) | MCP Security, CoSAI | Developing |
| AgentGateway (open-source MCP gateway) | AgentGateway | Stub |
| A2A Protocol with Agent Cards / opacity principle | A2A Protocol | Stub |
| Egress control patterns | (no dedicated page yet) | Gap — see update note |
| Agent-to-agent cryptographic identity (Ed25519) | Agent Identity Architecture, Emerging Practices §2.4 | Developing — Oktsec implementation |
| Multi-rule content scanning on inter-agent messages (Oktsec, 268 rules at v0.15.2) | A2A Protocol, Emerging Practices §2.4 | Developing — Oktsec |
Egress control patterns: partially addressed
Multiple sources reference controlled egress as a Lethal Trifecta containment primitive; a dedicated egress-control-patterns page is still warranted. Emerging Cybersecurity Practices for Agentic AI Applications documents the credential proxy pattern as a practical egress control: the proxy validates outbound requests against allowed targets before injecting credentials, providing destination-based filtering. Docker DOCKER-USER chain rules for container networking and network segmentation for agent runtimes appear in its Section 2.7.
5. Model layer (research-stage / gap)
This layer detects malicious intent or deception inside the model itself.
| Control | Page | Status |
|---|---|---|
| LlamaFirewall (open-source guardrail) | LlamaFirewall | Developing |
| Mechanistic interpretability for “internal EDR” | Agent Observability §6 | Developing — research-stage |
| Prompt-level guardrails | (no dedicated page; widely seen as bypassable) | Acknowledged-weak |
| Prompt injection detection / input filtering | Prompt Injection Containment §Layer 1 | Developing |
| Proof-of-Guardrail (TEE attestation) | Emerging Practices §2.5 | Research-stage — novel primitive |
Model layer is the weakest link. Prompt-level guardrails are not robust controls; platform-layer enforcement is the practical answer. Mechanistic interpretability is promising but research-stage. The honest read: the model layer offers detection, not prevention, and detection itself is unreliable.
Per Emerging Cybersecurity Practices for Agentic AI Applications, LlamaFirewall carries three components: PromptGuard 2 (injection detection, reported substantial reduction in attack success rate), AlignmentCheck (chain-of-thought auditing for goal hijacking, a prospective control), and CodeShield (static analysis for generated code). Proof-of-Guardrail uses AWS Nitro Enclaves to cryptographically attest that guardrails executed, moving from trusting the vendor to verifying the guardrail ran. Both remain research-stage.
6. Data layer (gap)
This layer protects training data, RAG sources, and model artifacts, and provides supply-chain assurance.
| Control | Page | Status |
|---|---|---|
| AI-BOM / ML-BOM | AI-BOM | Developing — gap closed |
| Supply-chain multi-layer defense | Supply Chain Security for Agents | Developing — gap closed |
| Supply-chain attack disclosure | ClawHavoc, SANDWORM_MODE, LiteLLM | Incident pages |
| Cognitive file integrity (SOUL.md / IDENTITY.md) | Supply Chain Security §Layer 4 | Developing — new category |
| Data poisoning defenses | (no dedicated page) | Gap — still open |
| RAG poisoning defenses | (no dedicated page) | Gap — still open |
Data layer: partially closed
Three Q1 2026 incidents are pure supply-chain compromises: ClawHavoc, SANDWORM_MODE npm worm, and LiteLLM Supply Chain Compromise. The AI-BOM page documents the AI Bill of Materials control (static and runtime, CycloneDX format, Miggo runtime-discovery pattern), and Supply Chain Security for Agentic AI covers the multi-layer defense model: registry scanning, pre-install scanning, checksum verification, cognitive file integrity, and behavioral drift detection. Cognitive file integrity (SHA-256 monitoring of SOUL.md and IDENTITY.md, Brain Git rollback) is an agentic-specific category from that source.
Still open: data poisoning defenses and RAG poisoning defenses have no dedicated pages; both need a separate source or working session.
What the frameworks cover (and don’t)
| Framework | Layers covered well | Layers under-covered |
|---|---|---|
| NIST AI RMF | Governance overlay; risk-management process | Technical controls per layer |
| MITRE ATLAS | Threat taxonomy (attacker perspective) | Defender controls |
| OWASP LLM Top 10 | Model-layer awareness | Identity, network, data |
| OWASP Agentic AI Top 10 | Agent-orchestration risks | Implementation guidance |
| IEC 42001 | Management system and governance | Technical security controls |
| Google SAIF | Lifecycle conceptual model | Concrete operational controls |
| CoSAI (MCP white paper; secure-by-design) | Network/protocol layer (MCP); secure-by-design concepts | Reference implementations |
| Microsoft RAI / ZT4AI | Broad control coverage across the Zero Trust pillars | Microsoft-stack-specific |
| ATF | Cross-layer threat model; autonomy promotion gates | Operational tooling |
How this position has evolved
- 2026-04-30 — Initial synthesis from three ingested sources identified the six layers and flagged the model and data layers as material gaps.
- 2026-04-30 — Emerging Cybersecurity Practices for Agentic AI Applications closed several gaps. The identity layer gained the Credential Proxy Pattern with multi-tool convergence evidence. The observability layer gained AI-BOM runtime discovery (Miggo DeepTracing) and cognitive file integrity. The containment layer gained the OWASP four-tier autonomy model (see Least Agency Principle) and Prompt Injection Containment with AlignmentCheck. The data layer gained AI-BOM and Supply Chain Security for Agentic AI, though RAG and data poisoning defenses stayed open. The network layer gained Ed25519 agent-to-agent signing (Oktsec, vendor-side, not in the A2A v1.0 spec) and Oktsec content scanning.
Open sub-questions
Open sub-questions
- Egress control patterns — which egress mechanisms work: OPA/Cedar at the broker, a separate egress proxy, or network-segment isolation? Partially addressed: the credential proxy provides destination-based filtering and Docker DOCKER-USER chain rules are documented in Emerging Cybersecurity Practices for Agentic AI Applications; a dedicated page is still needed.
- AI-BOM operationalization — beyond the CycloneDX ML extension, what is the production workflow? Partially addressed in AI-BOM (runtime AI-BOM via Miggo DeepTracing); full enterprise integration is still thin.
- Per-agent authorization at scale — how does capability-based authorization (warrants) interact with traditional RBAC/ABAC at enterprise scale?
- Detection versus prevention for prompt injection — Prompt Injection Containment documents the two-layer model: input detection plus execution containment. Detection reduces attack success but cannot eliminate it; containment limits blast radius when detection fails, and HITL confirmation closes the prevention gap for high-risk-tier actions.
- Data poisoning and RAG poisoning defenses — no dedicated practice page exists. Three incidents and the CMM D6 (Data, Memory & RAG) reference these, with the CMM at L4 calling for RAGShield/TrustRAG-class document attestation, a memory-poisoning detector, and PoisonedRAG defense.
- Emergent multi-agent behaviors — ASI07 (Insecure Inter-Agent Comms), ASI08 (Cascading Failures), and ASI10 (Rogue Agents) have no traditional equivalent. Partially addressed: see Multi-Agent Runtime Security for cascade detection, behavioral baselining, and inter-agent IR, and A2A Protocol for the v1.0.0 spec analysis. Cascade detection at scale is still at the academic-prototype stage.