Security Controls for AI Stacks

On this page

Question

What security controls exist for agentic AI stacks, where do they live in the stack, and what are the gaps?

Current position

Working controls converge into six layers. Mature options exist at the identity and observability layers, emerging options at containment and network, and material gaps remain at the model and data layers.

Platform-layer over prompt-layer. The strongest practitioner consensus across the ingested sources (AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks, Securing the Autonomous Future: Trust, Safety, and Reliability of Agentic AI, Emerging Cybersecurity Practices for Agentic AI Applications) is that security controls must now be enforced at the platform layer, not the prompt layer. Prompt-level guardrails are bypassable; platform-level enforcement (input filtering at the broker, egress control, capability-based authorization, sandboxing) is not.

Evidence from Emerging Cybersecurity Practices for Agentic AI Applications: the APort Agent Guardrail case study states it directly: “pre-action authorization must run in the runtime/platform, so the platform invokes the guardrail for every tool call regardless of what the model outputs.” This mirrors a fundamental security principle: controls must be enforced at a layer below the layer they protect. Network firewalls enforce below the application; tool call interception must enforce below the LLM.

The six layers

1. Identity layer (mature)

This layer assigns verifiable identities to AI agents and traces actions back to invoking humans.

ControlPageStatus
Workload identity (SPIFFE/SPIRE) SPIREStub — adoption growing
Non-Human Identity (NHI) governanceNon-Human Identity, NHI Governance for AgentsDeveloping
Reference architectureAI Agent Identity ArchitectureDeveloping
Credential lifecycle (Credential Zero)NHI Governance for AgentsDeveloping
Capability-based authorization (Warrants)Task-scoped, signed, ephemeral capability authorizationsDeveloping
Credential proxy (proxy token, vault injection)Credential Proxy PatternDeveloping — multi-tool convergence confirms this is load-bearing

Verdict: mature options exist; integration discipline (action-to-identity tracing) distinguishes well-postured organizations from exposed ones. The Credential Proxy Pattern for AI Agents has independently converged across five or more tools in the OpenClaw ecosystem, a signal that credential exposure, not only credential rotation, is a distinct control gap. See Emerging Cybersecurity Practices for Agentic AI Applications.

2. Observability layer (mature)

This layer turns the agent from a black box into a glass box, tracing reasoning, tool calls, and identities.

ControlPageStatus
Lifecycle hooks + reference monitorsAgent Observability §1Developing
OpenTelemetry gen_ai.* semantic conventionsAgent Observability §2Developing
Identity multiplexing in logsAgent Observability §3Developing
Cedar policy for action mediationAgent Observability §4ADeveloping
Agent Cards (System of Record)Agent Observability §4CDeveloping
Context-aware trimming with pinned tagsAgent Observability §5Developing
Agent behavioral monitoring (anomaly detection)Agent Observability §7Developing
AI-BOM runtime discovery (behavioral baseline)AI-BOM (Miggo DeepTracing)Developing
Behavioral drift detectionAgent Observability §7, AI-BOM §RuntimeDeveloping
Cognitive file integrity monitoringSupply Chain SecurityDeveloping — extends FIM to identity files

Verdict: mature catalogue, with strong practitioner consensus and real tooling (the OTel gen_ai.* conventions). From Emerging Cybersecurity Practices for Agentic AI Applications: Miggo’s AI-BOM runtime discovery with DeepTracing adds a continuous behavioral BOM approach, and cognitive file integrity (monitoring SHA-256 drift on identity files) extends traditional FIM to agentic-specific artifacts.

3. Containment layer (emerging)

This layer prevents an agent from doing damage when other controls fail.

ControlPageStatus
Agent sandboxing (OS-level isolation)Agent SandboxingDeveloping — last-line-of-defense
Lethal Trifecta containment (egress control, human confirmation, tool annotation)Stripe (stub — needs full architecture page)Stub
Human-in-the-Loop primitiveConfirmation gate before high-impact tool callsDeveloping
Reversible-actions-only constraintConstrain consequential actions to reversible ones, with circuit breakersDeveloping
Least agency tiers (auto/notify/confirm/block)Least Agency PrincipleDeveloping — OWASP-sourced
Tool call interception at platform layerPrompt Injection ContainmentDeveloping
AlignmentCheck (chain-of-thought auditing)Prompt Injection Containment, LlamaFirewallDeveloping
Kill switches / instant revocationCredential Proxy PatternDeveloping
State rollback (Brain Git)Supply Chain SecurityDeveloping — agentic-specific

Containment layer: partially closed

The Stripe Lethal Trifecta architecture is widely cited but not yet documented in the wiki as a standalone reference architecture; worth elevating from the Stripe stub to a dedicated page. Emerging Cybersecurity Practices for Agentic AI Applications supplies substantial containment content: the Least Agency Principle page documents the OWASP four-tier autonomy classification; Prompt Injection Containment for Agentic Systems covers tool-call interception, AlignmentCheck, and platform-level versus prompt-level enforcement; kill-switch and instant-revocation and Brain Git rollback are documented in Supply Chain Security for Agentic AI. The Lethal Trifecta architecture page is the remaining unfilled stub.

4. Network and protocol layer (emerging)

This layer secures inter-agent and agent-to-tool communication.

ControlPageStatus
MCP Security taxonomy (CoSAI WS4)MCP Security, CoSAIDeveloping
AgentGateway (open-source MCP gateway)AgentGatewayStub
A2A Protocol with Agent Cards / opacity principleA2A ProtocolStub
Egress control patterns(no dedicated page yet)Gap — see update note
Agent-to-agent cryptographic identity (Ed25519)Agent Identity Architecture, Emerging Practices §2.4Developing — Oktsec implementation
Multi-rule content scanning on inter-agent messages (Oktsec, 268 rules at v0.15.2)A2A Protocol, Emerging Practices §2.4Developing — Oktsec

Egress control patterns: partially addressed

Multiple sources reference controlled egress as a Lethal Trifecta containment primitive; a dedicated egress-control-patterns page is still warranted. Emerging Cybersecurity Practices for Agentic AI Applications documents the credential proxy pattern as a practical egress control: the proxy validates outbound requests against allowed targets before injecting credentials, providing destination-based filtering. Docker DOCKER-USER chain rules for container networking and network segmentation for agent runtimes appear in its Section 2.7.

5. Model layer (research-stage / gap)

This layer detects malicious intent or deception inside the model itself.

ControlPageStatus
LlamaFirewall (open-source guardrail)LlamaFirewallDeveloping
Mechanistic interpretability for “internal EDR”Agent Observability §6Developing — research-stage
Prompt-level guardrails(no dedicated page; widely seen as bypassable)Acknowledged-weak
Prompt injection detection / input filteringPrompt Injection Containment §Layer 1Developing
Proof-of-Guardrail (TEE attestation)Emerging Practices §2.5Research-stage — novel primitive

Model layer is the weakest link. Prompt-level guardrails are not robust controls; platform-layer enforcement is the practical answer. Mechanistic interpretability is promising but research-stage. The honest read: the model layer offers detection, not prevention, and detection itself is unreliable.

Per Emerging Cybersecurity Practices for Agentic AI Applications, LlamaFirewall carries three components: PromptGuard 2 (injection detection, reported substantial reduction in attack success rate), AlignmentCheck (chain-of-thought auditing for goal hijacking, a prospective control), and CodeShield (static analysis for generated code). Proof-of-Guardrail uses AWS Nitro Enclaves to cryptographically attest that guardrails executed, moving from trusting the vendor to verifying the guardrail ran. Both remain research-stage.

6. Data layer (gap)

This layer protects training data, RAG sources, and model artifacts, and provides supply-chain assurance.

ControlPageStatus
AI-BOM / ML-BOMAI-BOMDeveloping — gap closed
Supply-chain multi-layer defenseSupply Chain Security for AgentsDeveloping — gap closed
Supply-chain attack disclosureClawHavoc, SANDWORM_MODE, LiteLLMIncident pages
Cognitive file integrity (SOUL.md / IDENTITY.md)Supply Chain Security §Layer 4Developing — new category
Data poisoning defenses(no dedicated page)Gap — still open
RAG poisoning defenses(no dedicated page)Gap — still open

Data layer: partially closed

Three Q1 2026 incidents are pure supply-chain compromises: ClawHavoc, SANDWORM_MODE npm worm, and LiteLLM Supply Chain Compromise. The AI-BOM page documents the AI Bill of Materials control (static and runtime, CycloneDX format, Miggo runtime-discovery pattern), and Supply Chain Security for Agentic AI covers the multi-layer defense model: registry scanning, pre-install scanning, checksum verification, cognitive file integrity, and behavioral drift detection. Cognitive file integrity (SHA-256 monitoring of SOUL.md and IDENTITY.md, Brain Git rollback) is an agentic-specific category from that source.

Still open: data poisoning defenses and RAG poisoning defenses have no dedicated pages; both need a separate source or working session.

What the frameworks cover (and don’t)

FrameworkLayers covered wellLayers under-covered
NIST AI RMFGovernance overlay; risk-management processTechnical controls per layer
MITRE ATLASThreat taxonomy (attacker perspective)Defender controls
OWASP LLM Top 10Model-layer awarenessIdentity, network, data
OWASP Agentic AI Top 10Agent-orchestration risksImplementation guidance
IEC 42001Management system and governanceTechnical security controls
Google SAIFLifecycle conceptual modelConcrete operational controls
CoSAI (MCP white paper; secure-by-design)Network/protocol layer (MCP); secure-by-design conceptsReference implementations
Microsoft RAI / ZT4AIBroad control coverage across the Zero Trust pillarsMicrosoft-stack-specific
ATFCross-layer threat model; autonomy promotion gatesOperational tooling

How this position has evolved

Open sub-questions

Open sub-questions

  1. Egress control patterns — which egress mechanisms work: OPA/Cedar at the broker, a separate egress proxy, or network-segment isolation? Partially addressed: the credential proxy provides destination-based filtering and Docker DOCKER-USER chain rules are documented in Emerging Cybersecurity Practices for Agentic AI Applications; a dedicated page is still needed.
  2. AI-BOM operationalization — beyond the CycloneDX ML extension, what is the production workflow? Partially addressed in AI-BOM (runtime AI-BOM via Miggo DeepTracing); full enterprise integration is still thin.
  3. Per-agent authorization at scale — how does capability-based authorization (warrants) interact with traditional RBAC/ABAC at enterprise scale?
  4. Detection versus prevention for prompt injectionPrompt Injection Containment documents the two-layer model: input detection plus execution containment. Detection reduces attack success but cannot eliminate it; containment limits blast radius when detection fails, and HITL confirmation closes the prevention gap for high-risk-tier actions.
  5. Data poisoning and RAG poisoning defenses — no dedicated practice page exists. Three incidents and the CMM D6 (Data, Memory & RAG) reference these, with the CMM at L4 calling for RAGShield/TrustRAG-class document attestation, a memory-poisoning detector, and PoisonedRAG defense.
  6. Emergent multi-agent behaviors — ASI07 (Insecure Inter-Agent Comms), ASI08 (Cascading Failures), and ASI10 (Rogue Agents) have no traditional equivalent. Partially addressed: see Multi-Agent Runtime Security for cascade detection, behavioral baselining, and inter-agent IR, and A2A Protocol for the v1.0.0 spec analysis. Cascade detection at scale is still at the academic-prototype stage.