# Security
This is the canonical home for all security documentation in Agent Governance Toolkit.
## Start here
| Topic | Page |
|---|---|
| How threats are modeled across AGT's trust boundaries | Threat Model |
| Multi-tenant isolation guarantees and operator checklist | Tenant Isolation · Checklist |
| Trust score calibration methodology and thresholds | Trust Score Calibration |
| Plugin and dependency scanning that runs on every PR | Security Scanning |
| How AGT maps to the OWASP Agentic Top 10 | OWASP ASI coverage |
| Dated security audit notes (additive contracts, sandbox extensions, etc.) | Audits |
| Reporting a vulnerability | Disclosure |
## Scope
This section covers the runtime security posture of AGT: how the policy engine, identity, sandbox, and audit subsystems defend against the threats documented in the threat model, and how operators verify that posture in production.
It does not cover:
- Compliance framework mapping (NIST AI RMF, EU AI Act, SOC2, ISO 42001 et al.) — see the per-framework pages under `docs/compliance/`, e.g. NIST AI RMF alignment and SOC2 mapping.
- Release security or supply-chain attestation for shipped artifacts — see the release notes under `docs/releases/` and the SBOM workflow at `.github/workflows/sbom.yml`.
## Reporting a vulnerability
If you believe you have found a security vulnerability in this repository, please follow the disclosure process in disclosure.md. Do not file a public GitHub issue.