OWASP Compliance

Coverage Summary¶

Mappings in place for all 10 risk categories. Coverage is provided through the combined governance stack; deployers should pair these controls with the layered defenses described in docs/LIMITATIONS.md for production use.

Detailed Mapping¶

ASI-01: Agent Goal Hijack¶

Attackers manipulate the agent's objectives via indirect prompt injection or poisoned inputs.

Mitigation: Agent OS enforces policy-based action interception at the application layer. Every agent action passes through the policy engine before execution. Unauthorized goal changes are blocked before they reach the agent's tools.

• Policy Engine — declarative rules controlling what agents can and cannot do
• Action Interception — governance middleware intercepts agent actions before execution
• Policy Modes — strict (deny by default), permissive (allow by default), audit (log only)
• MCP Governance Proxy — policy enforcement for MCP tool calls

from agent_os import StatelessKernel, ExecutionContext

kernel = StatelessKernel()
ctx = ExecutionContext(agent_id="my-agent", policies=["read_only"])

# This action is blocked by policy — goal hijack prevented
result = await kernel.execute(
    action="delete_database",
    params={"target": "production"},
    context=ctx,
)
# result.success = False, result.error = "Policy violation: read_only"

Component: Agent OS — src/agent_os/policy/, extensions/mcp-server/src/services/policy-engine.ts

ASI-02: Tool Misuse & Exploitation¶

An agent's authorized tools are abused in unintended ways, such as exfiltrating data via read operations.

Mitigation: Agent OS provides capability-based security inspired by POSIX. Agents are granted specific, scoped capabilities — not blanket tool access. Tool inputs are sanitized for injection patterns.

• Capability Sandboxing — agents receive explicit capability grants (read, write, execute, network)
• Tool Allowlists/Denylists — built-in strict mode blocks run_shell, execute_command, eval
• Input Sanitization — command injection detection, shell metacharacter blocking
• verify_code_safety MCP tool — checks generated code before execution

Component: Agent OS — capability model, MCP proxy policy rules

ASI-03: Identity & Privilege Abuse¶

Agents escalate privileges by abusing identities or inheriting excessive credentials.

Mitigation: AgentMesh implements zero-trust identity using Decentralized Identifiers (DIDs). Every agent has a cryptographic identity with scoped capabilities. Trust is earned, not assumed.

• DID Identity — did:agentmesh:{agentId}:{fingerprint} with Ed25519 key pairs
• Trust Scoring — tiered model: Untrusted → Provisional → Trusted → Verified
• Delegation Chains — track trust inheritance with verifiable credentials
• Challenge-Response Handshake — cryptographic authentication at connection time
• Trust Decay — scores degrade over time without positive signals

from agentmesh import AgentIdentity

identity = AgentIdentity.create(
    name="data-analyst",
    sponsor="admin@company.com",
    capabilities=["read:data"],  # Scoped — cannot write or delete
)

Component: AgentMesh — agent-governance-typescript/src/identity.ts, agent-governance-typescript/src/trust.ts

ASI-04: Agentic Supply Chain Vulnerabilities¶

Vulnerabilities in third-party tools, plugins, agent registries, or runtime dependencies that agents use to act, plan, or delegate.

Mitigation: AgentMesh implements the AI-BOM (AI Bill of Materials) — a comprehensive standard for tracking the full AI supply chain including model provenance, dataset lineage, weights versioning, and software dependencies.

• Model Provenance — base model ancestry, fine-tuning history, training cutoff dates
• Dataset Tracking — training data, RAG sources, and evaluation benchmarks with data cards (PII status, bias assessment, consent tracking)
• Weights Versioning — cryptographic hashes (SHA-256), quantization records, LoRA adapter metadata, SLSA build provenance
• Software Dependencies — SPDX-aligned package tracking, CI security scanning (Bandit)
• Compliance Mapping — tracks coverage against OWASP, CSA ATF, EU AI Act frameworks
• Cryptographic Signing — Ed25519 signatures from sponsor and platform

# AI-BOM tracks the full supply chain
ai_bom = {
    "modelProvenance": {
        "primary": {"provider": "anthropic", "model": "claude-3-sonnet"},
        "fineTuning": {"method": "LoRA", "evaluationMetrics": {"accuracy": 0.94}},
    },
    "datasets": [
        {"name": "FAQ KB", "type": "fine-tuning", "dataCard": {"piiStatus": "redacted"}},
        {"name": "Product Docs", "type": "rag-source", "updateFrequency": "weekly"},
    ],
    "weights": {"hash": "sha256:...", "format": "safetensors", "precision": "bf16"},
}

Component: AgentMesh — docs/RFC_AGENT_SBOM.md (AI-BOM v2.0 specification)

ASI-05: Unexpected Code Execution¶

Agents trigger remote code execution through tools, interpreters, or APIs.

Mitigation: Agent Runtime implements CPU ring-inspired execution isolation. Agents run in restricted rings with resource limits and can be terminated instantly.

• Execution Rings (Ring 0–3) — privilege tiers from kernel (0) to untrusted (3)
• Resource Limits — CPU, memory, time bounds per agent execution
• Kill Switch — instant termination of runaway agents
• Saga Compensation — automatic rollback when execution fails
• Sandboxed Execution — code runs in isolated contexts

Component: Agent Runtime — execution rings, resource management, saga orchestration

ASI-06: Memory & Context Poisoning¶

Persistent memory or long-running context is poisoned with malicious instructions.

Mitigation: Agent OS provides policy-controlled virtual filesystem (VFS) for agent memory with read-only policy enforcement and multi-model claim verification.

• VFS Memory Policies — vfs://{agent_id}/mem/* with per-agent access control
• Policy-Protected Context — vfs://{agent_id}/policy/* is read-only
• CMVK (Cross-Model Verification Kernel) — verifies claims across multiple AI models to detect poisoned context
• Prompt Injection Detection — sanitizer blocks ignore previous instructions, disregard prior patterns
• PII Protection — detects and redacts sensitive data in agent context

Component: Agent OS — VFS, CMVK verification, MCP proxy sanitizer

ASI-07: Insecure Inter-Agent Communication¶

Agents collaborate without adequate authentication, confidentiality, or validation.

Mitigation: AgentMesh provides IATP (Inter-Agent Trust Protocol) and E2E encrypted channels using the Signal protocol (X3DH + Double Ratchet) for secure multi-agent communication.

• IATP Sign/Verify — cryptographic trust attestations for every message
• E2E Encrypted Channels — Signal protocol (X3DH key agreement + Double Ratchet) provides per-message forward secrecy and post-compromise security
• Trust-Gated Encryption — EncryptedTrustBridge requires successful trust handshake before encrypted channel establishment
• Trust Scoring at Connection — agents evaluated before communication is established
• Reputation System — ongoing trust tracking with decay and penalty
• Mutual Authentication — both sides must prove identity via Ed25519 challenge-response

from agentmesh.encryption.bridge import EncryptedTrustBridge

bridge = EncryptedTrustBridge(agent_did="did:mesh:alice", key_manager=keys)
channel = await bridge.open_secure_channel("did:mesh:bob", bob_bundle)
ciphertext = channel.send(b"governed action")  # E2E encrypted

Component: AgentMesh — IATP protocol, trust scoring, E2E encryption (Tutorial 32)

ASI-08: Cascading Failures¶

An initial error or compromise triggers multi-step compound failures across chained agents.

Mitigation: Agent SRE provides production-grade reliability engineering specifically designed for agent fleets.

• Circuit Breakers — automatic isolation of failing agents before failures cascade
• Cascading Failure Detection — monitors dependency chains for propagation patterns
• SLO Enforcement — Service Level Objectives with error budgets per agent
• Error Budgets — quantified failure tolerance that triggers automatic intervention
• Canary Deploys — gradual rollout of agent changes to detect issues early
• OpenTelemetry Integration — distributed tracing across multi-agent workflows

Component: Agent SRE — circuit breakers, SLO engine, cascading failure detection, chaos testing

ASI-09: Human-Agent Trust Exploitation¶

Attackers leverage misplaced user trust in agents' autonomy to authorize dangerous actions.

Mitigation: Agent OS implements approval workflows that require explicit human confirmation for high-risk agent actions.

• Approval Workflows — configurable human-in-the-loop for sensitive operations
• Risk Assessment — automatic classification: critical, high, medium, low
• Quorum Logic — critical actions require multiple approvals
• Expiration Tracking — approval requests time out to prevent stale authorizations
• require_approval Policy Action — built-in policy rule for human review gates

Component: Agent OS — extensions/mcp-server/src/services/approval-workflow.ts

ASI-10: Rogue Agents¶

Agents operating outside their defined scope by configuration drift, reprogramming, or emergent misbehavior.

Mitigation: Agent Runtime provides runtime behavioral monitoring with instant kill capability, combined with AgentMesh trust decay.

• Ring Isolation — rogue agents are confined to their execution ring and cannot escalate
• Kill Switch — immediate termination of agents exhibiting rogue behavior
• Behavioral Monitoring — trust score decay on failures, anomaly tracking
• Immutable Audit Trail — hash-chain audit logs detect tampering
• Shapley-Value Fault Attribution — identify which agent in a multi-agent system is responsible for failures
• Merkle Audit Trails — cryptographic proof of agent action history

Component: Agent Runtime + AgentMesh trust decay

One Install, Nine Protections¶

pip install agent-governance-toolkit[full]

This single command installs the complete governance stack:

Cross-Cutting Principle: Least Agency¶

The Least Agency principle is emphasized throughout the OWASP Agentic Top 10 as a foundational design principle for secure agentic systems. It states:

Agents should be granted the minimum capabilities, permissions, and autonomy necessary to complete their assigned tasks.

Our stack enforces Least Agency at every layer:

# Example: Least Agency in action
identity = AgentIdentity.create(
    name="report-generator",
    sponsor="admin@company.com",
    capabilities=["read:reports"],  # Only what's needed — not "read:*"
)

# Delegation MUST narrow, never widen
child = identity.delegate(
    name="chart-helper",
    capabilities=["read:reports:charts"],  # Subset of parent
)

Alignment with Other Frameworks¶