OWASP Compliance¶
AGT maps to three OWASP standards relevant to agentic AI systems.
| Standard | Scope | Coverage |
|---|---|---|
| OWASP Agentic Security Initiative (ASI) Top 10 | Agent-specific attack classes — prompt injection, tool misuse, privilege escalation, data exfiltration | Full reference architecture with per-risk AGT controls |
| OWASP ASI Policy-Rule Mapping | Cedar/OPA policy rules that enforce each ASI control | Machine-readable policy stubs per ASI risk |
| OWASP LLM Top 10 | LLM application risks — training data poisoning, insecure output, model theft, etc. | 9 of 10 risks detected; enforcement gap noted for 6 |
| OWASP MCP Top 10 | MCP protocol attack surface — server impersonation, tool injection, credential leakage | cMCP gateway + Agent Manifest cover the full attack surface |
AGT security controls by OWASP category¶
Prompt Injection (ASI-01 / LLM-01)¶
AGT enforces at the tool-call boundary, not the prompt layer. Injected instructions that attempt to call unauthorized tools are blocked by the Cedar policy engine before execution — the prompt content is irrelevant to the enforcement decision.
Relevant: MCP Security Gateway tutorial · Prompt Injection Detection tutorial
Excessive Agency / Privilege Escalation (ASI-02 / ASI-03)¶
Agent Manifest carries the authorized scope. cMCP evaluates scope against Cedar policy on every tool call. Delegation chains enforce trust ceilings — a delegated agent cannot exceed the permissions of its delegator.
Relevant: Delegation Chains tutorial · ADR-0016: Trust Ceiling Propagation
Audit and Tamper Evidence (ASI-07)¶
TRACE records are IETF RATS/EAT-compliant attestation evidence produced for every governed action. Records are chained via Merkle tree — any tampering breaks the chain. When produced inside an Opaque TEE, the signing key is hardware-rooted and cannot be forged even by a compromised platform.
Relevant: ADR-0017: Merkle Audit Chain · Audit & Compliance tutorial
Tool and Plugin Security (OWASP MCP Top 10)¶
The cMCP gateway intercepts all tool calls before they reach MCP servers. Server impersonation is blocked by mutual TLS + Agent Manifest verification. Tool injection (a server returning malicious tool definitions) is blocked by Cedar policy evaluation against the allowed tool schema.
Relevant: OWASP MCP Top 10 mapping · MCP Trust Guide
Scope note: This page covers the runtime security controls that address OWASP risks. For compliance framework mapping (EU AI Act, NIST AI RMF, SOC 2, ISO 42001), see the Compliance section.