Version History

A record of all substantive updates to the Agentic AI Security Guide. Published by Casaba Security.

V1.2 - April 2026

Sections updated: Risk Landscape, Data/RAG/Memory, Orchestration and Tools, Frontend and UX, Guardrails and RAI, References.

Extended cross-prompt injection attack (XPIA) coverage with a breakdown of injection attack vectors organized by where they enter the agent's operational cycle. Added latent memory poisoning and contextual learning trap distinctions to the memory security section. Added agent-aware dynamic cloaking as a seventh MCP threat category. Added web-standard obfuscation as a specific test target for agent-facing interface reviews. Added human oversight as an attack surface to the guardrails section. All five additions cite Franklin et al. (2025), "AI Agent Traps," SSRN preprint, Google DeepMind.

V1.1 - April 2026

Sections updated: Risk Landscape, Core Principles, Identity and Access, Orchestration and Tools, Data/RAG/Memory, Infrastructure, Monitoring and Incident Response, SDLC and Testing.

New pages: References, Changelog.

Added OWASP Agentic Top 10 mapping, MCP security coverage (1,000+ words), non-human identity governance, Least Agency and Strong Observability as core principles, agentic incident response practices, and agentic-specific testing methodology. Introduced per-section citations with a master references page. Added version labeling across the guide.

V1.0 - December 2025

All sections.

Initial publication. Covers risk landscape, core design principles, secure architecture, identity and access control, frontend and UX security, orchestration and tool security, data/RAG/memory security, guardrails and responsible AI, infrastructure and sandboxing, monitoring and incident response, secure SDLC and testing, and a security checklist.

