Agentic AI Security Guide

Security Maturity Assessment

Rate your agentic AI security posture across nine domains. Items are grouped into three tiers: Foundational (non-negotiable before production), Operational (within 90 days of deployment), and Advanced (leading practice from real-world assessments). Check what applies, share the results with your team.

1. Threat Modeling & Risk Awareness

F O A

Foundational

We have a documented threat model that includes agentic-specific risks: prompt injection, memory poisoning, tool misuse, and privilege escalation.

The threat model distinguishes between traditional LLM risks and agentic risks (persistent memory, tool access, multi-step workflows, inter-agent communication).

Indirect prompt injection (XPIA) is explicitly modeled for every data source agents ingest: RAG, emails, tool outputs, web content.

Operational

Threat models are reviewed and updated when agents gain new tools, data sources, or inter-agent communication paths.

Multi-step attack chains are explicitly modeled - sequences of individually harmless actions that combine into data exfiltration or privilege escalation.

Advanced

We have formally mapped our agentic threat model against the OWASP Agentic Top 10 (ASI01-ASI10) and identified coverage gaps.

We model AI-augmented attacks - threat actors using agentic AI to accelerate reconnaissance, credential harvesting, and lateral movement at machine speed.

2. Architecture & Design Principles

F O A

Foundational

The orchestration layer - not the model - enforces all security policies. Model outputs are advisory, not authoritative.

Each agent has a narrow, defined scope with a minimal tool set. No agent has broad "figure it out" latitude.

Defense-in-depth is applied at every boundary: UI, orchestration, tools, data, and infrastructure. Each layer assumes the layers above it may be compromised.

Operational

Plan-verify-execute or controlled breakpoints are used for high-risk actions. The model proposes, deterministic code decides.

Multi-agent workflows have schema-validated communication channels with explicit trust boundaries between agents.

Advanced

The "lethal trifecta" constraint is enforced: no single component ever has access to sensitive data, untrusted content, and broad network access simultaneously.

Least Agency is applied as a design principle - agents default to read-only mode and every write, external call, or code execution capability is individually justified and opt-in.

3. Identity & Access Control

F O A

Foundational

Every agent is a first-class identity with a unique ID, registered owner, defined environment, and risk level - not a shared service account.

RBAC and ABAC policies constrain which data and tools each agent can access, scoped per user and per tenant.

Agent credentials are never exposed to model context windows or client-side code. Secrets live in a centralized secrets manager.

Operational

High-privilege access is granted just-in-time with short-lived, task-scoped tokens that auto-expire on completion.

All privilege escalation events, delegation chains, and high-risk actions are logged with full identity attribution traceable to the originating user.

Advanced

Non-human identity governance is implemented at enterprise scale: agent identity lifecycle management, shadow agent detection, orphaned credential cleanup, and delegation chain auditing.

Behavioral baselines are calibrated for machine identity patterns (API call frequency, tool usage mix, request timing) rather than human UBA assumptions.

4. Orchestration & Tool Security

F O A

Foundational

Tools are atomic, single-purpose functions with server-side JSON schema validation on every invocation. No generic "run SQL" or "make HTTP request" tools.

Per-agent and per-tenant tool allowlists are enforced with default deny. If a tool is not on the list, the agent cannot call it.

High-impact tools (write, delete, transfer, execute) require human approval or propose-confirm flows before execution.

Operational

Network egress from agents and tool servers is restricted to approved endpoints only. No agent can reach arbitrary external services.

All MCP servers and plugins go through security review before production deployment and are registered in a centralized inventory.

Advanced

MCP servers are code-signed and schema-pinned. Tool descriptor changes trigger alerts. Automated discovery surfaces shadow MCP deployments not in the registry.

Defenses address the full MCP threat taxonomy: tool poisoning, full schema poisoning, resource content poisoning, impersonation/typosquatting, session ID leakage, and cross-component context poisoning.

5. Data, RAG & Memory

F O A

Foundational

Data is classified and access-controlled at the record and document level with tenant-aware filters.

We minimize what is sent to models - no secrets, no raw PII, no full tables when summaries suffice.

RAG ingestion includes content validation, and retrieval controls prevent untrusted content from overriding system instructions.

Operational

Memory stores have tiered security treatments (session, short-term, long-term) with promotion rules and poisoning detection.

PII and secrets are detected and redacted before storage. Retention and deletion policies meet regulatory requirements. Agents access data through mediation layers, never raw SQL.

Advanced

Cross-session memory poisoning is defended against: memory stores are segmented by user/tenant/task, writes carry provenance metadata, and periodic re-baselining removes unverified entries.

Agent outputs that are re-ingested as future context carry lower trust scores than primary source material. The system distinguishes between verified sources and its own prior outputs.

6. Frontend & UX Security

F O A

Foundational

Standard web security is in place: strong auth, CSRF protection, strict CSP, security headers, and hardened session management.

All model output is treated as untrusted. No raw model output touches the DOM via innerHTML or equivalent. Security-focused sanitization runs before rendering.

The UI clearly communicates agent capabilities and limitations. Domain-specific disclaimers are present for health, legal, and financial contexts.

Operational

Export and sharing flows (email, tickets, analytics) show users exactly what will be transmitted and apply PII/secret scrubbing before sending.

Users can flag harmful or incorrect outputs and escalate to humans. Feedback is tracked and routed to the right team.

Advanced

Diagram renderers, code blocks, and rich content from agents are rendered in sandboxed iframes with dedicated origins and strict CSP. Untrusted specs are stripped of HTML, event handlers, and link directives.

Prompt injection-aware UI design visually separates system content, user input, and external/untrusted content with distinct backgrounds and labels.

7. Infrastructure & Sandboxing

F O A

Foundational

Agent workloads run in hardened, least-privilege containers with network segmentation preventing direct access to core data stores.

A model gateway mediates all LLM traffic with authentication, rate limits, request/response logging, and provider credential management.

High-risk tools (code execution, file access) run in additional sandboxing (gVisor, Firecracker, Kata) with no default network access and strict resource limits.

Operational

Supply chain risks are managed: SBOMs for agent dependencies, vulnerability scanning, model version tracking, and provenance verification.

Cloud resources follow provider-specific security best practices: workload identity, managed key vaults, network policies, and service mesh with mTLS.

Advanced

All agent-generated code is treated as untrusted input: subject to static analysis before execution, run in ephemeral per-task environments destroyed after completion.

Control plane and data plane are strictly segregated. Agent runtime environments cannot access infrastructure management APIs or modify their own configuration.

8. Guardrails & Responsible AI

F O A

Foundational

Pre-input, mid-execution, and post-output guardrails are implemented as independent services, not as prompt instructions.

Responsible AI harm categories relevant to the use case have been assessed: toxicity, bias, misinformation, privacy violations, and domain-specific risks.

When a guardrail fires or a classifier is uncertain, the system defaults to block or escalate - not "allow and hope." Fail-safe, not fail-open.

Operational

Guardrails are configurable per product, per agent, and per domain. Different use cases get different strictness levels.

Bias and fairness considerations are explicitly addressed in sensitive contexts with regular evaluation and documented mitigations.

Advanced

Domain-specific constraints (financial regulations, clinical safety, legal privilege, security classification) are encoded as deterministic policies, not model-dependent behavior.

Hallucination and grounding checks run on every output where correctness is critical. Agents cite sources and confidence is tracked as a measurable metric.

9. Monitoring, IR & Testing

F O A

Foundational

End-to-end structured audit logging captures identity, request, actions, and outcome for every agent interaction in immutable stores.

AI-specific incident response runbooks are defined for data leakage, tool misuse, memory poisoning, and harmful outputs - integrated with existing security operations.

Automated security tests (prompt injection, tool authorization, data isolation, RAI harms) run in CI/CD pipelines and catch regressions before deployment.

Operational

Behavioral baselines and anomaly detection monitor agents in production. Alerts fire for injection attempts, tool misuse patterns, data exfiltration signals, and behavioral drift.

Periodic adversarial red teaming is performed, including AI-specific attack scenarios. Findings feed back into automated test suites and guardrail updates.

Advanced

Decision-layer forensics are in place: full reasoning context, tool selection rationale, and goal state changes are logged. Agentic IR includes automated containment triggers and memory store preservation before re-baselining.

Testing covers agentic-specific scenarios: multi-step attack chains across agent boundaries, cross-session memory poisoning, cascading failure simulation, supply chain integrity, and goal drift over extended interactions.

Want a professional assessment?

This self-assessment is a starting point. We perform in-depth agentic AI security assessments that go deeper than any checklist - testing the attack paths your team hasn't thought of yet.

Talk to us

Agentic AI Security Guide V1.1 · Changelog