Overview
The first two proofs in this chapter answered a threat model and a requirements framework. This one answers the checklist. When a security team reviews an agent deployment, the framing on the table is usually OWASP’s: the Agentic AI Threats and Mitigations taxonomy from the GenAI Security Project, fifteen threats spanning single agents, multi-agent systems, and the humans around them, alongside the older Top 10 for LLM Applications. If the handbook cannot state its position against that list, threat by threat, the reviewer is right to treat it as unevaluated.
A crosswalk that claims everything has been fitted, not tested, so this one grades itself with three verdicts and accepts the tally it gets:
| Verdict | What it means |
|---|---|
| Contained | The threat lands on machinery built for it: a structural control with a draft behind it |
| Bounded | The cause is out of authorization’s reach, but the blast radius is capped at the action gate |
| Delegated | Not an authorization problem: a named complement owns it, and the handbook composes with it |
The distinction that drives most rows is the one the trifecta post established: the authorization layer does not make the model resistant to anything. It makes the model’s compromise survivable, because authority was fixed at approval and every consequential action is checked against it fresh. Threats that attack authority are contained. Threats that attack the model, its memory, or its inputs are bounded, because a fully fooled agent still cannot out-argue a parameter check. Threats that attack layers the handbook never claimed are delegated, by name.
The Agentic Threats, All Fifteen
| Threat | The attack | The handbook’s answer | Verdict |
|---|---|---|---|
| T1 Memory Poisoning | Persistent memory is seeded with malicious data that steers future behavior | Poisoned memory can steer proposals, not authority: shaping fails closed on ambiguity, and every consequential action still needs a fresh parameter-bound permit against the approved Mission | Bounded |
| T2 Tool Misuse | The agent’s own tools are driven to unauthorized or harmful invocations | Per-action PEP/PDP enforcement with parameters bound into the permit, applied at the tool boundary by the MCP application post | Contained |
| T3 Privilege Compromise | Permissions escalate beyond what the task requires | Narrowing: every derivation is a strict subset of the Mission’s Authority Set, Child Missions only narrow, and there is no ambient inheritance to escalate into | Contained |
| T4 Resource Overload | Unbounded agent activity exhausts compute, API, or financial budgets | expires_at on every Mission, fan-out bounded by count and depth, and Consumption Metering (experimental) for spend | Bounded |
| T5 Cascading Hallucination Attacks | False content propagates through memory, messages, and downstream systems | Authorization does not verify truth. It gates consequence: hallucinated content can only reach the world through consequential actions, each needing its own permit | Bounded |
| T6 Intent Breaking and Goal Manipulation | Injection or instruction manipulation redirects the agent’s objectives | The enemy sentence, answered: the injected goal cannot widen the committed one, because the PDP checks actions against the approved Mission, not against the agent’s current intent | Contained |
| T7 Misaligned and Deceptive Behaviors | The agent acts against its intended purpose or conceals what it does | Deception is not detected, it is out-evidenced: only approved action classes execute, and Decision and Execution Evidence come from the gate, not from the agent’s self-report | Bounded |
| T8 Repudiation and Untraceability | Actions cannot be reliably attributed or audited | Attribution end to end: the act chain on every hop, the evidence family joined on mission_id, and SCITT keeping the feed tamper-evident | Contained |
| T9 Identity Spoofing and Impersonation | Attackers assume an agent’s identity or abuse non-human authentication | Attested instance identity, sender-constrained tokens, and mediated custody keeping the credential out of the agent entirely for mediated classes | Contained |
| T10 Overwhelming the Human in the Loop | Approval volume is weaponized until humans rubber-stamp | Humans approve Missions, machines approve actions: the grain keeps human decisions rare and consequential, with deferred approval and the batched discovery loop absorbing the volume | Bounded |
| T11 Unexpected RCE and Code Attacks | Tool invocations achieve code execution | Sandboxing owns execution. The handbook gates what executed code can reach: consequential effects still need permits, and capabilities are bound to source digests with drift failing closed | Bounded |
| T12 Agent Communication Poisoning | Malicious instructions ride inter-agent messages | Messages can lie, authority cannot: influence carries no authority between agents, because delegation only narrows and every hop is enforced against its own Child Mission | Bounded |
| T13 Rogue Agents | A compromised agent inside the system acts maliciously | A rogue instance holds only mission-bound, instance-bound, revocable authority, and Termination cascades through the delegation tree to issuance, permits, and the harness | Contained |
| T14 Human Attacks on Multi-Agent Systems | Operators are manipulated into enabling harm | Social engineering is out of authorization’s reach. What holds: a manipulated operator can still only approve what shaping renders, and the approval is attributed to them | Bounded |
| T15 Human Manipulation | The agent deceives its own human into approving or enabling harm | Consent Evidence commits the disclosure as rendered, so the record shows exactly what the human saw. An accurately disclosed bad idea remains the human’s decision, and the record says so | Bounded |
Six contained, nine bounded, none waved away. The tally is the honest shape of an authorization layer: the threats that attack authority (tools, privilege, goals, attribution, identity, rogue delegates) land on machinery built for them, and the threats that attack the model or the humans are capped rather than cured, because capping is what a deterministic gate can truthfully offer.
The LLM Top 10, Split Honestly
The Top 10 for LLM Applications predates the agentic taxonomy and mixes layers, which makes it the better test of the delegated verdict. Half of it is not an authorization problem, and saying so is the point:
| Entry | The handbook’s answer | Verdict |
|---|---|---|
| LLM01 Prompt Injection | The trifecta post carries this end to end: the injected instruction cannot widen committed authority, and the external leg needs a fresh parameter-bound permit | Bounded |
| LLM02 Sensitive Information Disclosure | Exposure discipline: bound what the agent may see as deliberately as what it may do, and mediated custody keeps credentials out of the leakable set | Bounded |
| LLM03 Supply Chain | Model and dependency provenance, owned by the software supply chain. One authorization-shaped edge: capabilities bound to source digests fail closed on drift | Delegated |
| LLM04 Data and Model Poisoning | Training and embedding pipeline security, upstream of any authorization decision | Delegated |
| LLM05 Improper Output Handling | Output is only dangerous when it acts. The consequential boundary is where the handbook stands, and nothing crosses it without a permit | Bounded |
| LLM06 Excessive Agency | The direct hit: the entire handbook is the treatment for this entry | Contained |
| LLM07 System Prompt Leakage | Moot by design: authority lives in the Mission and its tokens, not in the prompt, so a leaked prompt discloses instructions, not power | Delegated |
| LLM08 Vector and Embedding Weaknesses | Retrieval pipeline security. What retrieval returns is untrusted content, and the taint response treats it that way | Delegated |
| LLM09 Misinformation | Content truth is semantic, and the gate is structural | Delegated |
| LLM10 Unbounded Consumption | Expiry on every Mission and metering (experimental) on spend | Bounded |
LLM06 deserves the sentence. OWASP’s mitigations for Excessive Agency read like this handbook’s table of contents: minimize the extensions and their permissions, avoid open-ended functions, require human approval for high-impact actions, enforce authorization in downstream systems rather than trusting the model, and log everything. The handbook is what happens when that advice stops being a bullet list and becomes one architecture with wire drafts behind it.
Three Threats Worth a Closer Look
Intent breaking is the taxonomy’s center, and the handbook’s enemy. T6 is prompt injection grown up: the attacker does not need to breach anything, only to change what the agent is trying to do. Every mitigation that asks the model to notice the manipulation is probabilistic. The handbook’s answer is the same one it gives the trifecta: the injection changed the agent’s mind, and the agent’s mind was never the source of authority. The Mission was committed at approval, the permit is checked at execution, and between those two points there is nothing the injected goal can rewrite. Approval is a moment, work is a span, and the span is policed against the moment.
Overwhelming the human in the loop is an argument about grain. T10 is the taxonomy’s sharpest design question, because both naive answers lose: approve every action and fatigue turns humans into rubber stamps, approve nothing and governance is gone. The handbook’s grain is the Mission. A human approves the envelope once, against a committed disclosure, and the per-action volume goes to the PDP, which does not tire. When the work outgrows the envelope, the discovery loop batches the overflow into a governed expansion request instead of a stream of interrupts. The residual is real and stated: at Mission grain, approval fatigue becomes a governance discipline rather than a solved problem, and disclosure quality is what stands between an approver and a reflex.
A rogue agent is an insider, and every agent here is treated as one. T13 assumes the attacker is already inside the system, wearing a legitimate agent. The handbook never trusted that agent more than its paperwork: its authority is a strict subset of its parent’s, its tokens are bound to its attested instance so they do not travel, its consequential actions need permits like everyone else’s, and when it is caught, revocation cascades through the delegation tree it belongs to. The multi-agent threats (T12 through T14) all get the same structural reply: cooperation happens in messages, but authority never does.
What the Crosswalk Does Not Claim
- Bounded is not prevented. For every bounded row the cause is untouched: the memory is still poisoned, the model is still fooled, the human is still tired. The gate caps what the compromise can reach, and that is the whole claim.
- The verdicts are only as strong as PEP coverage. An unmediated path is a threat with no verdict at all. The adversary model says this in writing: name your enforcement scope, and count your ATMs.
- The enforcement is structural, not semantic. An in-bounds action can still be a bad idea. The classes where content is the harm belong under action-bound human approval.
- The delegated rows are real dependencies. Supply chain, poisoning, retrieval security, and sandboxing are layers the handbook composes with and cannot replace. A deployment that skips them has a contained authorization layer inside an uncontained system.
- Inside the approved scope, a turned agent is still turned. Tight scope and short expiry are what keep that sentence tolerable.
The taxonomy’s own mitigation columns keep converging on the same words: least privilege, human approval, complete mediation, audit trails. Those are adjectives until something turns them into verifiable artifacts. The crosswalk above is what that looks like, and the tally, six contained and nine bounded, is what an honest authorization layer scores against a framing its authors did not choose. For the reviewer holding this list against any other proposal, the vendor test asks the six questions that separate a verdict from a hand-wave.