Overview

The first two proofs in this chapter answered a threat model and a requirements framework. This one answers the checklist. When a security team reviews an agent deployment, the framing on the table is usually OWASP’s: the Agentic AI Threats and Mitigations taxonomy from the GenAI Security Project, fifteen threats spanning single agents, multi-agent systems, and the humans around them, alongside the older Top 10 for LLM Applications. If the handbook cannot state its position against that list, threat by threat, the reviewer is right to treat it as unevaluated.

A crosswalk that claims everything has been fitted, not tested, so this one grades itself with three verdicts and accepts the tally it gets:

VerdictWhat it means
ContainedThe threat lands on machinery built for it: a structural control with a draft behind it
BoundedThe cause is out of authorization’s reach, but the blast radius is capped at the action gate
DelegatedNot an authorization problem: a named complement owns it, and the handbook composes with it

The distinction that drives most rows is the one the trifecta post established: the authorization layer does not make the model resistant to anything. It makes the model’s compromise survivable, because authority was fixed at approval and every consequential action is checked against it fresh. Threats that attack authority are contained. Threats that attack the model, its memory, or its inputs are bounded, because a fully fooled agent still cannot out-argue a parameter check. Threats that attack layers the handbook never claimed are delegated, by name.

The Agentic Threats, All Fifteen

ThreatThe attackThe handbook’s answerVerdict
T1 Memory PoisoningPersistent memory is seeded with malicious data that steers future behaviorPoisoned memory can steer proposals, not authority: shaping fails closed on ambiguity, and every consequential action still needs a fresh parameter-bound permit against the approved MissionBounded
T2 Tool MisuseThe agent’s own tools are driven to unauthorized or harmful invocationsPer-action PEP/PDP enforcement with parameters bound into the permit, applied at the tool boundary by the MCP application postContained
T3 Privilege CompromisePermissions escalate beyond what the task requiresNarrowing: every derivation is a strict subset of the Mission’s Authority Set, Child Missions only narrow, and there is no ambient inheritance to escalate intoContained
T4 Resource OverloadUnbounded agent activity exhausts compute, API, or financial budgetsexpires_at on every Mission, fan-out bounded by count and depth, and Consumption Metering (experimental) for spendBounded
T5 Cascading Hallucination AttacksFalse content propagates through memory, messages, and downstream systemsAuthorization does not verify truth. It gates consequence: hallucinated content can only reach the world through consequential actions, each needing its own permitBounded
T6 Intent Breaking and Goal ManipulationInjection or instruction manipulation redirects the agent’s objectivesThe enemy sentence, answered: the injected goal cannot widen the committed one, because the PDP checks actions against the approved Mission, not against the agent’s current intentContained
T7 Misaligned and Deceptive BehaviorsThe agent acts against its intended purpose or conceals what it doesDeception is not detected, it is out-evidenced: only approved action classes execute, and Decision and Execution Evidence come from the gate, not from the agent’s self-reportBounded
T8 Repudiation and UntraceabilityActions cannot be reliably attributed or auditedAttribution end to end: the act chain on every hop, the evidence family joined on mission_id, and SCITT keeping the feed tamper-evidentContained
T9 Identity Spoofing and ImpersonationAttackers assume an agent’s identity or abuse non-human authenticationAttested instance identity, sender-constrained tokens, and mediated custody keeping the credential out of the agent entirely for mediated classesContained
T10 Overwhelming the Human in the LoopApproval volume is weaponized until humans rubber-stampHumans approve Missions, machines approve actions: the grain keeps human decisions rare and consequential, with deferred approval and the batched discovery loop absorbing the volumeBounded
T11 Unexpected RCE and Code AttacksTool invocations achieve code executionSandboxing owns execution. The handbook gates what executed code can reach: consequential effects still need permits, and capabilities are bound to source digests with drift failing closedBounded
T12 Agent Communication PoisoningMalicious instructions ride inter-agent messagesMessages can lie, authority cannot: influence carries no authority between agents, because delegation only narrows and every hop is enforced against its own Child MissionBounded
T13 Rogue AgentsA compromised agent inside the system acts maliciouslyA rogue instance holds only mission-bound, instance-bound, revocable authority, and Termination cascades through the delegation tree to issuance, permits, and the harnessContained
T14 Human Attacks on Multi-Agent SystemsOperators are manipulated into enabling harmSocial engineering is out of authorization’s reach. What holds: a manipulated operator can still only approve what shaping renders, and the approval is attributed to themBounded
T15 Human ManipulationThe agent deceives its own human into approving or enabling harmConsent Evidence commits the disclosure as rendered, so the record shows exactly what the human saw. An accurately disclosed bad idea remains the human’s decision, and the record says soBounded

Six contained, nine bounded, none waved away. The tally is the honest shape of an authorization layer: the threats that attack authority (tools, privilege, goals, attribution, identity, rogue delegates) land on machinery built for them, and the threats that attack the model or the humans are capped rather than cured, because capping is what a deterministic gate can truthfully offer.

The LLM Top 10, Split Honestly

The Top 10 for LLM Applications predates the agentic taxonomy and mixes layers, which makes it the better test of the delegated verdict. Half of it is not an authorization problem, and saying so is the point:

EntryThe handbook’s answerVerdict
LLM01 Prompt InjectionThe trifecta post carries this end to end: the injected instruction cannot widen committed authority, and the external leg needs a fresh parameter-bound permitBounded
LLM02 Sensitive Information DisclosureExposure discipline: bound what the agent may see as deliberately as what it may do, and mediated custody keeps credentials out of the leakable setBounded
LLM03 Supply ChainModel and dependency provenance, owned by the software supply chain. One authorization-shaped edge: capabilities bound to source digests fail closed on driftDelegated
LLM04 Data and Model PoisoningTraining and embedding pipeline security, upstream of any authorization decisionDelegated
LLM05 Improper Output HandlingOutput is only dangerous when it acts. The consequential boundary is where the handbook stands, and nothing crosses it without a permitBounded
LLM06 Excessive AgencyThe direct hit: the entire handbook is the treatment for this entryContained
LLM07 System Prompt LeakageMoot by design: authority lives in the Mission and its tokens, not in the prompt, so a leaked prompt discloses instructions, not powerDelegated
LLM08 Vector and Embedding WeaknessesRetrieval pipeline security. What retrieval returns is untrusted content, and the taint response treats it that wayDelegated
LLM09 MisinformationContent truth is semantic, and the gate is structuralDelegated
LLM10 Unbounded ConsumptionExpiry on every Mission and metering (experimental) on spendBounded

LLM06 deserves the sentence. OWASP’s mitigations for Excessive Agency read like this handbook’s table of contents: minimize the extensions and their permissions, avoid open-ended functions, require human approval for high-impact actions, enforce authorization in downstream systems rather than trusting the model, and log everything. The handbook is what happens when that advice stops being a bullet list and becomes one architecture with wire drafts behind it.

Three Threats Worth a Closer Look

Intent breaking is the taxonomy’s center, and the handbook’s enemy. T6 is prompt injection grown up: the attacker does not need to breach anything, only to change what the agent is trying to do. Every mitigation that asks the model to notice the manipulation is probabilistic. The handbook’s answer is the same one it gives the trifecta: the injection changed the agent’s mind, and the agent’s mind was never the source of authority. The Mission was committed at approval, the permit is checked at execution, and between those two points there is nothing the injected goal can rewrite. Approval is a moment, work is a span, and the span is policed against the moment.

Overwhelming the human in the loop is an argument about grain. T10 is the taxonomy’s sharpest design question, because both naive answers lose: approve every action and fatigue turns humans into rubber stamps, approve nothing and governance is gone. The handbook’s grain is the Mission. A human approves the envelope once, against a committed disclosure, and the per-action volume goes to the PDP, which does not tire. When the work outgrows the envelope, the discovery loop batches the overflow into a governed expansion request instead of a stream of interrupts. The residual is real and stated: at Mission grain, approval fatigue becomes a governance discipline rather than a solved problem, and disclosure quality is what stands between an approver and a reflex.

A rogue agent is an insider, and every agent here is treated as one. T13 assumes the attacker is already inside the system, wearing a legitimate agent. The handbook never trusted that agent more than its paperwork: its authority is a strict subset of its parent’s, its tokens are bound to its attested instance so they do not travel, its consequential actions need permits like everyone else’s, and when it is caught, revocation cascades through the delegation tree it belongs to. The multi-agent threats (T12 through T14) all get the same structural reply: cooperation happens in messages, but authority never does.

What the Crosswalk Does Not Claim

  • Bounded is not prevented. For every bounded row the cause is untouched: the memory is still poisoned, the model is still fooled, the human is still tired. The gate caps what the compromise can reach, and that is the whole claim.
  • The verdicts are only as strong as PEP coverage. An unmediated path is a threat with no verdict at all. The adversary model says this in writing: name your enforcement scope, and count your ATMs.
  • The enforcement is structural, not semantic. An in-bounds action can still be a bad idea. The classes where content is the harm belong under action-bound human approval.
  • The delegated rows are real dependencies. Supply chain, poisoning, retrieval security, and sandboxing are layers the handbook composes with and cannot replace. A deployment that skips them has a contained authorization layer inside an uncontained system.
  • Inside the approved scope, a turned agent is still turned. Tight scope and short expiry are what keep that sentence tolerable.

The taxonomy’s own mitigation columns keep converging on the same words: least privilege, human approval, complete mediation, audit trails. Those are adjectives until something turns them into verifiable artifacts. The crosswalk above is what that looks like, and the tally, six contained and nine bounded, is what an honest authorization layer scores against a framing its authors did not choose. For the reviewer holding this list against any other proposal, the vendor test asks the six questions that separate a verdict from a hand-wave.