AI Agent Security
Cryptographic enforcement for autonomous AI agents. Two-process mandatory separation, signed receipts for every tool call, and offline-verifiable evidence for incident response.
The AI Agent Threat Landscape
Supply Chain Injection
Compromised dependencies, poisoned tool configurations, and malicious MCP server responses can subvert agent behavior before execution begins. Without sealed configuration baselines, injection is undetectable at runtime.
Silent Drift
Gradual behavioral divergence from an approved baseline goes undetected by periodic audits. Drift compounds over time: each small deviation shifts the agent further from its authorized operating envelope without triggering threshold-based alerts.
Tool-Call Authorization Gaps
Agents invoke tools without cryptographic proof of authorization. Permissions checked at deploy time do not survive runtime reconfiguration. No mechanism links a specific tool invocation back to a sealed authorization decision.
Forensic Evidence Gap
No tamper-evident record exists of what the agent actually did versus what it reported. Application logs are mutable, post-hoc, and share the same trust boundary as the agent itself. Incident response lacks chain-of-custody evidence.
Cryptographic Enforcement for AI Agent Security
The core enforcement primitive is a two-process mandatory separation boundary. The agent process handles inference, reasoning, and tool-call intent. A separate process, the Portal, holds all signing keys, enforces the sealed policy, and generates cryptographic receipts. The agent holds no keys and cannot bypass the Portal. Every action the agent takes must pass through the Portal before reaching external resources.
This is fundamentally different from application-level guardrails that share the same trust boundary as the agent. When guardrails run inside the agent process, a compromised agent can disable or circumvent them. The Portal operates as an independent enforcement point: it validates every tool call against the sealed configuration, blocks unauthorized actions, and writes signed proof of each decision. The agent cannot suppress or modify this evidence.
This architecture implements Cryptographic Runtime Governance for the agentic AI domain. For a full architecture walkthrough, see the technology page.
MCP Governance Architecture
Seal Tool Configs into Policy Artifact
Authorized tool names, parameter schemas, and invocation constraints are cryptographically sealed into a Policy Artifact before the agent executes. The sealed artifact is the single source of truth for what the agent is permitted to call. Any modification invalidates the signature.
Portal Intercepts and Validates
The Portal process intercepts every MCP tool call at the protocol level before it reaches an external resource. Each call is validated against the sealed configuration: tool name, parameters, and invocation context must match. Unauthorized calls are blocked. The agent never communicates directly with tool servers.
Signed Receipt per Invocation
Every validated tool call produces a signed receipt containing the tool name, parameter hash, timestamp, and authorization reference. Receipts are hash-linked into a tamper-evident continuity chain. The chain provides a complete, immutable audit trail of every tool interaction the agent performed.
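The three steps above, modelled as an added Python example that is not the product's code: a policy is sealed, a Portal object holds the only key and validates each call against it, and every decision (allowed or blocked) becomes a hash-linked, signed receipt. HMAC-SHA256 stands in for the Portal's signature so the block runs on the standard library alone; the artifact and receipt field layouts are constructed for illustration, and a real Portal would use an asymmetric key so verifiers need only the public half.

```python
import hashlib, hmac, json

# Constructed stand-in for the Portal's signing key; the agent process never holds it.
PORTAL_KEY = b"constructed-portal-signing-key"

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(data: bytes) -> str:
    return hmac.new(PORTAL_KEY, data, hashlib.sha256).hexdigest()

def seal_policy(tools: dict) -> dict:
    """Seal tool names and parameter schemas into a Policy Artifact (constructed layout)."""
    body = canonical(tools)
    return {"tools": tools, "policy_id": hashlib.sha256(body).hexdigest(), "sig": sign(body)}

def policy_intact(artifact: dict) -> bool:
    return hmac.compare_digest(sign(canonical(artifact["tools"])), artifact["sig"])

class Portal:
    """Holds the key, enforces the sealed policy, emits hash-linked receipts."""
    def __init__(self, artifact: dict):
        if not policy_intact(artifact):
            raise ValueError("sealed policy artifact has been modified")
        self.artifact, self.chain = artifact, []

    def invoke(self, tool: str, params: dict, ts: int) -> dict:
        schema = self.artifact["tools"].get(tool)
        allowed = schema is not None and set(params) == set(schema["params"])
        prev = self.chain[-1]["receipt_hash"] if self.chain else "0" * 64
        body = {"tool": tool, "param_hash": hashlib.sha256(canonical(params)).hexdigest(),
                "ts": ts, "decision": "allow" if allowed else "block",
                "policy_id": self.artifact["policy_id"], "prev": prev}
        receipt_hash = hashlib.sha256(canonical(body)).hexdigest()
        receipt = dict(body, receipt_hash=receipt_hash, sig=sign(receipt_hash.encode()))
        self.chain.append(receipt)  # blocked calls are evidence too
        return receipt

def verify_chain(chain: list, artifact: dict) -> bool:
    """Offline check: link continuity, per-receipt signatures, binding to the sealed policy."""
    prev = "0" * 64
    for r in chain:
        body = {k: v for k, v in r.items() if k not in ("receipt_hash", "sig")}
        if (r["prev"] != prev or r["policy_id"] != artifact["policy_id"]
                or hashlib.sha256(canonical(body)).hexdigest() != r["receipt_hash"]
                or not hmac.compare_digest(sign(r["receipt_hash"].encode()), r["sig"])):
            return False
        prev = r["receipt_hash"]
    return policy_intact(artifact)
```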
Evidence Generation for Incident Response
Every enforcement decision produces evidence structured for SOC and incident-response workflows. Evidence bundles contain the sealed Policy Artifact, the complete receipt chain, and Merkle inclusion proofs linking individual receipts to the continuity chain root. Bundles are self-contained: a responder can verify the entire chain of custody without access to the producing system.
Forensic verification is fully offline. Artifact signatures, receipt signatures, and Merkle proofs validate using standard cryptographic primitives with no network dependency. This satisfies chain-of-custody requirements for environments where evidence must be examined in air-gapped forensic labs. See offline verification for tooling details.
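An added example of the evidence-bundle mechanics described in the two paragraphs above, not the product's own tooling: a Merkle tree is built over receipt hashes, each receipt gets an inclusion proof, and a responder verifies the whole bundle offline with nothing but SHA-256. The five receipt hashes are constructed sample values; the leaf/node domain separation and the carry-up rule for an unpaired node are this example's conventions.

```python
import hashlib

# Constructed sample: in practice these are the receipt_hash values from the Portal's chain.
RECEIPTS = [hashlib.sha256(f"constructed-receipt-{i}".encode()).hexdigest() for i in range(5)]

def _leaf(receipt_hash: str) -> str:
    return hashlib.sha256(b"\x00" + bytes.fromhex(receipt_hash)).hexdigest()

def _node(left: str, right: str) -> str:
    # Domain separation: interior nodes and leaves hash differently.
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()

def _next_level(level: list) -> list:
    # An unpaired last node is carried up unchanged (no duplication).
    return [_node(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]

def merkle_root(receipt_hashes: list) -> str:
    level = [_leaf(h) for h in receipt_hashes]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(receipt_hashes: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    level, proof = [_leaf(h) for h in receipt_hashes], []
    while len(level) > 1:
        if index + 1 < len(level) or index % 2:  # node has a sibling at this level
            sib = index ^ 1
            proof.append((level[sib], "left" if sib < index else "right"))
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(receipt_hash: str, proof: list, root: str) -> bool:
    h = _leaf(receipt_hash)
    for sibling, side in proof:
        h = _node(sibling, h) if side == "left" else _node(h, sibling)
    return h == root

def build_bundle(receipt_hashes: list) -> dict:
    """Self-contained evidence bundle: root plus one inclusion proof per receipt."""
    return {"root": merkle_root(receipt_hashes), "receipts": list(receipt_hashes),
            "proofs": [inclusion_proof(receipt_hashes, i) for i in range(len(receipt_hashes))]}

def verify_bundle(bundle: dict) -> bool:
    """Offline check: every receipt proves inclusion under the bundle's root."""
    return all(verify_inclusion(h, p, bundle["root"])
               for h, p in zip(bundle["receipts"], bundle["proofs"]))
```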
Standards Alignment
OWASP Agentic AI Top 10
Addresses tool misuse, prompt injection, and unauthorized agent actions through sealed authorization and runtime enforcement.
NIST NCCoE AI Agent Identity
Two-process separation provides distinct identity boundaries for the agent and the enforcement layer, satisfying agent identity isolation requirements.
CoSAI
Signed receipt chains and evidence bundles align with the Coalition for Secure AI guidance on provable AI system behavior.
NIST AI RMF
Sealed artifacts map to Govern and Map functions; continuous measurement satisfies Measure; autonomous remediation addresses Manage.
EU AI Act Articles 9 & 12
Tamper-evident receipt chains and offline-verifiable evidence bundles satisfy risk management and automatic logging requirements for high-risk AI systems.
This is not a certification or compliance framework; it describes architectural design alignment only.