Zero Trust,
Verified.

Why it matters

Identity is the foundation every other control rests on. Without a verifiable, cryptographically-rooted identity for each agent, you cannot attribute an action, enforce who may do what, or reconstruct an incident — agents operate in an attribution gap where least agency is impossible. Labels can be forged; cryptographic identity is what makes non-repudiation real.

Framework intent — give every agent instance a persistent identifier backed by cryptographic material, tracked from creation to retirement.

An agent's identity can be attributed, scoped, and revoked — it is a cryptographic fact, not a label that can be spoofed.

Known gapHardware attestation (TPM/HSM remote attestation of agent integrity) is the remaining step to a clean Advanced; the CA is KMS-rooted but workloads are not yet hardware-attested.

Why it matters

Establishing identity is only half the problem — an agent must also prove that identity to every database, API, and service it touches. Static API keys and shared service-account passwords are among the first things AI-assisted code analysis finds in a repository; they no longer count as a baseline. Short-lived, narrowly-scoped tokens shrink the window in which a stolen credential is worth anything.

Framework intent — short-lived tokens from an identity provider, with automatic refresh and no credentials embedded in code.

A stolen token expires in minutes and a rotated refresh family revokes itself on replay — theft buys a vanishing window, not standing access.

Known gapNo online certificate revocation (CRL/OCSP) yet — edge-certificate revocation is currently a database operation. Short-lived certs mitigate, but this is a friction control, not a hard barrier.

Why it matters

A perfectly authenticated agent still causes damage if it holds excessive permissions. Least agency — the agentic extension of least privilege — restricts not just what an agent can reach but what each tool may do, how often, and where. Standing permissions granted at deployment create permanent exposure; scoping them to the task at hand contains the blast radius.

Framework intent — deny-by-default RBAC, advancing to context-aware ABAC and just-in-time, auto-expiring access.

An agent holds the permissions its task needs and no more — and a tool that quietly changes shape is re-gated, not silently trusted.

Known gapAuthorization is largely evaluated at issuance; continuous per-action re-evaluation and just-in-time elevation with auto-expiry are the Advanced increments. Mid-token revocation is not yet wired.

Why it matters

Containment assumes breach. When one agent is compromised, isolation decides whether the damage stops there or pivots into adjacent systems. Identity-based isolation — each service accepting only the specific callers its policy names — is the real boundary; network segmentation is a backstop an agentic attacker will grind through. Server-side request forgery and confused-deputy pivots are the failure modes this closes.

Framework intent — identity-based isolation first, sandboxed execution next, hardware isolation at the top tier.

A cloud-side request to a customer-internal endpoint isn't throttled — it returns “unreachable.” The network path does not exist.

Known gapHardware/confidential-compute isolation of agent workloads (the Advanced tier) is not implemented; isolation today is identity- and network-based.

Why it matters

Access controls prevent unauthorized actions; observability tells you what actually happened. Without comprehensive, tamper-evident logs you cannot prove a control worked, investigate an incident, or satisfy a regulator. Agentic attacks often succeed through quiet persistence rather than a loud exploit — and only an audit trail will surface that.

Framework intent — comprehensive action logs, advancing to immutable trails and real-time correlation, with traceability linking each action to its trigger.

Any audited action can be cryptographically proven untampered, by an auditor, with no access to the platform that produced it.

Known gapImmutable storage is signature-based plus partitioning; true WORM is operator-side. Native SIEM streaming is bring-your-own-consumer, and the agent loop lacks explicit span instrumentation.

Why it matters

Logs are the raw material; detection is knowing what “normal” looks like and noticing when an agent drifts from it. The hardest agentic threats — memory poisoning, slow supply-chain compromise — move gradually, with no single action that trips a rule. The question every security team should be able to answer: would we know within an hour if an agent went rogue?

Framework intent — establish baselines, detect anomalies, and contain at machine speed with automated, scoped response.

Today these raise an attacker's cost but don't autonomously contain — friction, not a barrier.

Known gap — disclosedAnomaly detectors are framework-present but not yet registered in production, and response is operator-initiated. Roadmap: register baseline detectors and wire automated containment into the existing revocation paths — activation work on built infrastructure, not greenfield. This is the platform's most material gap.

Why it matters

Models cannot reliably tell instructions from data — which is exactly what makes indirect prompt injection so effective: a malicious instruction hidden in a web page or document the agent simply reads. Input validation rejects manipulation at the boundary; output filtering stops sensitive data leaving even after a compromise. High-risk actions get a human in the loop.

Framework intent — layered input validation and spotlighting, output filtering for sensitive data, and human approval for high-risk actions.

Untrusted content is delimited and marked as untrusted before the model sees it; sensitive data is caught on the way out, on both the cloud and edge paths.

Known gapHuman-in-the-loop review lives in the Control Plane today; extending enforced approval gates across every high-risk agent path — including the guard and AARM flows — is the Advanced increment.

Why it matters

An attacker who cannot manipulate an agent's inputs will target its configuration instead — and a modified config can disable a control or widen permissions just as effectively as a code vulnerability, often more easily. Signing configurations and verifying them before (and after) deployment makes tampering a rejected operation rather than a detected one.

Framework intent — version-controlled configs, advancing to signed-and-verified deployment and immutable infrastructure.

A tampered bundle is rejected, not flagged. The capability to ship altered policy to an edge does not exist — impossible, not tedious.

Known gapNone material at this tier. Secrets-rotation automation is the next increment.