Risk
Failure to Specify or Enforce Secure Agent Posture
Description
Security, privacy, identity, scope, and operational requirements are not specified or enforced as a posture floor for agents being built, resulting in insecure-by-default agents.
Example
An agent is built without a defined identity, tool-allowlist, or memory-isolation requirement, inheriting whatever the platform provides by default.
Assets Affected
AI Agent
Agent Config
Agent Identity
Tool
Framework
Mitigation
- Specify and document a posture floor including identity baseline, tool-scope baseline, memory configuration, and human-oversight requirements
- validate agents against the posture floor during build
- involve AppSec and GRC in posture review.
Standards Mapping
- ISO: A.6.2.2, A.6.1.2
- OWASP agentic: ASI03, ASI10
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 15, Art. 9
- DASF: Agents-Core 13.7, Operations 11.1
- AIUC-1: B006, E004