SAIL 2.0

/

Build - AI Security Posture Management

/

Failure to Specify or Enforce Secure Agent Posture

3.10

.

Failure to Specify or Enforce Secure Agent Posture

sail
3.10
Risk

Failure to Specify or Enforce Secure Agent Posture

Description

Security, privacy, identity, scope, and operational requirements are not specified or enforced as a posture floor for agents being built, resulting in insecure-by-default agents.

Example

An agent is built without a defined identity, tool-allowlist, or memory-isolation requirement, inheriting whatever the platform provides by default.

Assets Affected

AI Agent

Agent Config

Agent Identity

Tool

Framework

Mitigation
  • Specify and document a posture floor including identity baseline, tool-scope baseline, memory configuration, and human-oversight requirements
  • validate agents against the posture floor during build
  • involve AppSec and GRC in posture review.
Standards Mapping
  • ISO: A.6.2.2, A.6.1.2
  • OWASP agentic: ASI03, ASI10
  • OWASP LLM: LLM06:2025
  • EU AI Act: Art. 15, Art. 9
  • DASF: Agents-Core 13.7, Operations 11.1
  • AIUC-1: B006, E004