Risk
Missing Action-Level Authorization at Runtime
Description
Actions are not authorized per invocation; only session-level auth is enforced, letting an agent chain unrestricted actions after one valid session check.
Example
An agent passes session auth, then chains 200 tool invocations including high-sensitivity actions; none is individually authorized at runtime.
Assets Affected
AI Agent
Tool
AI Policy
Agent Communication Protocol (ACP)
Mitigation
- Per-action authorization at runtime
- classify actions by sensitivity and route high-sensitivity through secondary auth or HITL
- align runtime gates with build-time policy.
Standards Mapping
- ISO: A.9.4, A.6.2.5
- OWASP agentic: ASI02, ASI03
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 14, Art. 15(5)
- DASF: Model Serving 9.13, Agents-MCP Server 13.22
- AIUC-1: B006, D003