AI Security Documentation. Aligned with OWASP GenAI Security Project.

AI Security & Trust

Honest security documentation for security engineers and CISOs

What CapiscIO protects, what it does not, and how we map to OWASP Top 10 for Agentic Applications 2026.

OWASP Top 10 for Agentic Applications (2026)

OWASP Agentic Security Coverage

How CapiscIO addresses the OWASP Top 10 for Agentic Applications 2026 threats

| OWASP Risk | Description | CapiscIO Coverage |
|---|---|---|
| AG01: Agent Identity Spoofing | Attacker impersonates a trusted agent | Direct |
| AG02: Tool Misuse | Agents invoke tools with malicious parameters | Partial |
| AG03: Excessive Agency | Agent performs actions beyond intended scope | Partial |
| AG04: Resource Exhaustion | Runaway agents consume excessive resources | - |
| AG05: Insufficient Sandboxing | Agents escape execution boundaries | Roadmap |
| AG06: Communication Tampering | Inter-agent messages modified in transit | Direct |
| AG07: Replay Attacks | Valid requests captured and repeated | Direct |
| AG08: Model Inversion | Extracting training data via queries | - |
| AG09: Prompt Injection | Malicious inputs hijack agent behavior | - |
| AG10: Audit Trail Gaps | Missing or insufficient logging | Direct |

Summary: 4 direct coverage, 2 partial coverage, 1 on roadmap (RFC-005), 3 out of scope.

Threat Model

CapiscIO Guard addresses specific threats in agent-to-agent communication

Agent Spoofing
Mitigated by RFC-001/002/006/007

Threat: An attacker impersonates a trusted agent (e.g., "billing-agent") to trigger unauthorized actions.

Mitigation: When Guard is deployed, it verifies Ed25519 signatures on incoming A2A requests. RFC-006 extends this to MCP tool invocations with per-call authorization. RFC-007 enables mutual authentication so clients can verify MCP server identity.

Replay Attacks
Mitigated by RFC-001/003

Threat: An attacker captures a valid signed request and replays it multiple times.

Mitigation: Strict iat/exp timestamp validation with a 60-second default window and 5-second clock skew tolerance. Requests outside this window are rejected.

Payload Tampering
Mitigated by RFC-001/003

Threat: A man-in-the-middle modifies the request body (e.g., changes transfer amount) after signing.

Mitigation: The signature covers a SHA-256 hash of the body (bh claim). Any modification to the body invalidates the signature.

Delegated Authority Abuse
RFC-004 Roadmap

Threat: An agent delegates authority to a sub-agent, which then exceeds its granted scope.

Future: RFC-004 introduces chain-of-custody tracing to verify delegation chains and detect missing or unauthorized hops.

Shadow Agents
RFC-004 Roadmap

Threat: Agents are deployed without registration, making them invisible to governance and audit.

Future: RFC-004 enables telemetry reconstruction to detect unregistered agents participating in flows.

Policy Violations
RFC-005 Planned

Threat: Agents perform actions that violate organizational policies (e.g., accessing restricted data).

Planned: RFC-005 introduces policy bundles with obligations, allowing declarative enforcement of access rules.

What Guard Verifies Today

RFC-001 through RFC-003 are generally available. These checks run per request when Guard is deployed inline.

Identity

  • Ed25519 signature verification
  • Trust Badge validation (Levels 0–4)
  • Key ID (kid) resolution
  • Issuer (iss) claim verification

Integrity

  • SHA-256 body hash binding
  • bh claim verification
  • Compact JWS format validation
  • Protected header integrity

Freshness

  • iat issued-at validation
  • exp expiry enforcement
  • 60s default time window
  • 5s clock skew tolerance
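As an added illustration, not CapiscIO's own code, the identity, integrity and freshness checks listed above (and the replay and tampering mitigations from the threat model) are re-implemented here in Go with only the standard library. The compact JWS layout (an EdDSA protected header carrying kid; claims iss, iat, exp and bh), the "iss#kid" keying of the trust store, and the Sign helper used to produce a demo token are assumptions of this example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const window, skew = 60 * time.Second, 5 * time.Second // defaults stated on the page
var b64 = base64.RawURLEncoding
// Claims holds the verified fields; encoding/json matches "iss", "iat", "exp", "bh" case-insensitively.
type Claims struct {
	Iss      string
	Iat, Exp int64
	Bh       string // base64url(SHA-256(body))
}
func BodyHash(body []byte) string { h := sha256.Sum256(body); return b64.EncodeToString(h[:]) }
// Sign is the sender side for the demo: a compact JWS whose bh claim binds the body.
func Sign(priv ed25519.PrivateKey, iss, kid string, body []byte, now time.Time) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	c, _ := json.Marshal(map[string]any{"iss": iss, "iat": now.Unix(), "exp": now.Add(window).Unix(), "bh": BodyHash(body)})
	si := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return si + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(si)))
}
// VerifyInbound applies identity, integrity and freshness checks in that order.
// keys is a trust store keyed "iss#kid", so a key can only vouch for its own issuer.
func VerifyInbound(tok string, body []byte, keys map[string]ed25519.PublicKey, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return nil, errors.New("malformed compact JWS") }
	dec := func(s string) []byte { if b, err := b64.DecodeString(s); err == nil { return b }; return nil }
	var hdr struct{ Alg, Kid string }
	var cl Claims
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &cl) != nil {
		return nil, errors.New("malformed header or claims")
	}
	pub, ok := keys[cl.Iss+"#"+hdr.Kid] // identity: resolve kid under the claimed issuer
	if hdr.Alg != "EdDSA" || !ok || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), dec(p[2])) {
		return nil, errors.New("signature_invalid")
	}
	if cl.Bh != BodyHash(body) { return nil, errors.New("body_mismatch") } // integrity: bh vs received body
	iat, exp := time.Unix(cl.Iat, 0), time.Unix(cl.Exp, 0) // freshness: skew on both edges, lifetime capped
	if iat.After(now.Add(skew)) || exp.Before(now.Add(-skew)) || exp.Sub(iat) > window {
		return nil, errors.New("expired")
	}
	return &cl, nil
}
```

The error strings match the deny reasons named in the telemetry section (signature_invalid, expired, body_mismatch), so a caller can log the outcome without ever logging the token or body.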

What Guard Doesn't Do

Honest boundaries. No false promises. Guard does one thing well.

Not a prompt filter

Guard doesn't inspect or sanitize prompt content. It verifies the caller, not the message semantics. Use dedicated prompt security tools for content filtering.

Not rate limiting

Guard doesn't throttle requests. Pair with your existing API gateway, Kong, Envoy, or rate limiter for request volume controls.

Not authorization

Guard proves who is calling, not what they're allowed to do. Authorization is your business logic. Guard handles authentication.

Not content moderation

Guard doesn't block toxic content or policy violations. Use appropriate content filters upstream. Guard focuses on identity, integrity, and freshness.

Not a replacement for IAM

CapiscIO handles agent-to-agent identity, not user authentication. Continue using Okta, AWS IAM, or your existing identity provider for user login.

Not LLM safety

We verify which agent sent a request and whether the payload was tampered with. We do not detect jailbreaks or prevent harmful model outputs.

Guard does one thing well: cryptographic identity verification with tamper detection and replay protection.

Telemetry & Privacy

How Guard handles logging and what it never logs

What Guard logs (when enabled)

  • Decision outcomes (allow/deny)
  • Agent ID (iss claim)
  • Key ID (kid) used for signing
  • Timestamps and decision duration
  • Failure reasons (signature invalid, expired, body mismatch)

What Guard never logs

  • Request body content or payloads
  • Full JWS tokens
  • Private keys or key material
  • User PII or credentials

Example Telemetry Schema

If you log Guard outcomes, we recommend a structured JSON event like:

{
  "ts": "2025-01-15T14:32:10.847Z",
  "event": "guard.decision",
  "decision": "allow",          // or "deny"
  "agent_id": "billing-agent",
  "key_id": "billing-prod-2025",
  "latency_ms": 2,
  "endpoint": "/api/ledger/credit",
  "method": "POST",
  // Only present on deny:
  "deny_reason": null,          // or "signature_invalid", "expired", "body_mismatch"
  "error_code": null            // or "SG-001", "SG-002", etc.
}

Exact fields depend on your integration. This format works well with Datadog, Splunk, and OpenTelemetry.

Trust Levels (RFC-002)

Progressive identity assurance for different deployment scenarios

| Level | Name | Verification | Use Case |
|---|---|---|---|
| 0 | Self-Signed (SS) | Agent generates and signs its own keys | Dev/test environments |
| 1 | Registered (REG) | Agent registered with CapiscIO CA (account verification) | Internal agents, staging |
| 2 | Domain Validated (DV) | Agent proves control of domain via DNS or HTTP challenge | Public agents, APIs |
| 3 | Organization Validated (OV) | Verified business entity information | B2B integrations |
| 4 | Extended Validation (EV) | Full organizational audit, security review, and legal agreement | Financial, healthcare |

Enforcement in Guard

Guard verifies the badge and returns the trust level in claims. Enforce requirements in your middleware:

# Verify badge and enforce minimum trust level.
# Assumes `guard` is an initialised CapiscIO Guard client and HTTPException is
# your web framework's HTTP error type (status code, message).
claims = guard.verify_inbound(badge_token, body=request.body)

# claims["trust_level"] contains the badge's trust level (0-4); see the table above
if claims["trust_level"] < 3:
    raise HTTPException(403, "Organization Validated badge required")

Ready to evaluate CapiscIO for your environment?

Start with the open source Guard and CLI. Contact us for security architecture reviews and enterprise deployments.