Skip to content

[Contribution] VASP v1.0 — Open taxonomy for agentic AI behavioral failure modes #156

Description

@dom-omg

Hi,

I'd like to propose VASP v1.0 (Veritas Agent Security Protocol) as a referenced taxonomy in the AI Exchange,
specifically in the agentic AI threats section.

VASP is an open taxonomy (CC BY 4.0) that formally classifies behavioral failure modes specific to AI agent systems —
not model weights or training, but runtime configuration and architectural patterns.

10 failure modes (VAF-001 → VAF-010):

┌─────────┬─────────────────────────────────────────────────┬─────────┐
│ ID │ Title │ CWE │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-001 │ Approval Gate Bypass │ CWE-285 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-002 │ Financial Position Limit Bypass │ CWE-284 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-003 │ Prompt Injection via External Input │ CWE-77 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-004 │ Goal Misgeneralization Under Distribution Shift │ CWE-682 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-005 │ Tool Scope Escalation │ CWE-269 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-006 │ Context Window Constraint Drop │ CWE-119 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-007 │ Multi-Agent Collusion / Context Injection │ CWE-362 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-008 │ PII Exfiltration via Unguarded Output Channel │ CWE-359 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-009 │ RAG Retrieval Poisoning │ CWE-346 │
├─────────┼─────────────────────────────────────────────────┼─────────┤
│ VAF-010 │ Persistent Memory Bias Accumulation │ CWE-400 │
└─────────┴─────────────────────────────────────────────────┴─────────┘

Each mode has a formal Z3 SMT proof condition (SAT = vulnerable, UNSAT = fixed). Findings in LangChain and CrewAI have
already been disclosed under responsible disclosure using this taxonomy.

Public standard: veritas-chi-rosy.vercel.app/vasp
License: CC BY 4.0
Citation: Dominik Blain (2026). VASP v1.0 — QreativeLab.

Happy to contribute this as a PR to the relevant section if the maintainers agree it's a fit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions