Source: Federal Register — Request for Information Regarding Security Considerations for Artificial Intelligence Agents (Docket: 2026-00206)
Related: For NIST AI RMF 1.0 alignment, see nist-ai-rmf-alignment.md
The Agent Governance Toolkit provides an application-level governance stack that addresses agent identity, policy enforcement, execution sandboxing, observability, and behavioral monitoring. The repository contains policy-as-code tooling, sandboxing/hypervisor primitives, an inter-agent trust mesh, cryptographic audit primitives, SRE controls (SLOs, circuit breakers), and fuzzing/CI artifacts intended to support secure development and deployment of AI agents.
| Question | Topic | Status |
|---|---|---|
| Q1(a) | Unique threats/risks | Partial — agent-specific risks documented; empirical attack studies limited |
| Q1(d) | Threat evolution | Partial — changelog shows integrity, audit, anomaly features added |
| Q2(a) | Controls & maturity | Yes — policy-as-code, middleware, sandboxing, human-approval, CI |
| Q3(a) | Detection | Yes — fuzzing, anomaly detector, OpenTelemetry traces |
| Q4(a/d) | Constraining & monitoring | Yes — hypervisor rings, resource governors, signed audit, telemetry |
- Generated: Automated repository scan (code search + file reads) performed on 2026-03-11.
- Scope: Repository Markdown, demo code, changelog, packages/*/docs, fuzz/, and source modules for governance, audit, hypervisor, and SRE features.
- Approach: Matches were located using repository text search for keywords (identity, policy, audit, sandbox, anomaly, SLO, etc.), file excerpts were inspected, and a best-effort mapping (Yes / Partial / Gap) was assigned based on explicit references or code examples.
- Limitations: This is an automated, static analysis of repository contents only. It does not validate runtime behavior, operational telemetry, or external dependencies. Reviewers should attach live operational artifacts (logs, OTLP exports, signed audit samples) and confirm mappings before submission.
- Provenance: See docs/internal/nist-rfi-provenance.md for timestamp, commit SHA, search queries, and commands used to generate this mapping.
- Status: Partial
- Rationale: Agent-specific risks (goal hijacking, capability abuse, rogue agents) are documented and mitigations are implemented, but empirical attack studies are limited.
- Evidence:
- Coverage table: README.md
- Risk mapping and mitigation examples: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Demo showing rogue detection/quarantine: demo/maf_governance_demo.py
- Status: Partial
- Rationale: Docs describe deployment boundaries, trust scoring, and identity options; detailed empirical variation analysis is not present.
- Evidence:
- Deployment boundary notes: README.md
- Trust scoring description: README.md
- AgentMesh identity and interoperability: packages/agent-mesh/AGENTS.md
- Status: Gap
- Rationale: Mitigations are provided but the repo lacks adoption studies or metrics showing how risks affect uptake.
- Status: Partial
- Rationale: Changelog and roadmap notes document feature evolution (anomaly detection, integrity verification), but predictive threat modeling is not included.
- Evidence:
- Evolution notes: CHANGELOG.md
- Roadmap / in-progress items: README.md
- Status: Partial
- Rationale: Inter-agent trust and mesh are implemented (AgentMesh), but formal adversary studies for multi-agent dynamics are limited.
- Evidence:
- AgentMesh: README.md
- AgentMesh docs: packages/agent-mesh/AGENTS.md
- Status: Yes
- Rationale: The repo includes model/agent controls, system-level policies, and human-oversight primitives with CI/test tooling.
- Evidence:
- Model/agent capability model & PolicyEngine: README.md
- Middleware & system-level controls: demo/maf_governance_demo.py, demo/README.md
- Human-in-the-loop policies: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Sandboxing / hypervisor: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Status: Partial
- Rationale: Alternatives and deployment-boundary notes are present (DID vs mTLS, on-prem vs cloud), but quantitative effectiveness analysis is missing.
- Evidence:
- Identity alternatives: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Status: Partial
- Rationale: Roadmap items indicate ongoing work (anomaly detection, external audit sinks) showing planned evolution of controls.
- Evidence:
- Roadmap/in-progress: README.md
- Status: Yes
- Rationale: Policy-as-code CI, schema versioning, bootstrap integrity verification are implemented to support safe updates.
- Evidence:
- Policy-as-code CI mention: CHANGELOG.md
- Bootstrap integrity verification: CHANGELOG.md
- Status: Partial
- Rationale: The project maps to SPIFFE, DID, OpenTelemetry, OWASP guidance; adoption metrics are not included.
- Evidence:
- Identity frameworks: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Observability: CHANGELOG.md
- Status: Yes
- Rationale: Fuzzing, policy CI, benchmarking, telemetry, and anomaly detection are present.
- Evidence:
- Fuzz harnesses: fuzz/fuzz_policy_yaml.py
- Anomaly detector: packages/agent-sre/src/agent_sre/anomaly/rogue_detector.py
- Telemetry/tracing: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md, CHANGELOG.md
- Status: Yes
- Evidence: Auto-quarantine demo and audit logs — demo/maf_governance_demo.py
- Status: Partial
- Rationale: The repo aligns with traditional observability and supply-chain good practices, but a formal comparison document and consolidated resources list are not present.
- Status: Partial
- Rationale: Tools such as PolicyCI, benchmarks, and audit logs support assessment; a standardized scoring rubric is not present.
- Evidence: CHANGELOG.md, benchmark references in README.md
- Status: Partial
- Rationale: Supply-chain integrity features (IntegrityVerifier, AI-BOM references) exist; standardized upstream disclosures are not enforced by the repository.
- Evidence: CHANGELOG.md, AI-BOM mention (CHANGELOG.md)
- Status: Yes
- Evidence: Deployment patterns, demo scenarios, and policy examples: demo/README.md, demo/policies/research_policy.yaml
- Status: Yes
- Rationale: Capability guards, ring isolation, resource governors, and network/tool restrictions are implemented.
- Evidence:
- Hypervisor / sandbox designs: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- ResourceGovernor usage: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Status: Partial
- Rationale: Circuit breakers, SLOManager, and error budgets exist; explicit automated undo/transactional rollback semantics are not documented.
- Evidence: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md
- Status: Partial
- Rationale: Demo scenarios illustrate interaction controls and audit; a formal counterparty risk playbook is not present.
- Evidence: demo/maf_governance_demo.py, README.md
- Status: Yes
- Rationale: OpenTelemetry metrics, signed/Merkle audit logs, and anomaly detection are implemented; privacy/legal guidance is limited.
- Evidence: packages/agent-compliance/docs/analyst/owasp-agentic-mapping.md, CHANGELOG.md
- Status: Partial
- Rationale: Patterns for safer deployment are present; longitudinal traffic-tracking for open internet deployments is not addressed.
- Status: Yes
- Evidence: PolicyCI, fuzz harnesses, demo policies and examples — see CHANGELOG.md mentions and the fuzz/ and demo/ folders.
- Status: Partial
- Rationale: The codebase contains building blocks useful for standards work (identity, audit, policy) and would benefit from government collaboration on disclosure standards and audit sinks.
- Status: Partial
- Rationale: In-repo roadmap items highlight anomaly detection and external audit sinks as priorities.
- Status: Gap
- Rationale: No formal comparative policy analyses or cross-discipline mappings are present; recommend adding them if the RFI response addresses international practices.
| Section | Yes | Partial | Gap |
|---|---|---|---|
| 1 — Threats & Risks | 0 | 4 | 1 |
| 2 — Security Practices | 2 | 3 | 0 |
| 3 — Assessing Security | 3 | 3 | 0 |
| 4 — Deployment Environments | 2 | 3 | 0 |
| 5 — Additional | 1 | 2 | 1 |
| Total | 8 | 15 | 2 |
- Collect and attach operational artifacts (OTLP dumps, signed audit samples, benchmark outputs) with commit SHAs for provenance.
- Internal review: security, legal, product sign-off.
- Address the 2 gaps (adoption barriers Q1c, international practices Q5d/e) with supporting evidence.
- Confirm all evidence links point to current file locations before submission.
Prepared by automated repository mapping — review for accuracy and add live operational evidence before submission.