Skip to content

Agentic risks & mitigations#218

Merged
ColinEberhardt merged 7 commits into
finos:mainfrom
pmerrison:agentic-system-risks
Oct 15, 2025
Merged

Agentic risks & mitigations#218
ColinEberhardt merged 7 commits into
finos:mainfrom
pmerrison:agentic-system-risks

Conversation

@pmerrison

@pmerrison pmerrison commented Sep 1, 2025

Copy link
Copy Markdown
Contributor

This PR adds a number of new risks and mitigations to the framework. I've marked them all as drafts as I imagine we will want to iterate on them a bit. The additions are:

Risks

  • 24: Agent Action Authorization Bypass
  • 25: Tool Chain Manipulation and Injection
  • 26: MCP Server Supply Chain Compromise
  • 27: Agent State Persistence Poisoning
  • 28: Multi-Agent Trust Boundary Violations

Mitigations

  • 18: Agent Authority Least Privilege Framework
  • 19: Tool Chain Validation and Sanitization
  • 20: MCP Server Security Governance
  • 21: Agent Decision Audit and Explainability
  • 22: Multi-Agent Isolation and Segmentation

In general I think I'm happier with the risks than I am the mitigations, I think there's potententially too much detail in there. Regardless, I thought it was worth contributing we can iterate on them together.

Reviewers

In order to spread the load, we are going to assign a lead reviewer to each risk / mitigation. This TODO list is going to be used for tracking, with items 'checked' when review is complete

Signed-off-by: pmerrison <paul@tetrate.io>
@ColinEberhardt ColinEberhardt added the governance-needed indicates that this PR contains substantive changes to the published specification. label Sep 4, 2025
@alvin-c-shih

alvin-c-shih commented Sep 9, 2025

Copy link
Copy Markdown
Contributor

Unlike the OWASP LLM Top 10, there don't seem to be OWASP Agentic Top 10 web pages to link to:

Link to the Markdown files?

While looking at that, I stumbled upon this:

It has groupings / layers which may be helpful.

@pmerrison

Copy link
Copy Markdown
Contributor Author

Unlike the OWASP LLM Top 10, there don't seem to be OWASP Agentic Top 10 web pages to link to:

Link to the Markdown files?

While looking at that, I stumbled upon this:

It has groupings / layers which may be helpful.

Thanks Alvin - that last one looks potentially really interesting. I'll have a read over it.

@pmerrison

Copy link
Copy Markdown
Contributor Author

The OWASP rabbit hole runs deep.

https://genai.owasp.org/resource/securing-agentic-applications-guide-1-0/ - this one goes deep into various agentic deployment patterns and how to deploy them and might be useful

https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/ - this one covers top-level threats and mitigations. We should look through it and check that the current framework, plus these additions, cover them all

@pmerrison

Copy link
Copy Markdown
Contributor Author
Agent Architecture Diagram FINOS Here's the diagram. I've added one more risk/mitigation in my most recent push, but I think this is everything I would suggest adding at present.

Signed-off-by: Paul Merrison <paul@tetrate.io>
@ColinEberhardt

Copy link
Copy Markdown
Contributor

Thanks for presenting yesterday @pmerrison - I've updated the PR description to support assignment of reviewers.

@alvin-c-shih @aateeque @chamindra @vicenteherrera please do put your name forwards as the lead reviewer for a risk / mitigation pair. Thanks!

@ColinEberhardt ColinEberhardt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed MI18, RI-24, minor comments, both are top-notch 👍

Comment thread docs/_risks/ri-24_agent-action-authorization-bypass.md Outdated
Comment thread docs/_risks/ri-24_agent-action-authorization-bypass.md
Comment thread docs/_risks/ri-24_agent-action-authorization-bypass.md
Comment thread docs/_mitigations/mi-18_agent-authority-least-privilege-framework.md Outdated
Comment thread docs/_mitigations/mi-18_agent-authority-least-privilege-framework.md Outdated
@alvin-c-shih

Copy link
Copy Markdown
Contributor

RI-26 / MI-20 are very thorough!

However, I'm not aware of any implementations (in the coding assistant space, anyway) that would be be compliant with everything listed. think adoption is more likely with a tiered approach.

One simplifying assumption would be that all MCP clients must use the centrally-administered MCP proxy, and the proxy is configured to use trusted implementations of MCP servers.

Another simplifying assumption would be for systems with human-in-the-loop controls.

Full on many-to-many MCP would be the harder scenario that we'd still want to solve, but as a different tier, would give the industry time to work out the details while still allowing limited use in the meantime.

@alvin-c-shih

Copy link
Copy Markdown
Contributor

Here's the link for the GitHub's implementation of central administration:
https://docs.github.com/en/copilot/how-tos/administer-copilot/configure-mcp-server-access

Ideally that + HITL would make it easier for granting MCP access for SDLC-related work.

Hopefully not too hard to refactor RI-26 / MI-20 for this. But if in the process, you discover serious gaps, would be good to discuss on an AIGF call.

@chamindra chamindra left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added my comments on multi-agent trust boundaries and isolation. Some good thoughts on access controls for multi-agent communication which I think is definitely needed. However feasibility comes with being able to monitor in a scalable way and this is likely to need other agents to monitor and red flag attacks.


* **DNS/Infrastructure Attacks**
Redirecting agent MCP server connections to attacker-controlled servers through DNS poisoning, BGP hijacking, or other network-level attacks.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is addressed in the mitigation but I think we need to add the use of the MCP beyond the scope of the use-case MCP client. ie. this is privilege escalation. There needs to be clear access control on MCP server to MCP client / use-case

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried to address this in the MCP updates that I made, please take a look

Comment thread docs/_risks/ri-26_mcp-server-supply-chain-compromise.md Outdated

* **Credential Harvesting**: Compromised MCP servers collect and exfiltrate authentication credentials or sensitive data sent by agents.

* **Agent Tracking**: MCP servers log and profile agent behavior to build intelligence about the financial institution's operations and decision-making patterns.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also add Privilage Escalation, Access to Sensative data beyond scope of approved use-case based on the risk mentioned about

@@ -0,0 +1,91 @@
---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed looks good for a first draft.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep lgtm too

@@ -0,0 +1,101 @@
---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed. Agreed the hidden manipulation of long term and short term memory of the agent can have unintended effects. It is similar prompt injection attack in that it provides the system context

* **Resource Access Compartmentalization**: Shared resources such as APIs, databases, and external services are accessed through controlled interfaces with appropriate isolation.
* **Trust Boundary Enforcement**: Clear definition and enforcement of trust boundaries between different agent types and privilege levels.
* **Failure Isolation**: System design ensures that failures or compromises in one agent don't propagate to other agents or core systems.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might potentially add that a scope of response needs to be added for the agent to prevent unintended behaviour and it needs to be tested with prompts that attempt to take it our of the scope of it's intended behaviour.

* **Key Management**: Establish secure key management procedures for inter-agent communication encryption.

* **Communication Access Controls**:
* **Allowed Communications Matrix**: Define and enforce a matrix of which agent types are permitted to communicate with each other.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good idea, however complex to maintain. It might be easier to approve what agents can be used for a use-case and permit access by use-case application that propagates through agent to agent communication, such that effectively intent of use flows and can be checked.

### 5. Trust Boundary Definition and Enforcement

* **Agent Classification Framework**:
* **Security Classifications**: Classify agents based on data sensitivity, privilege levels, and risk profiles.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good Idea. This could simplify access control. Any communication with agents at higher classification levels would require permission. Again if the application intent and access classification can flow through agent to agent communication this could prevent access control by use-case application that have lower clearance

### 6. Failure Isolation and Recovery

* **Circuit Breaker Implementation**:
* **Agent Circuit Breakers**: Implement circuit breakers to isolate failing agents and prevent cascade failures.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agent Circuit breakers triggered by observability and deviation from expected threshold would be good. However how would we detect failure. This gets back to using the benchmarking metrics for that use-case as a measure of deviation


* **Audit Trail Maintenance**:
* **Cross-Agent Audit Logs**: Maintain comprehensive audit logs of all cross-agent interactions and boundary enforcement actions.
* **Security Event Correlation**: Correlate security events across multiple agents to detect coordinated attacks or systemic issues.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is likely we need agents to review and audit agents and red flag suspicious activity. Using agents to monitor potential attacks would be a good idea to accommodate especially fast moving AI attack vectors.

Signed-off-by: Paul Merrison <paul@tetrate.io>
@pmerrison

Copy link
Copy Markdown
Contributor Author

RI-26 / MI-20 are very thorough!

However, I'm not aware of any implementations (in the coding assistant space, anyway) that would be be compliant with everything listed. think adoption is more likely with a tiered approach.

One simplifying assumption would be that all MCP clients must use the centrally-administered MCP proxy, and the proxy is configured to use trusted implementations of MCP servers.

Another simplifying assumption would be for systems with human-in-the-loop controls.

Full on many-to-many MCP would be the harder scenario that we'd still want to solve, but as a different tier, would give the industry time to work out the details while still allowing limited use in the meantime.

Thanks Alvin - I've significantly reworked the MCP risk and mitigation to introduce a layered approach to governance. Hopefully it addresses your concern whilst leaving the technical detail in place for the future.

Signed-off-by: Paul Merrison <paul@tetrate.io>
Signed-off-by: Paul Merrison <paul@tetrate.io>
Signed-off-by: Paul Merrison <paul@tetrate.io>
@pmerrison

Copy link
Copy Markdown
Contributor Author

I've addressed (or at least I think I have) all feedback comments provided before this comment.

@aateeque aateeque left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is comprehensive & solid start on agentic stuff; just raised a minor clartificatoin point around "tool manager" which perhaps need to elaborate on a bit more. otherwise lgtm & thanks for a superb contribution!
ps: have ticked as happy to address the clarification in a further PR

* **Tool Selection Reasoning Capture**:
* **Decision Logging**: Log the agent's reasoning for tool selection decisions, including input factors and decision criteria.
* **Alternative Analysis**: When possible, capture why other available tools were not selected to identify potential manipulation.
* **Confidence Scoring**: Implement confidence metrics for tool selection decisions to identify potentially compromised selections.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really good and useful; but does this imply a continuous telemetry on agent tool use? That sort of opens up the door to evals & benchmarks and is that something we should call out here?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I've added another point in my next commit.

@@ -0,0 +1,91 @@
---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep lgtm too

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

* Implement comprehensive authorization checks at the tool manager level before any API calls are executed, validating the agent's identity and role against the requested operation.
* Validate that requested API endpoints and parameters are within the agent's authorized scope.
* Reject and log any attempts to access unauthorized tools or APIs, including the agent identity for audit purposes.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it worth defining what we mean by "external" here (external to org or external to system integrating an agentic flow)? And also is "tool manager" a new component in the architecture which wraps all APIs that the system interacts with?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re: tool manager - I think of it as a component that wraps all the APIs that agents might call to effect change, but it's probably easier to have it wrap every external API call/tool (The RHS of the diagram, not the memory/LLM/comms).

I've clarifed the external part in my next commit

* **Tool Manager Integration**:
* **Pre-execution Validation**: Implement validation checks at the tool manager level before any tool execution begins.
* **Parameter Interception**: Intercept and validate all parameters before they are passed to underlying APIs or systems.
* **Tool Chain Orchestration**: Use the tool manager to orchestrate safe tool execution sequences and enforce workflow validation.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this needs a bit more clarity...it feels like we mean the tool manager is an orchestrator? whereas I think the intent is perhaps that an LLM is an agentic orchestrator, which in turn may orchestrate further tool/agent calls routed via a "tool manager"? Or have I misunderstood this one?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tool manager is meant as a piece of middleware that sits between the agent and the tools it calls. It gives you a place to do things like monitor/prevent certain chains of tool calls (like read calendar, email contents) that you know to be anti-patterns. You would probably implement this via a combination API/MCP gateway that lets you do things like pooling APIs and MCP based tools into buckets that you can expose to specific agents, monitor tool execution order, perform logging etc. I will work on the clarity for the next commit

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a reference back to mi-18 section 3 where this is defined

@alvin-c-shih

alvin-c-shih commented Oct 9, 2025

Copy link
Copy Markdown
Contributor

For mi-20, I think Tier 1 and Tier 2 should be swapped. ri-26 LGTM.

Tier 1 is "easiest adoption at the cost of HITL".

  • all traditional open source software controls in place (license checks, CVE checks, other scanning of transitive dependencies)

Tier 2 is "humans can be removed if there's sufficient identity management, logging, and monitoring".

Tier 3 adds "mutual authentication, added containment, etc.".

I've made a hasty copy-paste with light edits to hopefully convey the idea more concretely:

Tier 1: Centralized Proxy + Human-in-the-Loop Controls

Recommended for: Organizations beginning MCP adoption, coding assistant deployments, development workflows

  • Example: GitHub Copilot's centralized MCP server access configuration
    • TLS encryption for all MCP communications
    • MCP proxy enforces connection restrictions (clients cannot bypass proxy to connect directly to MCP servers)
    • Central IT/security team maintains allowlist of approved MCP servers
    • Approved MCP servers undergo basic security vetting (source code review for open source, scanning of transitive dependencies, vendor assessment for commercial)
    • Regular security reviews of approved MCP servers (at least annually)
    • Human approval required before agents execute actions suggested by MCP servers
    • Incident response procedures specific to MCP server compromise

Tier 2: Centralized Proxy with Pre-Approved Servers

Recommended for: Production deployments with moderate risk, customer-facing applications with oversight

  • All Tier 1 controls, minus Human-in-the-Loop plus:

  • Architecture: All MCP clients connect through a centrally-administered MCP proxy server that enforces connections only to pre-approved, trusted MCP server implementations

  • Key Controls:

    • Basic logging of MCP server connections and usage
    • User/agent identity propagation through MCP proxy for audit trails
    • Enhanced monitoring and alerting on MCP server behavior and data anomalies in place of Human-In-The-Loop

Tier 3: Distributed Many-to-Many with Comprehensive Security

Recommended for: Complex multi-agent systems, high-risk financial transactions, fully autonomous deployments

  • All Tier 1 and 2 controls, plus:
  • Additional Controls:
    • Comprehensive supply chain due diligence for all MCP server providers (detailed in sections below)
    • Advanced data integrity validation including cryptographic signatures and cross-reference validation
    • Real-time behavioral monitoring and anomaly detection for MCP server responses
    • Network segmentation and service isolation for MCP connections
    • Mutual authentication between all MCP clients and servers
    • Advanced incident response capabilities with forensic analysis and rapid isolation procedures


## Links

- [OWASP Machine Learning Security Top 10](https://owasp.org/www-project-machine-learning-security-top-10/)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice diagram on this one with not-overwhelming list of mitigations at the end.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the links with two of the three above, thanks!

* **Decision Event Capture**:
* **Decision Initiation**: Log when agent decision-making processes begin, including triggering events and initial context.
* **Input Data Recording**: Capture all input data used in decision-making, including data sources, timestamps, and data quality indicators.
* **Tool Selection Logic**: Document why specific tools were selected and why alternatives were rejected.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is realistic. OpenAI hides the thinking tokens.
https://platform.openai.com/docs/guides/reasoning

  • "While reasoning tokens are not visible via the API, they still occupy space in the model's context window and are billed as output tokens."

Forcing detailed reasoning in cases where the model works "most of the time" is going to increase cost by quite a bit.

Again, you might want to have tiers depending on the stakes associated with each use case.

Tier 1, just being able to reconstruct the flows of data / prompts so they can try to reproduce in the "lab environment" and tease out the "why".

Tier 2 could suggest that explicit reasoning should be generated / logged in advance of the tool calls.

But some use may be be so low stakes (again HITL controls, software development with code reviews) that the preference is to defend against data leakage and go with a Zero Data Retention policy instead. (Tier 0?)

At bare minimum, you'd want an Architecture Decision Record that shows the risk analysis performed and which Tier applies.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're right here that we need a tiered approach again. I've made an update to this file to address.

Signed-off-by: Paul Merrison <paul@tetrate.io>
@pmerrison

Copy link
Copy Markdown
Contributor Author

All review comments have now been addressed.

@chamindra / @ColinEberhardt - I think all the files have been reviewed now. Unless there are further review comments, I would suggest that we merge this, then open some new issues to bring each of the pairs from Draft to Approve-Specification, and we can work through them one at a time.

@ColinEberhardt ColinEberhardt merged commit 4479f18 into finos:main Oct 15, 2025
1 check passed
@ColinEberhardt

Copy link
Copy Markdown
Contributor

Thank you everyone - great job 👏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

governance-needed indicates that this PR contains substantive changes to the published specification.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants