AI agent security is the practice of ensuring that autonomous AI systems can only take actions they are explicitly authorized to take, that their behavior is continuously verified against policy, and that every action is attributable, auditable, and recoverable. Unlike traditional API security, agent security must account for non-deterministic outputs, multi-hop trust chains between agents, and the compound risk of actions that are hard or impossible to reverse. Getting it right requires layered controls at the identity, authorization, content, runtime, and observability layers — not just an API key on a webhook.

This guide covers the full stack: how to establish agent identity, how to enforce least-privilege authorization, how to validate content in real time, how to reason about trust in multi-agent systems, and how to operate with the visibility needed to detect and contain incidents. Where Praesidia implements these controls, the guide notes what that looks like in practice. Where it does not, the principles and patterns remain the same.

Why AI agent security is different from API security

Traditional API security assumes a human is ultimately in the loop. The blast radius of a compromised credential is bounded by what it can read or write, and an attacker still needs to issue requests manually.

AI agents change this picture in three important ways.

Autonomy multiplies exposure. An agent with access to email, calendar, and a database can chain hundreds of actions from a single trigger. A misconfigured permission is not a one-time leak — it is a persistent capability exercised across every task that touches that surface.

Outputs are non-deterministic. An agent that is safe in testing may produce harmful or incorrect output in production as inputs drift. Content guardrails must operate at runtime, not just at design time.

Trust chains are multi-hop. Modern agent architectures involve agents calling other agents, calling MCP servers, calling external APIs. A vulnerability anywhere in the chain — a compromised identity, a missing guardrail, a policy never enforced — propagates downstream.

These differences make agent security its own discipline, not an extension of API security practices.

Establishing agent identity

Every security control in an agent system depends on reliable identity. If you cannot say with certainty which agent is taking an action, you cannot enforce authorization, evaluate trust, or produce meaningful audit logs.

Unique, non-shared credentials

Each agent should have its own credential, scoped to its identity — not shared with other agents or human users. Common patterns:

  • Client ID + secret pairs — the agent presents a client ID verified against a stored hash (HMAC or bcrypt). The secret is never stored in plaintext.
  • Short-lived tokens — the agent authenticates to an identity provider and receives a JWT with a short TTL. Revocation happens at the token boundary.
  • Mutual TLS — the agent presents a client certificate validated against a known CA. The strongest option for high-assurance environments, but requires certificate lifecycle management.

Avoid hard-coded credentials in source code, secrets shared across agents, and long-lived tokens that are never rotated.

Registration and lifecycle management

Agent identity requires lifecycle management beyond the initial credential: registration (the control plane records the agent's identity and issues credentials), rotation (defined schedule, possible without downtime by keeping two active credentials during the overlap), revocation (instant and propagated to all enforcement points, not just the issuing service), and decommission (credentials revoked, connections closed, endpoint URLs deregistered).

In Praesidia, disabling communication on an agent immediately marks all dependent connections as disconnected — the system does not leave orphaned connections pointing at a decommissioned endpoint.

Identity for agent-to-agent calls

When agents call each other, the receiving agent must verify the caller's specific identity, not just that any valid token is present. The token must carry the caller's agent ID, and the receiving system must confirm the caller is authorized to reach that specific receiver.

Praesidia's A2A pattern uses per-agent endpoint URLs and requires authenticated credentials on every inbound request. Public endpoints exist only for agents explicitly marked as public; private endpoints are reachable only within the platform's routing layer.

Authorization and least privilege

Identity tells you who is calling. Authorization tells you what they are allowed to do. For AI agents, the principle of least privilege is especially important because agents will, by design, use every capability they have access to.

The capability surface

Start by enumerating what an agent can reach: which APIs and tools, which data stores, which other agents or MCP servers, the maximum cost per request and per month, and which task types it should never perform. This capability surface should be explicit and enforced — not implicit (whatever the agent happens to have credentials for).

Connection-level policy enforcement

In multi-agent architectures, the connection between two agents is itself a security boundary. Each connection should carry a policy that specifies:

Policy dimension Example values
Allowed task types ["code_review", "summarize"] or null (any) or [] (none)
Rate limits 10 requests per minute, 500 per hour
Active time window Weekdays 08:00–18:00 UTC only
Monthly spend cap $200 USD
Allowed models ["claude-3-5-sonnet"]
Allowed tools ["web_search", "read_file"]
Minimum trust level VERIFIED
Approval requirement Manual review required above $50

Praesidia enforces this policy at the moment of task dispatch — every task is evaluated against the connection's policy before it is routed. A violation produces an audit event and a denied response; the task never reaches the downstream agent.

This is the key distinction between stored policy and enforced policy. Many systems let you configure a policy but enforce it only partially. Connection-level enforcement at the dispatch layer means the policy cannot be bypassed by calling the downstream agent directly — the downstream agent does not expose credentials to the calling agent; the platform holds the trust relationship.

Role-based access to the control plane

The operators who configure agents also need scoped access. Use role-based access control (RBAC) with fine-grained permissions: Viewer (read dashboards and logs), Operator (create and configure agents, manage connections), and Owner (update trust floors, approve or revoke attestations, manage organization-wide policy). For detailed patterns, see identity and access management for AI systems.

Content guardrails: validating inputs and outputs

Authorization controls what an agent is allowed to do. Guardrails control what it is allowed to say and receive. Because LLM outputs are probabilistic, you cannot guarantee safe content at the model layer alone — you need runtime validation on both the input side (what goes into the agent) and the output side (what comes out).

Input validation

Before a task reaches an agent, the input should be screened for:

  • Prompt injection: attempts by malicious content in the environment (web pages, documents, user messages) to hijack the agent's behavior by inserting instructions. This is the single most prevalent attack against LLM-based agents in production.
  • PII and sensitive data: inputs containing social security numbers, credit card numbers, passwords, or other sensitive data may be appropriate to redact before they reach the agent, particularly if the agent logs or stores its inputs.
  • Policy violations: inputs that request the agent to take actions outside its authorized scope — jailbreak attempts, requests to access data the agent should not see, instructions to bypass safety controls.

Output validation

After a task completes, the output should be screened for:

  • Harmful or disallowed content: outputs that violate content policy, include dangerous instructions, or contain material inappropriate for the intended audience.
  • Data exfiltration: outputs that appear to be leaking sensitive data from the agent's context — another class of prompt injection side effect.
  • Factual accuracy: for high-stakes domains, LLM outputs should be validated against known-good sources or flagged for human review when confidence is low.
  • Brand and compliance: outputs that could expose the organization to legal or reputational risk.

Guardrail types and actions

Guardrails are not binary. Different situations call for different responses:

  • BLOCK: the task or output is rejected entirely. Use for security violations, prompt injection, and severe policy breaches.
  • REDACT: sensitive content is removed or masked before passing to the agent or returning to the caller. Useful for PII.
  • REPLACE: the blocked content is substituted with a safe placeholder.
  • WARN: the content passes but a warning is logged. Use for borderline cases where human review is appropriate but blocking is too aggressive.
  • ESCALATE: the content is flagged for human review before the task proceeds.
  • RETRY: the task is retried with modified parameters (useful for format violations that might resolve on a second attempt).

Praesidia applies complementary guardrail techniques across rule-based, classifier, and LLM-judge approaches — a BLOCK action actually stops the task, not merely logs a warning. The default failure mode is fail-closed: if the guardrail evaluator cannot run, the task is blocked rather than allowed through.

A guardrail that fails open provides no security guarantee — it only works when everything is working. Choose the failure mode deliberately: security guardrails should always fail-closed; quality guardrails may fail-open after careful consideration of the tradeoff.

For a broader treatment of how guardrails fit into AI governance frameworks, see AI governance and compliance.

Trust scoring: a quantitative layer above identity

Identity verification answers "who is this agent." Trust scoring answers "how much should we rely on this agent right now." These are different questions, and the answer to the second one changes over time.

What goes into a trust score

A well-designed trust score synthesizes multiple evidence sources:

  • Identity verification: is the agent's identity backed by a certificate, a verified registration, or simply a self-asserted credential? Higher verification strength contributes a higher base score.
  • Behavioral history: has the agent been producing outputs that pass guardrails, completing tasks successfully, and respecting rate limits? Or does it have a pattern of policy violations, errors, or anomalous behavior?
  • Compliance posture: is the agent running a known software version, with a current security scan, in a compliant deployment environment?
  • Reputation: has the agent been externally attested by a trusted third party — an auditor, a certification body, or another trusted organization?
  • Security posture: does the agent use strong credential types, rotate its secrets on schedule, and operate without unnecessary permissions?

Praesidia computes a 0–100 trust score from multiple weighted signals and maps it to a named trust level (UNTRUSTED through TRUSTED). The score feeds independent enforcement gates — at the connection, policy, and organization levels — so an agent whose score falls below a configured minimum has its tasks denied before they are dispatched.

Attestations

Trust scores can be adjusted by signed attestations from authorized third parties — an auditor, a compliance body, or your own internal security team — that cryptographically assert an agent meets a specific standard. The platform verifies each attestation's signature against an allowlisted set of trusted signing keys before it affects the score. Unverified or expired attestations do not contribute.

The bounded bonus design — each attestation contributes a limited positive adjustment, capped in total — prevents a single attestation from overwhelming the behavioral components of the score. An agent with a strong attestation but a pattern of policy violations should still be treated with caution.

Trust as a dynamic gate

Trust is dynamic. An agent's score rises when it behaves well and falls when it does not, making the dispatch gate a continuous control rather than a one-time onboarding check. If an agent starts exhibiting anomalous behavior, its score drops, connections with higher minimum trust levels begin rejecting its tasks, and operators see the change before a full incident develops — earlier than a static credential-based system where a compromised agent retains all capabilities until manually revoked.

Securing agent-to-agent (A2A) communication

When agents communicate with each other or with MCP servers, every hop in the chain is a potential trust boundary. Securing these connections requires the same rigor as securing human-to-system connections, with additional considerations for the automated, high-volume, multi-hop nature of agent traffic.

The connection as a security boundary

Each A2A connection should be treated as a distinct security boundary with its own policy — not a generic "this agent can talk to that agent" permission. When you establish a connection, you are making a precise statement about what is permitted on that link. Before a connection can be established between agents in different organizations, the receiving organization must explicitly share the agent, preventing cross-org connections without consent.

SSRF and outbound request validation

When agents can register outbound URLs — for example, a custom public endpoint — every URL is a potential SSRF (Server-Side Request Forgery) surface. Outbound request validation must reject URLs resolving to private IP ranges (RFC 1918, loopback, link-local), require HTTPS for any externally-registered endpoint, validate a public TLD, and block redirects that resolve to private addresses after initial DNS resolution.

Circuit breakers and backup connections

In high-reliability agent systems, you need a fallback when a connection is unhealthy. The circuit breaker pattern — stop sending traffic to a failing endpoint, wait for it to recover, then gradually resume — prevents a slow or failing downstream agent from cascading failures upstream.

Praesidia supports designating a backup connection on each A2A link. When the primary connection's health degrades (rising error rate, increasing latency, sustained failures), traffic can be routed to the backup. Health is tracked through rolling snapshots, giving operators a time-series view of each connection's reliability.

For more on reliability patterns in AI infrastructure, see platform operations.

Budget and cost controls as security controls

In AI agent systems, cost controls are also security controls. An agent with no spending limit that is compromised or malfunctioning can accumulate significant API costs before the incident is detected.

Each A2A connection should carry a monthly spend cap. When the cap is reached, further tasks are denied until it is reset or raised — this bounds the blast radius of a compromised agent to a defined dollar amount. Per-request cost limits prevent a single unusually large task from consuming a disproportionate share of the budget.

Unusual spending patterns are also an early incident signal. An agent spending at five times its normal rate may be processing injected prompts, caught in a loop, or redirected to a more expensive model than intended. Budget anomaly alerts belong in the same workflow as security alerts, not in a separate finance dashboard.

For guidance on AI cost management, see AI FinOps.

Multi-tenancy and data isolation

In any system serving multiple organizations, strict data isolation between tenants is foundational. For AI agents this means every query — logs, task records, agent state — is scoped to the requesting organization; agent credentials from one organization cannot reach another's agents without an explicit sharing relationship; and audit logs are isolated so Organization A can never read Organization B's records.

Row-level security (RLS) at the database layer is the most reliable implementation because it enforces the boundary even when application code has a bug — the database itself refuses the query. Application-layer enforcement alone can be bypassed by code defects. When an organization closes its account, data should follow defined retention and deletion policies rather than persisting indefinitely.

Observability and audit logging

You cannot secure what you cannot see. Observability for AI agent systems means a complete, tamper-evident record of every action every agent has taken, every policy decision made, and every guardrail triggered — not just application performance metrics.

What to log

Every agent action should produce a log entry containing: the agent identity (agent ID, not just a name); the requesting organization and user; the action taken and its parameters; the policy decision and which policy clause applied; the guardrail decisions (which ran, which triggered, what action was taken); the cost incurred; and timestamps precise enough to reconstruct event ordering.

Standard application logs capture HTTP layer activity. An AI agent audit log captures the causal chain: which guardrail triggered, which policy was applied, what the agent was authorized to do, and how much it cost — context that makes multi-hop incident reconstruction possible.

Audit log integrity

Audit logs are only useful if you can trust them. An attacker who can modify the log can erase evidence of their actions. Protect integrity with append-only storage (the log is never edited or deleted), cryptographic chaining (each entry includes a hash of the previous one, making tampering detectable), and separate access controls (readable by authorized auditors, not writable by the agents being audited).

Retention and real-time alerting

Define explicit retention periods and enforce them with automated deletion — indefinite log retention creates privacy and legal exposure. Alongside retention, define real-time alert conditions: repeated policy violations from a single agent, trust score drops below a threshold, unusual spend rate, guardrail trigger spikes, and new connections established from unexpected sources. Logs are retrospective; alerts are prospective. Both are necessary.

For broader guidance on AI system observability, see platform operations.

Compliance frameworks for AI agents

Several regulatory frameworks now apply directly to AI agent security. Understanding them together helps you design controls that satisfy multiple requirements without retrofitting for each separately.

Framework Primary relevance to agent security
EU AI Act Risk classification; transparency, human oversight, and documentation for high-risk AI
GDPR / CCPA PII handling in agent I/O; data subject rights; audit trail for automated decisions
SOC 2 Type II Access control, change management, monitoring, incident response
ISO 27001 Risk assessment and treatment for AI-specific threats
NIST AI RMF Govern, Map, Measure, Manage cycle for AI risk

The pattern across all frameworks is the same: document your controls, enforce them technically, produce evidence, and demonstrate a credible incident response capability. A well-instrumented agent control plane — one that captures audit logs, enforces policy in-band, and produces per-evaluation guardrail records — is the technical foundation that makes compliance achievable without separate tooling for each framework.

For deeper coverage, see AI governance and compliance.

Incident response for AI agents

Agent security incidents differ from traditional IR in the speed of blast-radius growth and the importance of the audit log for reconstruction.

Containment

The first priority is stopping the blast radius from growing. Containment steps, in order:

  1. Revoke the agent's credentials immediately — not after the investigation. A false-positive revocation costs temporary downtime; an ongoing compromise costs far more. Credentials can be re-issued once the investigation concludes.
  2. Disable A2A communication — this closes the agent's endpoint URLs and marks all dependent connections as disconnected. Downstream agents can no longer receive tasks from the compromised agent.
  3. Suspend specific connections — if the agent itself is not the root cause, you can suspend the connections that showed anomalous traffic while leaving others active.

Investigation and recovery

Use the audit log to reconstruct what happened. Key questions: when did the anomalous behavior begin, and what changed at that time? Was the incident caused by a prompt injection — trace the input back to its source. Did any guardrail trigger before detection via another channel? Did the agent's trust score drop before the incident, and if so, why didn't the lower score gate further actions?

Recovery includes re-issuing credentials with rotation, tightening connection policy and guardrail configuration, updating the attestation provider allowlist if attestations were misused, and documenting the incident timeline. Always close with a detection-lag question: how long between the first anomalous action and containment, and what would have shortened that window?

For more on AI risk management, see AI strategy.

Building a security program around AI agents

The controls described in this guide form a layered security program. No single layer is sufficient on its own: identity without authorization leaves capabilities unbounded; authorization without guardrails leaves LLM behavior ungoverned; guardrails without trust scoring leave behavioral drift undetected; all of the above without observability leave incidents accumulating silently.

The right posture question is not "do we have a guardrail?" but "do all the layers work together, with fail-closed defaults, in-band enforcement, and real-time visibility?" Praesidia is designed to answer yes to all of these — identity, authorization, guardrails, trust, A2A policy enforcement, budget controls, audit logging, and incident tooling in a single control plane.

Whether you use a purpose-built control plane or assemble these controls from components, the architecture principle is the same: enforce at the dispatch layer, fail closed, log everything, alert on anomalies, and make revocation instant.

Start with an assessment of your current AI agent security posture, review the documentation for implementation patterns, or explore the frequently asked questions for specific scenarios.

Common questions

What is the difference between a guardrail and an authorization policy?

An authorization policy controls what an agent is allowed to do — which task types, tools, and downstream agents, within what spending limits. A guardrail validates the content passing through the agent's task channel — the actual text, data, and instructions. Both are necessary: authorization prevents out-of-scope actions; guardrails catch harmful content within authorized actions. An agent can be fully authorized to perform a task and still produce output that a guardrail should block.

How should I handle an agent that has been compromised?

Revoke its credentials immediately and disable its A2A communication endpoints — do not wait for the investigation. Containment comes first; credentials can be re-issued once the root cause is understood. Use the audit log to reconstruct what actions were taken, tighten the connection policy and guardrail configuration, then re-issue credentials with rotation.

What trust level should I require for a connection between two agents?

Set the minimum trust level proportional to what the receiving agent can do. For agents with access to sensitive data or the ability to take irreversible actions, require at least a VERIFIED level. For agents with read-only access to non-sensitive data, a lower threshold may be appropriate. When in doubt, err higher — the cost of a blocked task is lower than the cost of an action taken by an agent that should not have been trusted.

Is fail-closed the right default for all guardrails?

Fail-closed is the right default for security guardrails: prompt injection detection, PII blocking, content safety. For guardrails enforcing format or quality standards — where a false positive is more costly than a false negative — fail-open may be appropriate, but only as a deliberate, documented choice. Never set a security guardrail to fail-open without explicit review of the consequences.

How does A2A communication differ from a standard API call?

In a standard API call, a human or deterministic application sends a defined request. In A2A, an AI agent autonomously decides to call another agent, potentially with inputs that are themselves AI-generated and may carry upstream prompt injection. A2A connections need per-connection policies, trust level gates, and guardrails calibrated for autonomous, chained traffic — an API key check alone is not sufficient.

What should an AI agent audit log include that a standard application log does not?

Standard logs capture the HTTP layer. An agent audit log should additionally record: the agent's identity and trust level at the time of action; the guardrail decisions (every rule that ran, every trigger, every action taken); which specific policy clause applied and the evaluation result; the task type and parameters; and the cost incurred. This context makes it possible to reconstruct the causal chain of an incident spanning multiple agent hops.

For the latest guidance on AI agent security patterns, see AI agent security articles. To explore Praesidia's controls in your environment, get started at app.praesidia.ai.