Agentic Security
Agent Goal Hijack is why "No Stamp → No Ship" exists.
For high-impact agent actions, Good Proof enforces an externally verifiable, fail-closed gate using a revocable Status Link.
Assume compromise; limit blast radiusExternally verifiable stop-relyAudit-ready gating evidence
Not a certification. Scope-limited verification. Downstream acceptance depends on counterparty/programme requirements.
Threat Model in 60 Seconds
1
Indirect prompt injection: malicious instructions in documents, emails, or web content2
Goal hijack / instruction-data confusion: objective subtly redirected (confusable deputy)3
Tool misuse + permission escalation: execution beyond intended scope or privileges4
Connector/plugin supply-chain risk: compromised third-party integrations5
Long-horizon steering: multi-step workflows manipulated across conversation turns6
Exfiltration via tool calls: tokens, secrets, or outputs leaked through connectorsWhy Gates Beat Guardrails
Guardrails reduce risk—they do not guarantee prevention.
High-impact actions require a machine-checkable, revocable external gate.
Status Link = control object for reliance.
Is This a Fit?
Best fit
- High-impact agent actions (denials, transfers, overrides, closures)
- Teams needing stop-rely + external verifiability
Not fit
- Low-risk chat-only copilots
- Teams seeking prompt tuning without execution control
Enforcement Flow
1
Agent requests high-impact action2
Gate verifies Status Link from official verifier3
Policy evaluates status + scope + expiry + freshness4
Execute only if VALID; else block/escalate5
Log Gate Decision + evidence fieldsStatus Definitions
VALIDDecision verified, within scope, not expired—proceed
NEEDS_REFRESHRe-verification required before reliance
WITHDRAWNReliance stopped—block immediately
EXPIREDPast expiry threshold—treat as non-reliance
NOT_VERIFIEDVerification failed—block or escalate
Treat NEEDS_REFRESH as non-reliance for high-impact execution unless programme policy explicitly routes to review.
Failure Semantics
| Condition | Returned State | Default Action |
|---|---|---|
| Timeout / network unreachable | NOT_VERIFIED | Block/Escalate |
| TLS / certificate failure | NOT_VERIFIED | Block/Escalate |
| Domain mismatch / redirect | NOT_VERIFIED | Block/Escalate |
| Malformed / unauthenticated response | NOT_VERIFIED | Block/Escalate |
| WITHDRAWN status returned | WITHDRAWN | Block + stop-rely |
| NEEDS_REFRESH status returned | NEEDS_REFRESH | Escalate/Review |
| VALID but out-of-scope / expired | NOT_VERIFIED | Block/Escalate |
What Good Proof Does (and Doesn't)
Does
- Hard gate for high-impact actions — No Stamp → No Ship. Agents cannot proceed without a valid Status Link.
- Stampable permission boundaries — Agent permissions become a control object with live status—not just a config file.
- Live Status revocation — Revocation is immediate at source. Enforcement is bounded by verify-per-action/TTL.
- Guardian exception review — When edge cases arise, scoped human finality—not blanket AI overrides.
Does NOT
- Prompt injection detection or scanning
- Guarantee secure or compliant system
- Replace red team, pentest, or security program
- Real-time behavior monitoring
Evidence Pack Minimum Fields
Designed for incident response, audit, disputes, and underwriting review.
stamp_id
action_class
decision
status
verified_at
expires_at
verifier_domain
signer
version
request_id
reason_code
failure_mode
Where This Fits
Compensating control, not replacement.
Works alongside:
Least privilege and role-based access
Sandboxing and execution isolation
Egress controls and network segmentation
Secret management and credential rotation
Red teaming and adversarial testing
Monitoring and logging
Control Mapping
SOC 2:Logical Access, Change Management, Monitoring, System Operations
ISO 27001:Access Control, Communications Security, Logging/Monitoring, Supplier Relationships
NIST:AC (Access Control), AU (Audit), CM (Configuration), SC (System/Comms), SI (System Integrity)
Mapping only; not a certification claim.
Procurement Fast-Path
"High-impact [ACTION_CLASS] SHALL require a valid externally-verifiable Status Link (No Stamp → No Ship)."
See /kill-switch for enforcement semantics and /clause-pack for template language.
Responsibilities
Buyer
Defines action classes, runs gate, enforces fail-closed
Supplier
Issues Stamps, maintains Status Links, propagates refresh/withdrawal
Guardians
Exceptions/appeals only, scoped human finality
Agentic Gate Sprint (30 Days)
One lane live with fail-closed enforcement, Status Link verification, and Evidence Pack output.
1
ScopeHigh-impact action classes + success criteria
2
IntegrateGate checks + logging infrastructure
3
DrillsTimeout/TLS/domain/malformed + refresh/withdrawal tests
4
DeliverGo-live report + rollout plan
Definition of done: Selected workflow blocks on status ≠ VALID for chosen action class.
Risk Reduced vs Out of Scope
Risk reduced
- Unbounded blast radius
- Unverified high-impact execution
- Stale authorization
- Missing decision-time evidence
Out of scope
- Model correctness/quality
- Blanket compliance certification
- Insider abuse/infrastructure posture
Mind Chill Guardians
Human finality for exceptions/appeals only
Conflict-checked independent review
Multi-review thresholds for high-risk lanes
Auditable traceability with minimal disclosure
Ready to gate high-impact agent actions?
Start with one decision class. Prove verification. Then scale.
Scope-limited verification. Not a certification.