The Agentic AI Top 10 maps well to the Agent Passport System's enforcement model. Here's how APS addresses each relevant risk:
| Risk | APS Mitigation |
|------|----------------|
| AAI001: Agent Hijacking | Delegation chain check runs in enforcement layer, not model layer. Hijacked agent's intent is signed (forensic evidence) then denied if out-of-scope |
| AAI002: Tool Misuse | ProxyGateway binds exact tool + parameters + target at approval time. Tool calls outside approved scope are rejected before execution |
| AAI003: Privilege Escalation | Monotonic narrowing invariant — each delegation can only narrow authority, never widen. Mathematically impossible for sub-agent to exceed parent's scope |
| AAI005: Agent Impersonation | Ed25519 cryptographic identity per agent. Messages must be signed. Unsigned or forged messages fail signature verification |
| AAI006: Memory/Context Poisoning | 3-signature receipt chain provides tamper-proof audit trail. Poisoned context can cause agent to request unauthorized action, but policy engine denies it |
| AAI008: Agent Orchestration Attacks | Cascade revocation — revoking one delegation invalidates all downstream delegations instantly, severing any compromised orchestration chain |
Key design principle: APS treats these as authorization enforcement problems, not model behavior problems. The enforcement layer operates independently of the LLM, so compromised model reasoning cannot bypass delegation checks.
The protocol is open source (Apache 2.0), ships as both TypeScript and Python SDKs, and has an MCP server (120 tools) for interoperability with any agent framework.
Happy to contribute mitigation strategies or participate in the red teaming workstream.