Security
This document is written for CISOs, security architects, and anyone evaluating AgentLattice as part of their AI governance stack. It covers data handling, authentication, authorization, audit integrity, anomaly detection, and the threat model AgentLattice is designed to address.
Core Principle: Metadata Only
AgentLattice never sees your agent's actual data. It operates exclusively on action metadata: what type of action was attempted, what resource categories were accessed, how many records were involved, and what sensitivity level applies.
When an agent calls al.gate("db.migrate"), AgentLattice receives the action type (db.migrate), optional metadata (repo name, PR number), and data access descriptors (e.g., "database, 50 rows, high sensitivity"). It never receives the actual database records, file contents, API payloads, or any business data your agent processes.
This is a deliberate architectural decision. AgentLattice does not need your data to do its job. It needs to know what happened and who did it, not what the data said. This minimizes your attack surface and simplifies data processing agreements.
Authentication
Agent Authentication
Every agent authenticates via an API key issued during registration. Keys are:
- Workspace-scoped: An agent's key only works within its registered workspace.
- Hashed at rest: AgentLattice stores a SHA-256 hash of each key. The raw key is shown exactly once at creation time.
- Immediately revocable: Deactivating an agent or revoking its key takes effect on the next request.
Operator Authentication
Human operators authenticate through your identity provider via standard OAuth/OIDC flows. Workspace membership is verified on every request.
MCP Authentication
MCP keys follow the same pattern as agent keys: generated in the dashboard, shown once, stored as SHA-256 hashes. MCP keys are scoped to the workspace and can be revoked instantly by any admin. See MCP Integration for details.
Delegated Agent Authentication
Ephemeral agents created through delegation receive short-lived API keys with bounded TTLs (maximum 24 hours). These keys are cryptographically random, transmitted over TLS only, and become useless the moment the delegation is revoked or expires. See Agents & Delegation for the full delegation model.
Authorization
Policy Engine
Every action submitted to AgentLattice is evaluated against your workspace's policy rules before it can proceed. The policy engine supports:
- Auto-approve: Actions matching specific criteria proceed without human review.
- Require approval: Actions are held until a designated reviewer approves or denies them.
- Auto-deny: Actions matching certain criteria are rejected immediately.
- Conditional rules: Policies can evaluate metadata fields (PR size, data sensitivity, time of day) to make dynamic decisions.
Policies are versioned. Every audit event records which policy version governed the decision, providing a complete history of your governance rules as they evolve.
Segregation of Duties
AgentLattice enforces that the entity requesting an action cannot be the same entity approving it. This is a hard constraint, not a configuration option. It addresses a core SOX and SOC 2 requirement: the person (or agent) who initiates a change must not be the one who authorizes it.
Delegation Scope Enforcement
Delegated agents can only perform actions within their granted capabilities, and those capabilities must be a strict subset of the parent's. This is enforced server-side on every request -- not by the SDK, not by convention, but by the authorization layer. Attempts to exceed scope are rejected with a 403 and recorded in the audit trail.
Scope narrows monotonically through delegation chains. A grandchild agent can never have more capabilities than its parent, regardless of how many levels of delegation exist.
Audit Trail
Immutable Event Log
Every action creates an audit event containing:
- Agent identity and key fingerprint
- Action type and metadata
- Policy evaluation result (approved, denied, timed out)
- Trust source (direct API key, delegation token)
- Timestamp and cryptographic nonce
- Data access descriptors (resource types, counts, sensitivity levels)
Hash Chain
Each audit event includes a prev_hash field pointing to the hash of the previous event, and a row_hash computed from the event's own fields plus the previous hash. This creates a tamper-evident chain: modifying any event changes its hash, which breaks the chain for every subsequent event.
The hash chain provides two guarantees:
- Row integrity: Each event's hash can be independently recomputed and verified against the stored value.
- Chain linkage: Each event's
prev_hashmust match the previous event'srow_hash. A gap or alteration is detectable.
Hashes use SHA-256. The first event in any workspace's chain references a genesis value, establishing the chain root.
Checkpoint Signing
To make verification scalable, AgentLattice periodically creates signed checkpoints. A checkpoint records the cumulative hash at a specific point in the chain and signs it with an ECDSA P-256 key. Verification only needs to walk the chain from the most recent signed checkpoint, not from the beginning of time.
Checkpoint signing is automated and runs on a regular schedule. The signing key is managed server-side and never exposed to clients.
Delegation Audit Trail
Every delegation lifecycle event is recorded: creation, child actions (tagged with delegation context), revocation, and automated cleanup. If an ephemeral agent takes an action, the audit trail links it back through the full delegation chain to the originating parent agent.
Encryption
- In transit: All communication uses TLS 1.2+. API keys, MCP keys, and delegation tokens are never transmitted in plaintext.
- At rest: Data is encrypted at rest using AES-256 via the underlying PostgreSQL infrastructure. Encryption keys are managed by the hosting provider and are not accessible to application code.
Anomaly Detection
AgentLattice maintains behavioral baselines for each agent: typical action volume, data access patterns, tool usage sequences, and session characteristics. Every action is scored against this baseline.
Detection Signals
- Bulk data access: An agent accessing significantly more records than its baseline suggests data exfiltration or a runaway process.
- Scope creep: An agent attempting action types outside its historical pattern.
- Exfiltration patterns: Access to sensitive data followed immediately by an external write operation.
- Sequence anomalies: Tool usage patterns that deviate from the agent's established workflow.
- Cross-agent propagation: Anomalous behavior in a parent agent that correlates with anomalous behavior in its children, suggesting prompt injection or compromise propagation.
Anomaly events are tagged with threat taxonomy technique identifiers, giving your security team a common vocabulary for discussing AI agent threats.
Circuit Breakers
When anomaly scores exceed configured thresholds, AgentLattice can take graduated enforcement actions:
| Response Level | Effect |
|---|---|
| WARN | Alert generated, agent continues operating |
| THROTTLE | Agent's action rate is reduced to a fraction of its baseline |
| HALT | Agent is suspended pending human review. Can be resumed after investigation |
| KILL | Agent is permanently deactivated. Requires explicit re-provisioning |
Circuit breaker policies are configurable per workspace: you set the anomaly types, score thresholds, and response levels. Policies can be set to notify-only (human decides) or auto-execute (system enforces immediately).
All enforcement events are hash-chained in their own tamper-evident log, separate from the main audit chain.
Threat Model
What AgentLattice Protects Against
| Threat | Mitigation |
|---|---|
| Unauthorized agent actions | Every action is evaluated against org policies. No policy = no action. |
| Privilege escalation via delegation | Monotonic scope narrowing enforced server-side. Children cannot exceed parent capabilities. |
| Audit trail tampering | Hash chain with checkpoint signing. Modifying any event breaks the chain detectably. |
| Compromised agent API key | Immediate revocation, delegation TTL bounds exposure, cascade revocation for child agents. |
| Agent self-replication | Rate limit of 10 active ephemeral children per parent. Enforced at both application and database levels. |
| Data exfiltration by agent | Behavioral baselines detect bulk access and access-then-external-write patterns. Circuit breaker halts the agent. |
| Prompt injection propagation | Cross-agent correlation detects anomalous behavior propagating through delegation chains. |
| Insider threat (human operator) | Segregation of duties enforcement. Audit trail records all human actions including MCP operations. |
What AgentLattice Does Not Protect Against
- Compromise of the AgentLattice platform itself. AgentLattice is infrastructure -- it has the same trust posture as your identity provider or secrets manager.
- Agents that bypass the SDK entirely. Governance requires the agent to route actions through AgentLattice. An agent that calls external APIs directly without using the SDK is ungoverned.
- Social engineering of human approvers. AgentLattice gates actions, but if a human approver rubber-stamps everything, the approval gate provides reduced value. Anomaly detection partially mitigates this by flagging unusual approval patterns.
Incident Response
When an agent is halted or killed by the circuit breaker, AgentLattice generates a structured incident record containing:
- The triggering anomaly event and score
- Threat taxonomy technique identification
- Full behavioral timeline leading up to the incident
- The enforcement action taken and by whom (system or human)
- References to the relevant audit trail events (hash-chain verified)
These records are exportable for post-incident review, insurance documentation, and regulatory reporting.