Open framework · CC BY 4.0

BRACE

A practical security framework for teams that build and operate autonomous AI agents — the kind that plan, call tools, change real systems, and spawn sub-agents without a human reviewing each action.

BUILD-TIME · RUN-TIME · AGENT · CONFIGURATION · ECOSYSTEM

The idea

Why agent security needs its own framework.

An autonomous agent is not the code that shipped. It is a runtime configuration of infrastructure — a container, a harness (the loop that runs the model and hands it tools), a system prompt, a set of tools, a memory store, an identity, and a network path. Two agents built from the same model can behave completely differently depending on how those parts are configured. So you secure the configuration, not the code — there is no code to review.

Nine controls, three observability requirements

Every control and observable splits into an agent-scoped half (configured per agent) and an ecosystem-scoped half (the shared substrate). You cannot secure one half alone.

Build-time — fixed when the agent is built

CONTROL 1

Architecture

Environment and network isolation; bound the blast radius by topology.

CONTROL 2

Capability-scoped API access

Tokens grant specific capabilities, not wildcards.

CONTROL 3

Container

Signed, minimal, kernel-isolated; the image hash is part of the agent's identity.

CONTROL 4

Harness

Which tools, which limits — and destructive actions blocked by default.
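The harness control above is the one that most directly stops an agent from doing damage, so here is a minimal tool-call gate that enforces it: an explicit per-agent tool allowlist, a per-run call limit, and destructive actions denied unless a human approval is attached to that specific call. This is an added illustration, not BRACE's own code; the tool names, the destructive-verb list and the call limit are assumptions made for the example.

```python
"""Tool-call gate for an agent harness.

Added illustration of BRACE Control 4 (harness: which tools, which limits,
destructive actions blocked by default) and the Tier 1 item
"destructive-verb interception". Not BRACE's own code; the tool names,
the destructive-verb list and the per-run call limit are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HarnessPolicy:
    """Per-agent harness configuration. Anything not listed is denied."""
    allowed_tools: frozenset[str]
    max_calls_per_run: int
    # Assumed verb list; a real deployment tunes this per tool.
    destructive_verbs: frozenset[str] = frozenset(
        {"delete", "drop", "rm", "truncate", "destroy", "purge", "force"}
    )
    calls_made: int = field(default=0)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


_WORD = re.compile(r"[a-z]+")


def is_destructive(tool: str, args: dict, verbs: frozenset[str]) -> bool:
    """True if the tool name or any argument contains a destructive verb as a whole word.

    Deliberately coarse: it matches the verb anywhere in the arguments, so
    `rm -rf build/` and `DROP TABLE users` are both caught, at the cost of
    occasional false positives (a file called delete_me.txt) that a human
    must then approve.
    """
    texts = [tool.lower()] + [str(v).lower() for v in args.values()]
    return any(w in verbs for text in texts for w in _WORD.findall(text))


def gate_tool_call(policy: HarnessPolicy, tool: str, args: dict, approved: bool = False) -> Decision:
    """Decide whether the harness may execute one tool call. Default is deny.

    `approved` is an explicit human approval for this specific call; it is
    the only way a destructive action passes.
    """
    if tool not in policy.allowed_tools:
        return Decision(False, f"tool '{tool}' is not in the allowlist")
    if policy.calls_made >= policy.max_calls_per_run:
        return Decision(False, "per-run tool-call limit reached")
    if is_destructive(tool, args, policy.destructive_verbs) and not approved:
        return Decision(False, "destructive action blocked: explicit approval required")
    policy.calls_made += 1
    return Decision(True, "allowed")


if __name__ == "__main__":
    policy = HarnessPolicy(allowed_tools=frozenset({"read_file", "shell", "sql"}), max_calls_per_run=3)
    for name, args in [("read_file", {"path": "README.md"}), ("shell", {"cmd": "rm -rf build/"}), ("send_email", {})]:
        print(name, gate_tool_call(policy, name, args))
```

The gate is intentionally a blunt default-deny filter. Tool-specific parsers (a SQL statement classifier, a shell command parser) catch more with fewer false positives, but the point of the control is that the default answer for anything destructive is "no" until a human says otherwise.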

Run-time — active on every execution

CONTROL 5

Data

Treat all external input as untrusted; assume injection sometimes succeeds.

CONTROL 6

Memory

Scope per instance and type; validate writes; keep per-entry provenance.
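The data and memory controls work together: external input is untrusted, and whatever the agent remembers must carry where it came from. The following store, an added example rather than BRACE's own code, shows the three mechanisms named above in one place: memory scoped per instance and per type, writes validated before they land, and a provenance record (source and trust level) on every entry that reads can filter on. The memory types, trust labels and size limit are assumptions.

```python
"""Scoped memory store with write validation and per-entry provenance.

Added illustration of BRACE Controls 5 (all external input is untrusted)
and 6 (memory scoped per instance and type; validated writes; per-entry
provenance). Not BRACE's code; the memory types, trust labels and the
entry size limit are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

MEMORY_TYPES = {"task", "episodic"}                 # assumed
TRUST_RANK = {"external": 0, "user": 1, "operator": 2}  # assumed; "external" = tool output, web content, other agents
MAX_ENTRY_CHARS = 2000                                 # assumed


@dataclass(frozen=True)
class MemoryEntry:
    instance_id: str
    mem_type: str
    content: str
    source: str        # e.g. "operator:config", "user", "tool:fetch_url"
    trust: str
    written_at: str    # UTC ISO-8601


class ScopedMemory:
    def __init__(self):
        self._entries: list[MemoryEntry] = []

    def write(self, instance_id, mem_type, content, source, trust):
        """Validate, then append. Returns (entry, None) or (None, reason).

        Nothing is stored without a source and a trust level, so every later
        read and every audit record can say where a memory came from.
        """
        if mem_type not in MEMORY_TYPES:
            return None, f"unknown memory type '{mem_type}'"
        if trust not in TRUST_RANK:
            return None, f"unknown trust level '{trust}'"
        if not isinstance(content, str) or not content.strip():
            return None, "empty or non-string content"
        if len(content) > MAX_ENTRY_CHARS:
            return None, "entry exceeds size limit"
        if not source:
            return None, "missing source"
        entry = MemoryEntry(instance_id, mem_type, content.strip(), source, trust,
                            datetime.now(timezone.utc).isoformat())
        self._entries.append(entry)
        return entry, None

    def read(self, instance_id, mem_type, min_trust="external"):
        """Only this instance's entries of this type; other instances are never visible.

        `min_trust` lets a caller exclude external-origin memories, e.g. when
        assembling the part of the prompt that carries instructions.
        """
        floor = TRUST_RANK[min_trust]
        return [e for e in self._entries
                if e.instance_id == instance_id and e.mem_type == mem_type
                and TRUST_RANK[e.trust] >= floor]

    def as_context(self, instance_id, mem_type):
        """Render entries for the prompt with their provenance kept visible."""
        return "\n".join(f"[{e.trust} via {e.source}] {e.content}"
                         for e in self.read(instance_id, mem_type))
```

Keeping provenance in the rendered context does not stop an injected instruction from being followed (the framework assumes injection sometimes succeeds); what it does is let the behavioral monitor and the audit trail attribute a bad action to the external entry that preceded it.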

CONTROL 7

Behavioral

Security-anomaly monitoring, separate from quality monitoring.

Closure — stop and explain

CONTROL 8

Kill switch

A tested way to halt the agent and its sub-agents, leaving a safe state.

CONTROL 9

Audit trail

The full execution graph for every action — not just the output.

Observability — the data the controls depend on

T1

Required identity fields

Six fields per action, including a content-hashed agent-type-id.
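A content-hashed agent-type-id follows directly from the page's opening point: an agent is its configuration, so its type identity should be a hash over that configuration rather than a name someone typed. The function below is an added example, not BRACE's code. Which parts feed the hash (model, container image digest from Control 3, system prompt, tool set, egress allowlist) and how they are canonicalised are this example's assumptions; the page's other five identity fields are not named here and the example does not guess them.

```python
"""Content-hashed agent-type-id.

Added illustration of BRACE observable T1 (a content-hashed agent-type-id
on every action). Not BRACE's code; the set of configuration parts that
feed the hash and the canonicalisation rules are assumptions.
"""
import hashlib
import json


def agent_type_id(config: dict) -> str:
    """Hash the security-relevant parts of an agent's configuration.

    Canonicalisation: only the listed keys are hashed; tool names and egress
    hosts are sorted and de-duplicated so ordering changes do not create a
    new identity; the system prompt has line endings and trailing whitespace
    normalised. Any substantive change (an added tool, a different image
    digest, an edited prompt line) yields a different id.
    """
    prompt_lines = config["system_prompt"].replace("\r\n", "\n").split("\n")
    canonical = {
        "model": config["model"],
        "image_digest": config["image_digest"],  # Control 3: image hash is part of identity
        "system_prompt": "\n".join(line.rstrip() for line in prompt_lines).strip(),
        "tools": sorted(set(config["tools"])),
        "egress_allowlist": sorted(set(config.get("egress_allowlist", []))),
    }
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def same_identity(a: dict, b: dict) -> bool:
    return agent_type_id(a) == agent_type_id(b)


# Constructed sample configuration; the digest is a placeholder, not a real image.
BASE_CONFIG = {
    "model": "example-model-v1",
    "image_digest": "sha256:" + "0" * 64,
    "system_prompt": "You are a release assistant.\nNever modify production.\n",
    "tools": ["read_file", "run_tests", "open_pr"],
    "egress_allowlist": ["git.example.internal"],
}

if __name__ == "__main__":
    print(agent_type_id(BASE_CONFIG))
    widened = dict(BASE_CONFIG, tools=BASE_CONFIG["tools"] + ["shell"])
    print(agent_type_id(widened))  # differs: a new tool is a new agent type
```

Logging this id on every action is what lets behavioral baselines be built per agent type rather than per model, and what makes a quiet widening of an agent's tool set show up as a new identity instead of a drift in an existing one.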

T2

Context-size logging

Context size at decision time, so baselines can split by size.

T3

Sub-agent provenance

Which sub-agent ran, and the prompt the parent gave it.

Ship them in this order

Most teams cannot build all twelve at once, and should not wait until they can.

Tier 1 — Prevent damage, preserve attribution

Destructive-verb interception, capability-scoped tokens, a tested kill switch, an audit trail, and the six identity fields.

Tier 2 — Harden the substrate, surface invisible failures

Environment and egress isolation, a signed minimal container, input validation, context-size logging.

Tier 3 — Active detection

Behavioral monitoring with sequence-pattern baselines, memory provenance, sub-agent and parent-prompt provenance.

Adopting only part of BRACE means you are accepting the rest of the risk on purpose, not removing it.

It composes — it doesn't replace

Use OWASP and MITRE to know what can go wrong. Use BRACE to know what to build, and in what order.

  • OWASP Top 10 for Agentic Applications — a threat catalog. BRACE maps each risk (ASI01–ASI10) to the controls that mitigate it.
  • MITRE ATLAS — attacker techniques. BRACE maps the agentic techniques to controls.
  • NIST AI RMF / ISO 42001 — governance and compliance. BRACE is the technical control layer underneath.

Start here

Pick the artifact that matches your job.

Status. BRACE is a synthesis of agent-security practice already in production across the industry — not yet a validated standard. The individual controls are widely deployed; what BRACE adds is the unified organization and the agent-granularity instrumentation. It is an open, evolving project — apply it, critique it, and contribute.