Reference
Short, technical definitions of terms used across our research on enterprise AI agents and AI security. Alphabetical order.
An open protocol for communication and capability discovery between AI agents, independent of framework. Complements MCP, which governs agent-to-tool communication.
A system built around an LLM that repeatedly reasons, calls tools, and acts on the results, rather than returning a single response. Unlike a chatbot, it acts on external systems across multiple steps.
A library providing reusable primitives for building agents: orchestration, state management, tool integration, multi-agent coordination. Examples: LangGraph, CrewAI, OpenAI Agents SDK, Google ADK.
The control layer between a raw model and the real world: tool registry, context and memory management, guardrails, permission enforcement, error handling. "Agent = Model + Harness."
The repeated cycle inside an agent turn: assemble context, call the model to reason, act on a tool call, feed the result back, repeat until a stop condition is reached. Canonical form: the ReAct pattern.
Persistent state an agent retains across sessions: procedural, semantic, or episodic. Enables long-running agents but introduces persistent memory poisoning as a risk.
An inventory of all agents in an organization, including officially built, third-party, and shadow agents. A core component of a control plane.
The control-plane layer for agents: registration, identity, policy enforcement, and lifecycle management. Distinct from the gateway, which is the data plane.
The data-plane layer for agent-to-tool, agent-to-LLM, and agent-to-agent traffic: rate limiting, inline guardrails, tool federation, cost control, tracing.
The dependencies an agent relies on beyond the model itself: framework libraries, community tools, MCP servers, registries. A compromised link can change agent behavior after the fact.
The tendency of human reviewers to approve most permission prompts reflexively once volume is high, undermining human-in-the-loop as a safety control.
Security controls that are themselves agentic: detecting and responding to threats at machine speed rather than through manual review. An emerging, still-immature capability.
A risk where unbounded loops, retries, or unauthorized tool usage drive up compute or API cost without a corresponding rate or budget limit.
A risk where an agent is granted more autonomy, tool access, or permissions than the task requires, expanding the blast radius of any single error.
A design pattern requiring human approval before an agent executes an irreversible or high-impact action.
Prompt injection delivered through content an agent processes as part of its task, such as a tool result or web page, rather than through direct user input.
Short-lived, task-scoped credentials issued to an agent only for the duration and scope of a specific action, replacing long-lived static credentials.
A control-plane capability to immediately revoke an agent's access or halt its execution, independent of the agent's own logic.
The principle that an agent's autonomy and tool access should be the minimum required for its task, granted deliberately rather than by default.
A single, stateless request-response interaction with an LLM: one prompt in, one completion out. No memory, no tools, no loop.
An agent that works on a task across multiple sessions and context windows, with persistent memory and the ability to resume after interruption.
The risk that an agent's behavior becomes unsafe over an accumulated series of sessions even though each individual session passes safety benchmarks.
A seven-layer threat-modeling framework for agentic AI that treats security and compliance as a layer cutting across all other layers.
An open protocol standardizing how agents connect to external tools and data sources. A major source of real-world agentic risk when servers are misconfigured.
An identity assigned to a non-human actor, such as an agent or service, rather than a human user. Now substantially outnumbers human identities in most enterprises.
A risk taxonomy naming ten agent-specific risk categories, from Agent Goal Hijack to Rogue Agents (ASI01–ASI10).
An injection attack that lands in an agent's persistent memory and is reloaded on every subsequent session, functioning as a persistence mechanism.
Enforcing governance rules as machine-readable policy evaluated at the infrastructure layer, rather than as text-based instructions.
The canonical agent loop pattern: observe, think, act, repeated until a stop condition. Short for "Reasoning and Acting."
An agent that acts outside its intended scope or authorization, and is not caught because no registry or control plane is tracking it.
A design constraint: within a session, an agent should have at most two of three properties — untrustworthy input, access to sensitive systems, and the ability to change state externally.
The operational hosting layer for an agent: compute, scaling, isolation, agent identity, networking, observability hooks.
The behavior-defining layer of an agent: system prompt, tool descriptions, output format instructions.
An append-only log of every model call, tool call, and result within an agent's execution. The primary audit-evidence artifact for agentic systems.
An agent built, deployed, or connected without going through an organization's agent registry or governance process.
The mechanism by which an agent invokes external functions, APIs, or tools based on the model’s decision, and receives the result back into its context.
Two MCP-specific attack techniques: hiding malicious instructions inside a tool's description, or changing a tool's behavior after a client has already approved it.