Skip to content

[AAI suit] Add a per-action-class decision-rights / reversibility mapping dimension to companion-mappings-1.0.yaml #3018

Description

@Mayur021

Is your feature request related to a problem? Please describe.

The Agentic AI (AAI) suit's mitigations already reason about action-class authority and reversibility, but only in card explanation prose, not as
a structured mapping dimension like STRIDE / CIA / MITRE ATLAS / OWASP LLM / OWASP Agentic / AITG / AISVS.

Two examples from the current cards:

  • AAI9 (CoPirate, unauthorized system modification) names the root cause as "The system does not distinguish between read operations and
    destructive or privileged write operations when the request originates from an AI agent" and prescribes "Require explicit human approval for any
    agent action that modifies security-relevant configuration, permissions, or infrastructure state."
  • AAIK (GPI-3.1415, catastrophic cross-system impact) prescribes "least privilege applied at the action level, not just at the credential level,"
    "Never allow a single agent decision to trigger bulk irreversible changes across systems," and "Wrap all destructive or state-modifying agent
    actions in reversible transactions or dry-run modes."

That is per-action-class authority and reversibility reasoning, stated as prose. Because it is not a structured field, it can't be queried,
filtered, or kept consistent across the suit the way the other dimensions are. A facilitator currently can't answer "which AAI cards involve
irreversible high-impact actions that need a human authorization gate?" from the mappings file.

Describe the solution you'd like

Add a decision_class dimension (with a decision_class_print variant, consistent with the existing schema) to each AAI card in
source/companion-mappings-1.0.yaml. The taxonomy is a four-level ladder graded by reversibility and required authority:

ID Label Authority gate
RO Read-only Autonomous
BR Bounded-reversible Autonomous, logged
BI Bounded-irreversible Human authorization
IH Irreversible high-impact Human authorization + evidence threshold

Example rows (shape only; the full per-card mapping would follow in the PR, in the style of #2833):

  # AAI9 — unauthorized configuration / permission / IAM modification
  decision_class: [ BI, IH ]
  decision_class_print: [ "Bounded-irreversible (human authorization)", "Irreversible high-impact (human authorization + evidence threshold)" ]

  # AAIK — catastrophic cross-system impact via excessive agency
  decision_class: [ IH ]
  decision_class_print: [ "Irreversible high-impact (human authorization + evidence threshold)" ]

  # AAI4 — unbounded consumption / cost harvesting
  decision_class: [ BR ]
  decision_class_print: [ "Bounded-reversible (autonomous, logged)" ]

This makes the authority/reversibility reasoning already present in the card prose queryable and consistent, and gives facilitators a fast way to
surface the cards whose mitigations require a human-in-the-loop gate.

Describe alternatives you've considered

  • Leaving the reasoning in prose only — rejected because it can't be queried or kept consistent, and the prose already varies in how explicitly
    each card states the action class.
  • A free-text reversibility note per card — rejected because an enumerated class is filterable and avoids drift.
  • A separate standalone document — rejected because the mapping belongs next to the other dimensions in the same file, where facilitators already look.

Additional context

  • Scope is the AAI suit only, since that is where the prose already leans hardest on action-class reasoning. Extending the dimension to the LLM /
    CLD / DVO suits where applicable would be follow-up work, not part of this change, to avoid re-opening the recently merged LLM/CLD mappings.
  • The four-class taxonomy aligns with emerging governance work that grades autonomous-action authority by reversibility and blast radius — e.g.
    OWASP SPVS 1.5-AI, where I have an open PR adding a related runtime decision-rights control ([ADDED] V1.3.7 — NHI runtime decision-rights matrix www-project-spvs#15) — and is consistent with the AISVS least-privilege / continuous-authorization direction the suit already maps to.
  • @suvroc since you lead the AAI suit, I'd value your input on the class boundaries and would be glad to co-author. @sydseter @cw-owasp tagging per CODEOWNERS for visibility.
  • Per CONTRIBUTING.md, raising this as an issue first and requesting assignment before opening a PR. Happy to author the full per-card mapping PR in the Add security mappings (STRIDE, CIA, MITRE ATLAS, OWASP LLM Top 10, CWE) for all LLM companion cards (LLM2-LLMK) #2833 format (per-card reasoning table + authoritative-source references) once scoped.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions