You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
The Agentic AI (AAI) suit's mitigations already reason about action-class authority and reversibility, but only in card explanation prose, not as
a structured mapping dimension like STRIDE / CIA / MITRE ATLAS / OWASP LLM / OWASP Agentic / AITG / AISVS.
Two examples from the current cards:
AAI9 (CoPirate, unauthorized system modification) names the root cause as "The system does not distinguish between read operations and
destructive or privileged write operations when the request originates from an AI agent" and prescribes "Require explicit human approval for any
agent action that modifies security-relevant configuration, permissions, or infrastructure state."
AAIK (GPI-3.1415, catastrophic cross-system impact) prescribes "least privilege applied at the action level, not just at the credential level,"
"Never allow a single agent decision to trigger bulk irreversible changes across systems," and "Wrap all destructive or state-modifying agent
actions in reversible transactions or dry-run modes."
That is per-action-class authority and reversibility reasoning, stated as prose. Because it is not a structured field, it can't be queried,
filtered, or kept consistent across the suit the way the other dimensions are. A facilitator currently can't answer "which AAI cards involve
irreversible high-impact actions that need a human authorization gate?" from the mappings file.
Describe the solution you'd like
Add a decision_class dimension (with a decision_class_print variant, consistent with the existing schema) to each AAI card in source/companion-mappings-1.0.yaml. The taxonomy is a four-level ladder graded by reversibility and required authority:
ID
Label
Authority gate
RO
Read-only
Autonomous
BR
Bounded-reversible
Autonomous, logged
BI
Bounded-irreversible
Human authorization
IH
Irreversible high-impact
Human authorization + evidence threshold
Example rows (shape only; the full per-card mapping would follow in the PR, in the style of #2833):
This makes the authority/reversibility reasoning already present in the card prose queryable and consistent, and gives facilitators a fast way to
surface the cards whose mitigations require a human-in-the-loop gate.
Describe alternatives you've considered
Leaving the reasoning in prose only — rejected because it can't be queried or kept consistent, and the prose already varies in how explicitly
each card states the action class.
A free-text reversibility note per card — rejected because an enumerated class is filterable and avoids drift.
A separate standalone document — rejected because the mapping belongs next to the other dimensions in the same file, where facilitators already look.
Additional context
Scope is the AAI suit only, since that is where the prose already leans hardest on action-class reasoning. Extending the dimension to the LLM /
CLD / DVO suits where applicable would be follow-up work, not part of this change, to avoid re-opening the recently merged LLM/CLD mappings.
The four-class taxonomy aligns with emerging governance work that grades autonomous-action authority by reversibility and blast radius — e.g.
OWASP SPVS 1.5-AI, where I have an open PR adding a related runtime decision-rights control ([ADDED] V1.3.7 — NHI runtime decision-rights matrix www-project-spvs#15) — and is consistent with the AISVS least-privilege / continuous-authorization direction the suit already maps to.
@suvroc since you lead the AAI suit, I'd value your input on the class boundaries and would be glad to co-author. @sydseter@cw-owasp tagging per CODEOWNERS for visibility.
Is your feature request related to a problem? Please describe.
The Agentic AI (AAI) suit's mitigations already reason about action-class authority and reversibility, but only in card explanation prose, not as
a structured mapping dimension like STRIDE / CIA / MITRE ATLAS / OWASP LLM / OWASP Agentic / AITG / AISVS.
Two examples from the current cards:
destructive or privileged write operations when the request originates from an AI agent" and prescribes "Require explicit human approval for any
agent action that modifies security-relevant configuration, permissions, or infrastructure state."
"Never allow a single agent decision to trigger bulk irreversible changes across systems," and "Wrap all destructive or state-modifying agent
actions in reversible transactions or dry-run modes."
That is per-action-class authority and reversibility reasoning, stated as prose. Because it is not a structured field, it can't be queried,
filtered, or kept consistent across the suit the way the other dimensions are. A facilitator currently can't answer "which AAI cards involve
irreversible high-impact actions that need a human authorization gate?" from the mappings file.
Describe the solution you'd like
Add a
decision_classdimension (with adecision_class_printvariant, consistent with the existing schema) to each AAI card insource/companion-mappings-1.0.yaml. The taxonomy is a four-level ladder graded by reversibility and required authority:Example rows (shape only; the full per-card mapping would follow in the PR, in the style of #2833):
This makes the authority/reversibility reasoning already present in the card prose queryable and consistent, and gives facilitators a fast way to
surface the cards whose mitigations require a human-in-the-loop gate.
Describe alternatives you've considered
each card states the action class.
Additional context
CLD / DVO suits where applicable would be follow-up work, not part of this change, to avoid re-opening the recently merged LLM/CLD mappings.
OWASP SPVS 1.5-AI, where I have an open PR adding a related runtime decision-rights control ([ADDED] V1.3.7 — NHI runtime decision-rights matrix www-project-spvs#15) — and is consistent with the AISVS least-privilege / continuous-authorization direction the suit already maps to.