# CLAWLINE Zero Trust for Agentic AI

**Methodology update:** `CLAWLINE_METHOD_V0.7_ASI_ALIGNMENT_2026-07-02`  
**Status:** Candidate white paper / implementation blueprint / ASI-traceable control layer  
**Owner:** CLAWLINE / LeftOutSecurity  
**Purpose:** Extend CLAWLINE into a vendor-neutral Zero Trust assessment methodology for autonomous AI agents, local agent runtimes, MCP supply chains, ABOM evidence, negative-space analysis, OWASP ASI Top 10 traceability, and machine-speed response.  
**Automated assessment scope:** `STATIC_SUBMISSION`; `runtime_behavior_verified: false`.

---

## 1. Executive thesis

Autonomous AI agents cannot be secured as ordinary users, ordinary workloads, or ordinary SaaS integrations. Agents can ingest untrusted context, plan across multiple steps, invoke tools, mutate state, write data, call APIs, and delegate work faster than human security teams can review each action.

CLAWLINE therefore treats every autonomous agent as a discrete security principal with its own identity, authority boundary, evidence package, telemetry obligations, blast-radius tier, and ASI traceability profile.

The automated v0.7 path parses and evaluates only the submitted disclosure and nested ABOM. It does not start, instrument, observe, terminate, or otherwise control the submitted agent. A `FREEZE`, `KILL`, `QUARANTINE`, or `BLOCK` value is a deterministic assessment/publication decision; it is not proof that a live runtime action occurred.

The v0.7 candidate profile is additive. Existing v0.5 submission fields remain accepted, and the optional ABOM v0.4 intake is nested at `clawline_submission.disclosure.clawline_disclosure.abom`. The method version does not silently replace the v0.5 base submission contract.

**Positioning:**

- Microsoft provides a concrete enterprise implementation path for Microsoft-native environments.
- CLAWLINE provides a vendor-neutral review method for any agent stack: Microsoft, OpenAI, Anthropic, Google, AWS, self-hosted, OpenClaw-style local agents, MCP servers, custom browser agents, and automation gateways.
- LeftOutSecurity can package this as paid services: `AI Agent Zero Trust Review`, `MCP Security Review`, `Agent Blast-Radius Map`, `OWASP ASI Traceability Review`, and `ABOM Evidence Package`.

---

## 2. External source basis

This update is grounded against these public control anchors:

| Source | Relevance |
|---|---|
| Microsoft - Configure agent identity security with Zero Trust Assessment | Agent token access, authentication gaps, overpermissioned agents, lifecycle/accountability gaps, Conditional Access for agents. |
| Microsoft - Secure autonomous agentic AI systems | Autonomous agents can plan, invoke tools, access data, and execute actions with limited human intervention. |
| Microsoft Entra Agent ID docs | Agent identity, sponsor/owner lifecycle, agent identity logging, Conditional Access, Identity Protection, Governance. |
| Microsoft Foundry Prompt Shields | Prompt injection and adversarial input guardrail model. |
| Microsoft Purview AI protections | Data classification, DLP, compliance, and AI usage governance. |
| Microsoft Security Dashboard for AI | AI asset inventory, risk posture, third-party AI/MCP visibility, executive reporting. |
| OWASP Top 10 for Agentic Applications 2026 | External ASI taxonomy for agent goal hijack, tool misuse, identity abuse, supply chain, RCE, memory poisoning, A2A security, cascading failures, human trust exploitation, and rogue agents. |
| OWASP Agentic AI - Threats and Mitigations | Threat-model-based reference for emerging agentic threats and mitigation themes. |
| OpenClaw security guidance | Local gateway threat model, one-trust-boundary assumption, shell/file/network access, sandboxing. |
| CrowdStrike OpenClaw guidance | Discovery, external exposure, prompt injection, local execution, sensitive file and lateral movement risk. |

---

## 3. CLAWLINE control domains

| Domain | Name | Core question | Output |
|---|---|---|---|
| `AZTA-01` | Agent Identity & Trust Fabric | Does every agent have a discrete, verifiable identity separate from the user and runtime? | Agent identity map, owner/sponsor map, token path review. |
| `AZTA-02` | Context Integrity & Negative Space | Can untrusted context override, poison, or silently redirect the agent? | Prompt/context boundary map and absent-control findings. |
| `AZTA-03` | Tool & MCP Supply Chain | Are MCP servers, tool manifests, SDKs, and connectors approved, pinned, and monitored? | MCP catalog review, pinning/drift report. |
| `AZTA-04` | Data Boundary & RAG Security | What can the agent retrieve, infer, summarize, leak, or retain? | Data access map, RAG/vector store boundary review. |
| `AZTA-05` | Agent Execution Boundary | Where can the agent run code, browse, write files, call APIs, or mutate systems? | Execution capability graph and sandbox review. |
| `AZTA-06` | Autonomy & HITL Controls | Which actions are automatic, approval-gated, capped, or forbidden? | Action policy matrix and human-in-the-loop gates. |
| `AZTA-07` | Runtime Telemetry & Machine-Speed Response | Can every agent action be logged, attributed, detected, and revoked at machine speed? | Telemetry map, SIEM/SOAR trigger map, kill-switch review. |
| `AZTA-08` | Endpoint & Local Agent Isolation | Are local agents isolated from host credentials, files, shell, browser sessions, and unmanaged ports? | Local runtime isolation score. |
| `AZTA-09` | ABOM & Evidence Governance | Is the agent's identity, model, prompts, tools, data, memory, policies, and provenance documented? | ABOM package and custody receipt. |
| `AZTA-10` | Blast Radius & Business Impact | What is the maximum harm if the agent is hijacked or misaligned? | Blast-radius tier and remediation roadmap. |

---

## 4. Microsoft-to-CLAWLINE crosswalk

| Microsoft control layer | CLAWLINE mapping | Methodology change |
|---|---|---|
| Entra Agent ID / Agent identities | `AZTA-01 Agent Identity & Trust Fabric` | Agent identity evidence requirements and identity-negative-space findings. |
| Agent inventory / Security Dashboard for AI | `AZTA-09 ABOM & Evidence Governance` | ABOM v0.4 and agent inventory completeness scoring. |
| Conditional Access for agents | `AZTA-01`, `AZTA-06`, `AZTA-07` | Policy gates for approved agents, risky agents, and agent-user accounts. |
| Purview AI data controls | `AZTA-04 Data Boundary & RAG Security` | Data classification, DLP, retention, and excessive-read checks. |
| Foundry Prompt Shields | `AZTA-02 Context Integrity` | Shadow Prompting expanded into context-integrity review. |
| Defender / runtime threat protection | `AZTA-07 Runtime Telemetry` | Continuous tool/API/vector lookup telemetry requirements. |
| MCP governance | `AZTA-03 Tool & MCP Supply Chain` | MCP treated as software supply chain; unapproved tools blocked by default. |
| Endpoint agent policies | `AZTA-08 Endpoint & Local Agent Isolation` | Local container/sandbox, host-token, shell, and browser-control checks. |

---

## 5. OWASP ASI Top 10 closure

The CLAWLINE v0.7 candidate extension defines explicit evidence-traceability mappings for the OWASP ASI Top 10. This is not a production standard, OWASP certification, or endorsement. It is a control/evidence crosswalk that lets assessments using this candidate profile report a verifier-computed status per ASI item within the stated static-submission scope.

| OWASP ASI item | CLAWLINE closure |
|---|---|
| `ASI01` Agent Goal Hijack | Intent capsule, goal-state ID, goal-drift telemetry, hierarchy tests. |
| `ASI02` Tool Misuse and Exploitation | Semantic tool firewall, tool sequence policy, fully qualified tool names, version pins, fail-closed ambiguity handling. |
| `ASI03` Identity and Privilege Abuse | Discrete agent identity, delegation-chain map, per-action authorization receipt, short-lived task-scoped credentials. |
| `ASI04` Agentic Supply Chain Vulnerabilities | ABOM v0.4, signed/pinned manifests, registry trust tiers, runtime attestation, activation allowlist, kill switch. |
| `ASI05` Unexpected Code Execution / RCE | Code/exec separation, no unsandboxed `eval`, pre-execution scan, sandbox, egress/filesystem/syscall controls, production execution gate. |
| `ASI06` Memory and Context Poisoning | Memory write gates, provenance, namespace isolation, TTL/decay, rollback/quarantine, self-reingestion denial. |
| `ASI07` Insecure Inter-Agent Communication | Mutual authentication, message signing, anti-replay, descriptor validation, registry trust, semantic intent diffing. |
| `ASI08` Cascading Failures | Dependency map, fan-out/retry/queue caps, circuit breakers, progress caps, replay tests, rollback drills. |
| `ASI09` Human-Agent Trust Exploitation | Risk summary, rationale/proof separation, provenance cues, approval impact disclosure, reporting path, anti-manipulative UI review. |
| `ASI10` Rogue Agents | Behavioral manifest, runtime attestation, watchdog/peer validation, self-replication/provisioning block, kill switch, quarantine playbook. |

Canonical ASI artifacts:

- [Agentic AI Zero Trust whitepaper](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-agentic-zero-trust-whitepaper.md)
- [OWASP ASI Top 10 crosswalk](https://theclawline.com/artifacts/agentic-ai/v0.7/owasp-asi-top-10-clawline-crosswalk.md)
- [ASI control catalog](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-control-catalog.md)
- [ASI assessment template](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-assessment-template.md)
- [ABOM v0.4 JSON Schema](https://theclawline.com/schemas/abom-v0.4.schema.json)
- [ASI assessment v0.7 JSON Schema](https://theclawline.com/schemas/asi-assessment-v0.7.schema.json)
- [Third-party notices](https://theclawline.com/NOTICE.md)

---

## 6. Agent Identity & Trust Fabric

**Control statement:** Every agentic actor must have a discrete identity, accountable owner, bounded authority, revocable credential path, and auditable action trail. The invoking human, host service account, model provider, and agent runtime are not acceptable substitutes for agent identity.

### Required evidence

- Agent name, version, environment, tenant, and runtime location.
- Agent identity object or equivalent non-human identity record.
- Owner and sponsor.
- Creator, approver, and deployment pipeline.
- Credential source: managed identity, certificate, OAuth client, delegated token, service account, or user session.
- Authorization model: direct, delegated on-behalf-of, user-like account, workload identity, or shared secret.
- Token lifetime, rotation, revocation, and emergency disable path.
- Conditional policy assignment or equivalent policy engine binding.
- Logs that bind: caller -> agent -> tool/API -> data/resource -> action/result.

### Identity findings

| ID | Finding | Severity logic |
|---|---|---|
| `CRABS-I90` | Agent identity absent | Warn for read-only; freeze for write/action/data access. |
| `CRABS-I91` | Agent borrows human session token | Freeze by default; block for privileged actions. |
| `CRABS-I92` | Agent runs under over-broad service account | Warn or freeze by blast radius. |
| `CRABS-I93` | Owner/sponsor absent or stale | Warn; freeze if high-risk agent. |
| `CRABS-I94` | Agent identity shared across materially different deployments | Warn; freeze if audit attribution is ambiguous. |
| `CRABS-I95` | Revocation path unproven | Warn; freeze when agent has write/delete/financial/admin capability. |

---

## 7. Negative Space Analysis

Negative space analysis is a first-class CLAWLINE review step. The absence of evidence is not treated as proof of safety. It is scored as an explicit posture state.

### Evidence states

- `OBSERVED`
- `TESTED`
- `DECLARED`
- `UNSUPPORTED`
- `ABSENT`
- `CONTRADICTED`

### Negative-space dimensions

| Dimension | Missing evidence that matters | Default routing |
|---|---|---|
| Identity | No agent identity, owner, sponsor, token subject, per-action auth, or revocation path. | WARN/FREEZE by capability. |
| Delegation | No proof of user authorization or on-behalf-of boundary. | FREEZE for user data access. |
| Data | No classification, DLP, retention, vector-store access map, or read-volume baseline. | WARN; FREEZE for regulated data. |
| Context | No prompt injection boundary, retrieval trust labels, memory controls, goal-drift detection, or tool-output isolation. | WARN/FREEZE by action path. |
| Tool/MCP | No approved catalog, pinning, manifest hash, semantic firewall, sequence policy, tool owner, or change-control path. | WARN; FREEZE for sensitive scopes. |
| Runtime | No per-tool logs, trace IDs, decision receipts, downstream API audit, pre-exec scan, or sandbox proof. | WARN/FREEZE for autonomous writes. |
| Response | No kill switch, token revocation, circuit breaker, quarantine, rollback, or rogue-agent playbook. | FREEZE for high-impact agents. |
| Endpoint | No sandbox/container, host filesystem boundary, shell policy, browser isolation, or network egress policy. | WARN/FREEZE by local privilege. |
| Financial | No cost cap, rate cap, budget guardrail, approval gate, or spend telemetry. | WARN/FREEZE by spend authority. |
| Evidence | No ABOM, provenance, version, schema, ASI coverage state, or policy receipt. | WARN by default; FREEZE for high-risk. |

---

## 8. ABOM v0.4 - Agent Bill of Materials

The ABOM is the submitter-supplied portable evidence package for each agent. v0.4 extends v0.3 with explicit OWASP ASI claim fields. The intake is untrusted: even values named `OBSERVED` or `TESTED` are submitter claims until CLAWLINE independently derives an assessment. Intake never carries CLAWLINE finding IDs or verifier-owned status fields.

### Required ABOM v0.4 blocks

| Block | Purpose |
|---|---|
| `agent` | Identity, owner, sponsor, environment, autonomy tier, blast-radius tier. |
| `owasp_asi` | `claimed_traceability` plus per-ASI `claimed_status`, `claimed_evidence_state`, evidence references, claimed negative-space results, and claimed exceptions. |
| `intent_capsule` | Declared goal, allowed/denied actions, constraints hash, scope expiry, signer. |
| `tool_policy` | Fully qualified tools, version pins, semantic firewall, sequence policy, fail-closed ambiguity handling. |
| `memory_policy` | Namespace isolation, provenance, TTL/decay, rollback/quarantine, self-reingestion block. |
| `inter_agent_security` | Mutual auth, message signing, anti-replay, descriptor validation, registry trust. |
| `behavioral_integrity` | Manifest hash, attestation frequency, watchdog/peer validation, self-replication/provisioning block. |
| `human_trust_controls` | Risk summary, provenance cues, reporting path, anti-manipulative UI review. |
| `runtime` | Sandbox, pre-execution scan, network/filesystem/syscall policy, working directory, production gate. |
| `response` | Kill switch, token revocation, rollback, circuit breaker, fan-out caps, rogue quarantine playbook. |

Canonical schemas:

- Intake ABOM: [https://theclawline.com/schemas/abom-v0.4.schema.json](https://theclawline.com/schemas/abom-v0.4.schema.json)
- Verifier-owned assessment output: [https://theclawline.com/schemas/asi-assessment-v0.7.schema.json](https://theclawline.com/schemas/asi-assessment-v0.7.schema.json)

There are two verifier-owned result forms:

- The checkup API exposes a sanitized, derived `owasp_asi` projection with `projection_version: "clawline-api-owasp-asi/v1"`, `archival_assessment_schema: "https://theclawline.com/schemas/asi-assessment-v0.7.schema.json"`, `assessment_scope`, `runtime_behavior_verified`, `version`, `traceability`, optional `claimed_traceability`, `claim_conflict`, `risk_tier`, and summaries for `items.ASI01` through `items.ASI10`. Per-item summaries carry computed status/evidence, conditional findings, severity, DAD route, reason codes, and control IDs. The explicit version and schema pointer identify this as an API projection, not the signed archival object.
- A separately signed archival assessment is a top-level object conforming to the ASI assessment v0.7 schema. It uses `traceability`, `items.*.computed_status`, `items.*.evidence_state`, conditional `finding_ids`, `dad_decision`, and `claws_action`; it is not written back into the ABOM.

Both result forms declare `assessment_scope: "STATIC_SUBMISSION"` and `runtime_behavior_verified: false`.

DAD item routes correlate uniformly with computed severity: a `WARN` finding uses `DAD-ASIxx-WRN`, while a `CRITICAL` finding uses `DAD-ASIxx-CRT`. An `INFO`/not-assessed item emits no finding and carries the canonical `-WRN` route placeholder only to identify the route that would apply if a WARN finding were emitted.

---

## 9. Blast Radius Tier Model

CLAWLINE blast-radius scoring separates capability from consequence.

| Tier | Capability | Example consequence | Required control floor |
|---|---|---|---|
| `BR-0` | Chat-only, no tools, no memory | Bad answer, low data exposure. | Prompt logging and disclosure. |
| `BR-1` | Read-only public data/tools | Minor leakage or misinformation. | ABOM-lite, context-integrity review. |
| `BR-2` | Internal read access | Internal document leakage, data oversharing. | Agent identity, DLP, audit logs. |
| `BR-3` | Write access to low-risk systems | Ticket spam, bad updates, workflow disruption. | HITL gate, rollback, per-action logs. |
| `BR-4` | Sensitive data or business workflow access | Regulated data leakage, customer harm, financial loss. | Conditional policy, kill switch, SIEM/SOAR, ASI item evidence. |
| `BR-5` | Admin, production, financial, security, physical, or OT impact | Lateral movement, fraud, outage, safety impact. | Quarantine by default until identity, telemetry, sandbox, ASI controls, HITL, and revocation are proven. |

---

## 10. Assessment workflow

1. **Inventory** - identify every managed, unmanaged, local, and shadow agent.
2. **Identity map** - bind each agent to owner, sponsor, principal, token path, runtime, policies, and per-action authorization.
3. **ABOM collection** - capture submitter claims and referenced artifacts in ABOM v0.4 for identity, ASI, models, prompts, tools, MCP servers, data sources, memory, policies, provenance, runtime, and telemetry.
4. **Context-integrity review** - map prompt injection, RAG poisoning, memory poisoning, tool-output poisoning, hidden instruction channels, and goal hijack paths.
5. **MCP/tool supply-chain review** - approve, pin, hash, gateway, attest, and monitor tool definitions.
6. **Execution-boundary review** - classify shell, browser, file, database, API, workflow, code, deployment, and production actions.
7. **ASI negative-space analysis** - deterministically evaluate the submitted structure for all ten ASI items using evidence states and routing rules; separately identified human or runtime tests may supplement, but are not performed by the static scanner.
8. **Blast-radius scoring** - compute maximum feasible impact if the agent is hijacked, poisoned, or misaligned.
9. **Telemetry and response review** - review submitted evidence for traceability, SIEM/SOAR hooks, token revocation, circuit breakers, quarantine, and rollback. Do not describe this static review as live runtime verification.
10. **Evidence package** - produce executive summary, technical findings, ABOM, ASI traceability table, risk register, remediation plan, and receipts.

---

## 11. Report claim language

Use this language for v0.7:

> The CLAWLINE v0.7 candidate extension defines evidence-traceability mappings to the OWASP ASI Top 10 for Agentic Applications 2026. Reports using this candidate profile may claim ASI traceability only when each ASI item includes a coverage state, evidence state, negative-space result, and mapped remediation. This is not a production standard, OWASP certification, or endorsement.

Automated reports must also disclose: `assessment_scope: STATIC_SUBMISSION` and `runtime_behavior_verified: false`. Runtime behavior may be described as verified only in a separate engagement that actually observes or tests the runtime and identifies that additional scope.

Traceability labels:

| Label | Meaning |
|---|---|
| `ASI_TRACEABLE` | All ten items have observed/tested evidence and no unresolved critical negative-space findings. |
| `ASI_TRACEABLE_WITH_EXCEPTIONS` | All ten items have evidence or documented compensating controls with owners and expiry. |
| `PARTIAL` | One or more ASI items are missing evidence or have unresolved findings. |
| `NOT_ASSESSED` | ASI evidence was not reviewed. |

---

## 12. Recommended LeftOutSecurity offers

| Offer | Fixed-scope deliverable |
|---|---|
| AI Agent Zero Trust Review | Identity map, ABOM, blast-radius map, negative-space analysis, ASI traceability table, and remediation roadmap. |
| OWASP ASI Traceability Review | Per-ASI evidence states, CRABS/DAD mappings, exception register, and executive claim language. |
| MCP Security Review | MCP inventory, approval/pinning status, drift/collision checks, gateway recommendations. |
| Local Agent Hardening Review | Endpoint/local runtime threat model, sandboxing, shell/file/browser exposure controls. |
| RAG/Data Boundary Review | Retrieval path map, data classification, vector DB exposure, memory controls, leakage controls. |
| AI Security Evidence Package | Board/vendor-ready artifact package with architecture, controls, findings, ABOM v0.4, ASI traceability, and proof. |

---

## 13. Website implementation notes

This white paper should be published at:

- [https://theclawline.com/whitepaper/agentic-ai](https://theclawline.com/whitepaper/agentic-ai)

It should link to:

- [Whitepaper](https://theclawline.com/whitepaper)
- [Methodology](https://theclawline.com/methodology)
- [Glossary](https://theclawline.com/glossary)
- [Crosswalk](https://theclawline.com/crosswalk)
- [Origins](https://theclawline.com/origins)

This candidate extension is intentionally additive and does not replace the existing deterministic CLAWLINE white paper or the v0.5 base submission fields. The current automated integration is limited to intake parsing, deterministic static assessment, DAD routing, and CLAWS publication handling.

---

## 14. Engineering backlog

| Priority | Work item | Status in this revision |
|---|---|---|
| P0 | Explicit ASI coverage matrix in white paper and assessment output. | Closed at methodology/template level. |
| P0 | ASI05 RCE controls for shell/code/file-capable agents. | Closed in control catalog. |
| P0 | ASI03 per-action authorization and delegated-chain evidence. | Closed in control catalog. |
| P0 | ABOM v0.4 schema fields. | Defined in the [public ABOM v0.4 JSON Schema](https://theclawline.com/schemas/abom-v0.4.schema.json). |
| P1 | ASI07 inter-agent authenticated/signed communication controls. | Closed in control catalog. |
| P1 | ASI06 memory provenance, namespace, TTL, rollback, and quarantine. | Closed in control catalog. |
| P1 | ASI08 fan-out, circuit breaker, and cascade telemetry. | Closed in control catalog. |
| P1 | ASI10 behavioral manifest and rogue-agent quarantine. | Closed in control catalog. |
| P2 | ASI09 human-trust UX controls and reporting path. | Closed in control catalog. |
| P2 | Static parser, ASI evaluation, DAD routing, and CLAWS publication integration. | Implemented for submitted artifacts; regression tests are the release gate. |
| P2 | Live runtime observation or enforcement. | Out of scope for the automated v0.7 profile; requires a separately identified runtime adapter/test engagement. |

---

## 15. Source links

- Microsoft Zero Trust Assessment for agent identity security: https://learn.microsoft.com/en-us/security/zero-trust/assessment/ai-pillar
- Microsoft secure autonomous agentic AI systems: https://learn.microsoft.com/en-us/security/zero-trust/sfi/secure-agentic-systems
- Microsoft Entra Agent ID: https://learn.microsoft.com/en-us/entra/agent-id/what-are-agent-identities
- Microsoft Conditional Access for autonomous agents: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-autonomous-agents
- Microsoft Foundry Prompt Shields: https://learn.microsoft.com/en-us/azure/foundry/openai/concepts/content-filter-prompt-shields
- Microsoft Purview AI data security protections: https://learn.microsoft.com/en-us/purview/ai-microsoft-purview
- Microsoft Security Dashboard for AI: https://learn.microsoft.com/en-us/security/security-for-ai/security-dashboard-for-ai
- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- OWASP Agentic AI - Threats and Mitigations: https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/
- OWASP Agentic Security Initiative: https://genai.owasp.org/initiatives/agentic-security-initiative/
- OWASP AIUC-1 Crosswalks for Agentic Applications: https://genai.owasp.org/resource/aiuc-1-crosswalks-owasp-top-10-for-agentic-applications/
- OpenClaw security guidance: https://docs.openclaw.ai/gateway/security
- CrowdStrike OpenClaw security guidance: https://www.crowdstrike.com/en-us/blog/what-security-teams-need-to-know-about-openclaw-ai-super-agent/

Attribution: OWASP Gen AI Security Project / Agentic Security Initiative materials are used as external risk taxonomy references. OWASP content is licensed under Creative Commons Attribution-ShareAlike 4.0 unless otherwise specified by OWASP.
