
Agentic AI security best practices

Thirty-two modules derived from the repo's security-best-practices-series. Content is synced at site build into static HTML and the search index. To update it, edit the Markdown in the repo, then run node scripts/sync-security-training-modules.mjs from the website/ directory (the script also runs automatically on prebuild).

← Security overview · Defense in depth (full guide)

  1. Container Image Security: Pinning, Distroless Pipelines, Mirror Registries, and Golden Images. Digest pinning, distroless golden images, private mirror registries, and CI scanning from source to registry.
  2. Cluster Admission Control: Image Signing, Kyverno, and Blocking Unsigned Workloads. Cosign verification and Kyverno admission policies that block unsigned or policy-violating workloads.
  3. ClawHub Skill Vetting and Safe Installation: Signature Verification, Sandbox Testing, and Allowlisting. Vet third-party skills with manifest signing, static analysis, sandbox observation, and hash pinning.
  4. Zero Trust Network Architecture: mTLS, Istio, RBAC, and Workload Identity. SPIFFE workload identity, STRICT mTLS, default-deny networking, and L7 AuthorizationPolicy.
  5. Agent Gateway Hardening: Binding, Firewall Rules, DNS Rebinding Defense, and Safe Remote Access. Localhost binding, VPN-only access, Host/Origin validation, and listening-port drift detection.
  6. Egress Filtering, DNS Controls, and Data Loss Prevention. ServiceEntry allowlists, SSRF prevention, DNS tunneling heuristics, and tool-call DLP.
  7. Least Privilege and Scoped Kubernetes Identities: ServiceAccounts, IRSA, and Workload Identity. One ServiceAccount per workload, scoped RBAC, and cloud workload identity federation.
  8. Secrets at Rest: Vault Integration, HSM Backing, and Tamper-Proof Audit Logging. Dynamic secrets, HSM unseal, gateway token exchange, and WORM Vault audit logs.
  9. Authentication and Session Management: Per-Request Scoped Tokens, OAuth/OIDC, Rotation, and Replay Prevention. Tool-scoped tokens, OAuth for external APIs, nonce replay prevention, and device pairing.
  10. Agent Identity Lifecycle: Provisioning, Scope Governance, and Decommissioning. Joiner-mover-leaver for agents: approval workflows, scope trials, orphan detection, and forensic shutdown.
  11. Sandboxing Agent Workloads: Kata Containers, gVisor, and macOS Seatbelt. Choose Kata, gVisor, or seccomp baselines by workload trust and performance requirements.
  12. MCP Runtime Enforcement: Panguard, ATR Rules, Schema Validation, and Injection Defense. Enforce policy at the structured tool-call layer with ATR, schema validation, and HITL deny-on-timeout.
  13. Input Validation and Protocol Hardening: SSRF Prevention, Token Limits, Encoding Defense, and Replay Prevention. Harden the MCP input boundary before Panguard: JSON safety, SSRF, token budgets, and tool manifest integrity.
  14. Multi-Agent Trust Hierarchies and Orchestrator Security: Delegation, Result Integrity, and Blast Radius Isolation. Signed instructions and results, downward-only ATR delegation, and pipeline-level risk scoring.
  15. Data Classification and PII Redaction: Tagging, Anonymisation, and Residency Controls. Four-level taxonomy, Presidio at write boundaries, and classification-gated recall.
  16. Model Weight Integrity: Verifying Authenticity Before Every Load. Signed weight manifests, per-load hash verification, honest limits of backdoor detection, and multi-provider weight promotion.
  17. GPU and Resource Protection: Isolation, Quotas, and Side-Channel Defences. MIG isolation, namespace GPU quotas, and monitoring for unexpected GPU consumers.
  18. Memory and Context Poisoning Prevention: Redaction at Source and Immutable Agent Memory. Merkle integrity, WORM storage, per-subject encryption, and poisoning detection at write time.
  19. Security Monitoring and Observability Architecture: Falco, Wazuh, SIEM Integration, and Telemetry Design. Canonical security event schema, SIEM correlation, cardinality-safe metrics, and NOC dashboards.
  20. Automated Response and Incident Recovery: Talon, Quarantine, PICERL, and WORM Audits. Automated quarantine, circuit breakers, PICERL lifecycle, and forensic preservation before revocation.
  21. Development and Deployment Security: Workstation Hardening, Local Dev, and Secure Production Deployment. Harden developer laptops and enforce secure-by-default production deploys with staging parity.
  22. Threat Modelling for Agentic AI: STRIDE, Attack Trees, and Living Threat Models. Extend STRIDE for agentic threats and maintain a living threat model in version control.
  23. OWASP Agentic Top 10: Mitigations and Control Mapping. Map ASI01–ASI10 to deployed ClawQL controls with test evidence from the adversarial suite.
  24. Red Teaming and Adversarial Testing Methodology: Proving the Controls Work. YAML attack library in CI, purple-team exercises, and MCP-scoped external pen tests.
  25. Quarterly Security Review Checklist: Metrics, Rotations, and Continuous Posture Verification. Evidence-driven quarterly review: rotations, allowlists, restore tests, and signed reports.
  26. Vulnerability Management, Patch Cadence, and Cryptographic Agility. Reachability-based triage, session-drain rolling updates, and planned algorithm migrations.
  27. Secure Multi-Tenancy: Namespace Isolation, Per-Tenant Vault Paths, and Audit Segregation. Tenant-scoped Vault paths, memory partitions, and per-tenant WORM audit destinations.
  28. Disaster Recovery and Business Continuity: RTO/RPO, Session Recovery, and Cross-Region Failover. Per-tier RTO/RPO, agent checkpoints, active/passive failover, and session recovery decision tree.
  29. Compliance and Regulatory Mapping: GDPR, HIPAA, SOC 2 Type II, and EU AI Act. Map controls to GDPR, HIPAA, SOC 2, and EU AI Act with cryptographic erasure and evidence packages.
  30. Human Operator Security: Admin Controls, Separation of Duties, Break-Glass Access, and External API Hygiene. Mutually exclusive admin roles, 4-eyes changes, break-glass with audit, and webhook hardening.
  31. Third-Party Model API Security: Securing Calls to External LLM Providers. API key hygiene, classification-gated outbound prompts, provider retention policies, multi-provider routing, and WORM audit for external LLM calls.
  32. Where to Start: Prioritization for a New Deployment. Sequencing guide for new deployments — the five controls to implement first, second tier before scaling, and why partial coverage is worse than focused depth.