Difficulty: Intermediate · Read time: 8 min

The Missing Layer in Agent Security

By Codcompass Team · 8 min read

Current Situation Analysis

Agentic AI systems operate by chaining discrete tool calls into multi-step workflows. Traditional security architectures treat these systems like conventional microservices: they scan static configurations before deployment and enforce per-call policies at runtime. This two-layer model creates a critical blind spot. It evaluates actions in isolation, completely ignoring the temporal sequence that defines agent behavior.

The industry overlooks this gap because security engineering has historically focused on boundary protection. Input validation, rate limiting, and path restrictions work well for stateless APIs. Agents are stateful and autonomous. A single tool call rarely violates policy. The risk emerges from the trajectory: how actions compound, how data moves across steps, and whether the session aligns with its declared purpose.

Production incidents consistently demonstrate this failure mode. In a documented support-agent breach, three sequential actions passed every per-call check: reading account data, formatting it as CSV, and emailing it externally. Each step was individually permitted. The combined sequence constituted data exfiltration. The per-call proxy returned green checkmarks because it lacked session memory.

Regulatory frameworks now mandate what security teams have struggled to implement. Article 72 of the EU AI Act requires post-market monitoring for behavioral drift in high-risk systems. Singapore’s Model Governance Framework for Agentic AI (effective January 2026) explicitly requires kill-switch capability and plan logging. DORA demands four-hour incident reconstruction for financial services. None of these can be satisfied with isolated call validation. You need continuous trajectory scoring.

The attack surface has matured to exploit this exact gap. The postmark-mcp incident demonstrated a malicious MCP server that accumulated 15 legitimate versions before injecting exfiltration logic. The ToxicSkills campaign poisoned agent memory files to trigger delayed behavioral shifts. These attacks succeed because they mimic normal operation at the call level. They only reveal their intent when viewed across a session timeline.

WOW Moment: Key Findings

The fundamental shift occurs when security moves from evaluating individual actions to scoring behavioral trajectories. The following comparison illustrates why trajectory enforcement closes the gap that static analysis and per-call proxies leave open.

| Approach | Detection Scope | Temporal Awareness | Enforcement Granularity | Compliance Readiness |
|---|---|---|---|---|
| Static Config Scan | Pre-deployment only | None | Policy definition | Partial (audit trail) |
| Per-Call Proxy | Single action | None | Immediate block/rate-limit | Low (no session context) |
| Trajectory Envelope | Full session | Continuous scoring | Graduated response (warn/pause/kill) | High (drift logging, kill-switch, plan audit) |

This finding matters because it redefines how we secure autonomous systems. Per-call enforcement answers: Is this specific tool call allowed? Trajectory enforcement answers: Is this agent still performing its declared function? The latter enables compliance with post-market monitoring mandates, prevents compound exfiltration attacks, and provides forensic-grade session reconstruction. It shifts security from reactive filtering to proactive behavioral governance.
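As an added example (not the article's or any vendor's code), here is a minimal trajectory scorer in Python that contrasts the stateless per-call check with whole-session scoring on the three-call read/format/email sequence from the support-agent breach above; the envelope fields, tool names, domains and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Envelope:
    """Declared behaviour for one agent session (constructed for this example)."""
    purpose: str
    allowed_tools: set
    reads: dict            # tool -> data class it pulls into the session
    sinks: dict            # tool -> argument naming the destination
    internal_domains: set  # destinations inside the organisation
    max_calls: int = 12

@dataclass
class ToolCall:
    tool: str
    args: dict = field(default_factory=dict)

VERDICTS = ("allow", "warn", "pause", "kill")  # graduated response

def per_call_allowed(env, call):
    """What a stateless per-call proxy checks: is this one tool permitted?"""
    return call.tool in env.allowed_tools

def score_trajectory(env, calls):
    """Score the session so far against the envelope -> (verdict, reasons)."""
    tainted, reasons, level = set(), [], 0
    for step, call in enumerate(calls, 1):
        if not per_call_allowed(env, call):
            reasons.append(f"step {step}: {call.tool} is outside the envelope")
            level = max(level, 3)
            continue
        if call.tool in env.reads:           # remember what data the agent has seen
            tainted.add(env.reads[call.tool])
        if call.tool in env.sinks:
            dest = str(call.args.get(env.sinks[call.tool], ""))
            external = not any(dest.endswith("@" + d) for d in env.internal_domains)
            if external and tainted:         # read -> ... -> external send = exfiltration
                reasons.append(f"step {step}: {call.tool} to {dest} after reading {sorted(tainted)}")
                level = max(level, 3)
            elif external:
                reasons.append(f"step {step}: external send to {dest}, no sensitive data yet")
                level = max(level, 1)
        if step > env.max_calls:             # drift from the declared plan length
            reasons.append(f"step {step}: longer than declared plan ({env.max_calls})")
            level = max(level, 2)
    return VERDICTS[level], reasons

# Constructed support-agent envelope and the three-call sequence the article describes.
SUPPORT = Envelope("answer customer tickets",
                   {"read_account", "format_csv", "send_email", "reply_ticket"},
                   {"read_account": "customer_pii"}, {"send_email": "to"}, {"corp.example"})
BREACH = [ToolCall("read_account", {"id": 42}), ToolCall("format_csv"),
          ToolCall("send_email", {"to": "drop@external.example"})]

if __name__ == "__main__":
    print([per_call_allowed(SUPPORT, c) for c in BREACH])  # every call passes in isolation
    print(score_trajectory(SUPPORT, BREACH))                # ('kill', [...]) for the session
```

The per-call check returns True for all three calls, while the session score reaches "kill" only at step 3, once tainted data reaches an external destination.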

Core Solution

Trajectory enforcement operates by declaring expected behavior upfront, then continuously scoring runtime execution against that declaration. The implementation requires three components: a declarative envelope definition, a scoring engine
