A Verification-Side Reference
Version 1.0 — Published 2026-06-09
Author: Mayur Agnihotri Senior Information Security Specialist, StraightArc Technologies Pvt. Ltd. Head of Threat Research, SecSphere SOC / SkyVirtRange OWASP AISVS Contributor · CSA IAM Working Group Reviewer
AISVS v1.0 mapping (updated 2026-06-24): The AISVS controls referenced here shipped in OWASP AISVS v1.0 (released June 2026), in the C9 Orchestration and Agentic Security chapter: C9.2.3 (a trusted reversibility classification; Level 2), C9.2.4 (runtime enforcement by that class; Level 2), and C9.2.10 (worst-case class across a multi-step or multi-agent chain; Level 3). v1.0 shipped a leaner set than the architecture this paper develops: the manifest-declaration mechanism, blast radius as an independent axis, and the fail-closed default for unclassified tools are this author's architectural extensions, not separate AISVS controls. Chapter 7 of the paper marks the boundary.
Figure 1. Action-Class Authority — Reference Model. The gate evaluates the declared class from the tool/action manifest (Panel 1). For multi-step chains, the worst-case class across the chain governs the gate (Panel 2). Source: OWASP AISVS v1.0 (C9.2.3, C9.2.4, C9.2.10).
A practitioner reference for what an AI agent is allowed to do without a human in the loop, structured on the axis of reversibility rather than risk. Covers the four-class reversibility taxonomy, manifest-declared classification, the worst-case chain rule, and gate decisions per class. Anchored to OWASP AISVS C9.2.3, C9.2.4, and C9.2.10 (shipped in v1.0).
- Not a competing standard. The architectural anchors live in OWASP AISVS v1.0 C9.2.3, C9.2.4, and C9.2.10, with C9.5 Agent Authorization, Delegation, and Continuous Enforcement (C9.5.3 enforces decisions outside the model) as the enforcement-boundary companion. This document references them.
- Not a vendor product specification. The framework is vendor-neutral by design.
- Not a substitute for the chain-of-custody discipline that DFIR teams already practice. It is the same idea, applied one layer up.
- Standards-track contributors working on agentic AI authorization (OWASP, CSA, IETF, CoSAI)
- DFIR practitioners evaluating AI-augmented triage workflows
- SOC architects designing AI-driven detection and response
- CISOs evaluating agentic AI deployment risk
- Researchers working on agent governance, runtime enforcement, or authorization
| If you want | Read |
|---|---|
| The argument in 5 minutes | Executive Summary + Figure 1 |
| The taxonomy in 15 minutes | Part II (Chapters 3–6) |
| The standards-track anchor | Part III (Chapters 7–9) |
| The DFIR application | Part IV (Chapters 10–12) |
| Implementation guidance | Part V (Chapters 13–15) |
| Full read | All 18 chapters, ~25-30 pages |
Plain text:
Agnihotri, Mayur. (2026). Action-Class Authority for AI Agents: A Verification-Side Reference. Version 1.0.
BibTeX:
@misc{agnihotri2026actionclass,
author = {Agnihotri, Mayur},
title = {Action-Class Authority for AI Agents: A Verification-Side Reference},
year = {2026},
month = {June},
version = {1.0},
howpublished = {Whitepaper, \url{https://github.com/Mayur021/action-class-authority}}
}Creative Commons Attribution 4.0 International (CC BY 4.0). See LICENSE.
| Version | Date | Notes |
|---|---|---|
| 1.0 | 2026-06-09 | Initial release |
| 1.0 (in-place errata) | 2026-06-24 | AISVS citations aligned to the released v1.0: reversibility controls cited as C9.2.3 / C9.2.4 / C9.2.10 (Orchestration and Agentic Security chapter), approval binding as C9.2.2 / C9.2.8, enforcement boundary as C9.5 (C9.5.3). Manifest-declaration, the independent blast-radius axis, and the fail-closed default are marked as the author's extensions, not shipped controls. |
Errata, corrections, or technical objections welcome via:
- GitHub issues (when this repo is published)
- LinkedIn: linkedin.com/in/mayur-agnihotri
Joint contributions (e.g., adjacent schemas) are subject to prior agreement with the relevant co-authors. The chain-level audit schema referenced in Chapter 8 is joint peer-review work with Mallikarjunarao Sunke under CSA IAM Working Group review and is referenced here with permission.
- OWASP AISVS — github.com/OWASP/AISVS — verification standards for AI security
- CSA NHI Working Group — Defining Non-Human Identity paper (under peer review at IAM WG)
- PieterKas/agent2agent-auth-framework — IETF-track agent-to-agent authorization protocol
- SANS AI Security Maturity Model — Chris Cochran, SANS Institute
- CoSAI WS4 — Secure Design Agentic Systems Working Group
- AARM (CSA) — Autonomous Action Runtime Management Working Group
