defense 2025

A2AS: Agentic AI Runtime Security and Self-Defense

Eugene Neelou 1,2,3, Ivan Novikov 1,3, Max Moroz 1,4, Om Narayan 5,2, Tiffany Saade 6, Mika Ayenson 7, Ilya Kabanov 8, Jen Ozmen 8, Edward Lee 9, Vineeth Sai Narajala 10,2, Emmanuel Guilherme Junior 2, Ken Huang 2, Huseyin Gulsin 2, Jason Ross 11, Marat Vyshegorodtsev 11, Adelin Travers 12, Idan Habler 12, Rahul Jadav 12

1 A2AS

2 OWASP

3 Wallarm

4 ByteDance

5 AWS

6 Cisco

7 Elastic

8 Google

9 JPMorganChase

10 Meta

11 Salesforce

12 Other

3 citations · 12 references · SSRN
α

Published on arXiv

2510.13825

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Introduces the BASIC security model as a conceptual foundation for LLM agent runtime security, positioning A2AS as a proposed industry standard analogous to HTTPS for web security.

A2AS / BASIC security model

Novel technique introduced

The A2AS framework is introduced as a security layer for AI agents and LLM-powered applications, similar to how HTTPS secures HTTP. A2AS enforces certified behavior, activates model self-defense, and ensures context window integrity. It defines security boundaries, authenticates prompts, applies security rules and custom policies, and controls agentic behavior, enabling a defense-in-depth strategy. The A2AS framework avoids latency overhead, external dependencies, architectural changes, model retraining, and operational complexity. The BASIC security model is introduced as the A2AS foundation: (B) Behavior certificates enable behavior enforcement, (A) Authenticated prompts enable context window integrity, (S) Security boundaries enable untrusted input isolation, (I) In-context defenses enable secure model reasoning, (C) Codified policies enable application-specific rules. This first paper in the series introduces the BASIC security model and the A2AS framework, exploring their potential toward establishing the A2AS industry standard.

Key Contributions

  • A2AS framework: a runtime security layer for AI agents and LLM applications analogous to HTTPS, requiring no model retraining, architectural changes, or latency overhead
  • BASIC security model: five-component foundation covering Behavior certificates, Authenticated prompts, Security boundaries, In-context defenses, and Codified policies
  • Defense-in-depth strategy for LLM agents combining prompt authentication, behavior enforcement, and context window integrity

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
ai agentsllm-powered applications
Read PDF arXiv DOI

Similar Papers

defense

AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents

2025 0 cit.
100%
defense

Securing AI Agents: Implementing Role-Based Access Control for Industrial Applications

2025 0 cit.
100%
defense

Agent-Sentry: Bounding LLM Agents via Execution Provenance

2026 0 cit.
100%
defense

Optimizing Agent Planning for Security and Autonomy

2026 0 cit.
100%
defense

The LLMbda Calculus: AI Agents, Conversations, and Information Flow

2026 0 cit.
100%
defense

Spider-Sense: Intrinsic Risk Sensing for Efficient Agent Defense with Hierarchical Adaptive Screening

2026 0 cit.
100%
defense

BlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability

2025 0 cit.
100%
defense

Policy Compiler for Secure Agentic Systems

2026 0 cit.
100%