
Kynara & the OWASP AI Exchange

The OWASP AI Exchange is the closest thing to a global consensus on AI security, feeding directly into the EU AI Act and ISO standards. This page maps Kynara to its runtime controls for AI agents — and to the corresponding MITRE ATLAS mitigations.

Legend: Implemented (Kynara enforces this today) · Partial (partially covered) · Roadmap (planned). This is Kynara's own assessment against the public OWASP AI Exchange (§1.3, "controls to limit the effects of unwanted behaviour", i.e. blast-radius control), not a certification.

OWASP AI Exchange — runtime controls

| OWASP control | Coverage | How Kynara implements it |
|---|---|---|
| Least model privilege: minimize what an agent can do | Implemented | RBAC scopes gate every action; ABAC conditions constrain arguments. MCP Gateway does least-privilege tool discovery (agents only see tools they may call). "Avoid implementing authorization in GenAI instructions": Kynara decides on structured requests outside the LLM, immune to prompt injection. |
| ↳ Honor limitations of the served | Implemented | Non-escalation guarantee: an agent's effective permissions are the intersection of the agent's roles and the dispatching user's roles. |
| ↳ Ephemeral permissions (temporal blast-radius control) | Implemented | JIT grants: time-boxed, scoped elevation that auto-expires, recorded in the audit chain. |
| ↳ Harden based on risk elevation (downgrade on untrusted input) | Implemented | The is_tainted policy operator plus automatic session taint tracking in the MCP Gateway: the moment an agent reads untrusted content (web fetch, inbound email), egress actions are denied or routed to approval, enforced outside the LLM. |
| ↳ Harden based on role assignment | Implemented | Roles map to task-scoped permission sets; agents are assigned the role for their task. |
| ↳ Downgrading subagents (delegated scoped credentials) | Partial | Non-escalation already bounds agent authority to the user. Fine-grained runtime permission handoff to subagents (scoped, short-lived delegation) is on the roadmap. |
| Oversight: detect and respond to unwanted behaviour | Implemented | Human-in-the-loop approvals via the require_approval effect and approval queue; a deny on an unpermitted action is recorded and alertable. Risk-scored requests help avoid approval fatigue. |
| ↳ Rollback / undo actions | Roadmap | Every decision is logged with full context; compensating-action / revert-from-timeline support is planned. |
| Monitor use | Implemented | Tamper-evident, SHA-256 hash-chained audit log of every decision; queryable dashboards, filters, and CSV export. |
| Continuous validation | Partial | Guardrails auto-revoke agents that breach behavioral thresholds; per-agent baseline anomaly detection is on the roadmap. |
| AI transparency | Partial | Decision traces explain why an action was allowed or denied. In-product nudges warning admins about risky permissions are planned. |

MITRE ATLAS mitigations

The OWASP controls above reference these MITRE ATLAS mitigations for AI agents. Kynara maps to them directly:

| ATLAS ID | Mitigation | Kynara |
|---|---|---|
| AML.M0029 | Human-in-the-Loop for AI Agent Actions | Implemented |
| AML.M0030 | Restrict AI Agent Tool Invocation on Untrusted Data | Implemented |
| AML.M0028 | AI Agent Tools Permissions Configuration | Implemented |
| AML.M0026 | Privileged AI Agent Permissions Configuration | Implemented |
| AML.M0027 | Single-User AI Agent Permissions Configuration | Implemented |

Spotlight: dynamic downgrade on untrusted input

OWASP's "harden based on risk elevation" and MITRE ATLAS AML.M0030 both call for tightening an agent's permissions the moment it ingests untrusted data, the primary vector for prompt injection. Kynara implements this as a first-class control.

Ready-made templates ship in the policy editor: Block data egress after untrusted input and Require approval for egress after untrusted input. See the docs.
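The mechanism described above (non-escalation by role intersection, session taint set on the first untrusted read, egress then denied or routed to approval, every decision appended to a SHA-256 hash-chained audit log), as an added illustrative model. This is not Kynara's code or policy language; the tool names, role map and the deny/approval switch are constructed assumptions.

```python
import hashlib, json
from dataclasses import dataclass, field
# Hypothetical tool classification, not Kynara's own catalogue.
UNTRUSTED_SOURCES = {"web_fetch", "read_inbox"}  # reading these taints the session
EGRESS_TOOLS = {"send_email", "http_post"}       # actions that can move data out
# Hypothetical role -> permitted tools mapping (RBAC scopes).
ROLE_PERMS = {
    "researcher": {"web_fetch", "read_inbox", "send_email"},
    "mailer": {"send_email", "http_post"},
}
@dataclass
class Session:
    agent_roles: set
    user_roles: set
    tainted: bool = False          # set once untrusted content has been read
    audit: list = field(default_factory=list)
def effective_perms(s):
    """Non-escalation: intersection of the agent's roles and the dispatching user's roles."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in s.agent_roles & s.user_roles))
def append_audit(s, record):
    """Append a SHA-256 hash-chained audit record; each record commits to the previous hash."""
    prev = s.audit[-1]["hash"] if s.audit else "0" * 64
    body = {**record, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    s.audit.append({**body, "hash": digest})
def verify_chain(s):
    """Recompute every hash; an edited or reordered record breaks the chain."""
    prev = "0" * 64
    for rec in s.audit:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
def decide(s, tool, taint_mode="deny"):
    """Decide a structured tool request outside the LLM: 'allow', 'deny' or 'require_approval'.
    taint_mode selects the egress-after-taint behaviour: 'deny' or 'approval'."""
    if tool not in effective_perms(s):
        verdict = "deny"                                  # outside the RBAC scope
    elif s.tainted and tool in EGRESS_TOOLS:
        verdict = "deny" if taint_mode == "deny" else "require_approval"
    else:
        verdict = "allow"
    if verdict == "allow" and tool in UNTRUSTED_SOURCES:
        s.tainted = True                                  # downgrade from here on
    append_audit(s, {"tool": tool, "verdict": verdict, "tainted": s.tainted})
    return verdict
```

A session whose agent holds a role the dispatching user lacks never gains that role's tools, and once web_fetch or read_inbox has been allowed, every later egress call is downgraded regardless of what the model was told.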

Governing AI agents against a framework?

We're happy to walk security and compliance teams through Kynara's control coverage.