The OWASP AI Exchange is the closest thing to a global consensus on AI security, feeding directly into the EU AI Act and ISO standards. This page maps Kynara to its runtime controls for AI agents — and to the corresponding MITRE ATLAS mitigations.
| OWASP control | Coverage | How Kynara implements it |
|---|---|---|
| #LEAST MODEL PRIVILEGE (Minimize what an agent can do) | Implemented | RBAC scopes gate every action; ABAC conditions constrain arguments. MCP Gateway does least-privilege tool discovery (agents only see tools they may call). "Avoid implementing authorization in GenAI instructions" — Kynara decides on structured requests outside the LLM, immune to prompt injection. |
| ↳ Honor limitations of the served | Implemented | Non-escalation guarantee: an agent's effective permissions are the intersection of the agent's roles and the dispatching user's roles. |
| ↳ Ephemeral permissions (temporal blast-radius control) | Implemented | JIT grants: time-boxed, scoped elevation that auto-expires, recorded in the audit chain. |
| ↳ Harden based on risk elevation (downgrade on untrusted input) | Implemented | The is_tainted policy operator + automatic session taint tracking in the MCP Gateway: the moment an agent reads untrusted content (web fetch, inbound email), egress actions are denied or routed to approval — done outside the LLM. |
| ↳ Harden based on role assignment | Implemented | Roles map to task-scoped permission sets; agents are assigned the role for their task. |
| ↳ Downgrading subagents (delegated scoped credentials) | Partial | Non-escalation already bounds agent authority to the user. Fine-grained runtime permission handoff to subagents (scoped, short-lived delegation) is on the roadmap. |
| #OVERSIGHT (Detect & respond to unwanted behaviour) | Implemented | Human-in-the-loop approvals via the require_approval effect and approval queue; a deny on an unpermitted action is recorded and alertable. Risk-scored requests help avoid approval fatigue. |
| ↳ Rollback / undo actions | Roadmap | Every decision is logged with full context; compensating-action / revert-from-timeline support is planned. |
| #MONITOR USE | Implemented | Tamper-evident, SHA-256 hash-chained audit log of every decision; queryable dashboards, filters, and CSV export. |
| #CONTINUOUS VALIDATION | Partial | Guardrails auto-revoke agents that breach behavioral thresholds; per-agent baseline anomaly detection is on the roadmap. |
| #AI TRANSPARENCY | Partial | Decision traces explain why an action was allowed or denied. In-product nudges warning admins about risky permissions are planned. |
The OWASP controls above reference these MITRE ATLAS mitigations for AI agents. Kynara maps to them directly:
| ATLAS ID | Mitigation | Kynara |
|---|---|---|
| AML.M0029 | Human-in-the-Loop for AI Agent Actions | Implemented |
| AML.M0030 | Restrict AI Agent Tool Invocation on Untrusted Data | Implemented |
| AML.M0028 | AI Agent Tools Permissions Configuration | Implemented |
| AML.M0026 | Privileged AI Agent Permissions Configuration | Implemented |
| AML.M0027 | Single-User AI Agent Permissions Configuration | Implemented |
OWASP's "harden based on risk elevation" and MITRE ATLAS AML.M0030 both call for tightening an agent's permissions the moment it ingests untrusted data — the primary vector for prompt injection. Kynara implements this as a first-class control:
context.taint, and a policy using the is_tainted operator denies or requires approval for egress-capable actions. Ready-made templates ship in the policy editor: Block data egress after untrusted input and Require approval for egress after untrusted input. See the docs.
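To make the two controls concrete, here is an added, self-contained Python model of how they compose: the non-escalation intersection of agent and user roles from the table above, session taint set when a tool reads an untrusted source, an egress policy evaluated on the structured request (never on LLM output) that yields deny or require_approval once the session is tainted, and a SHA-256 hash-chained audit record for each decision. This is illustrative code written for this page, not Kynara's implementation or policy syntax; the role table, the two policy dicts, and the scope and source names are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed role -> scope table (assumption for this example, not Kynara data).
ROLE_SCOPES = {
    "researcher": {"web.fetch", "email.read", "notes.write"},
    "mailer": {"email.read", "email.send", "notes.write"},
    "admin": {"web.fetch", "email.read", "email.send", "notes.write", "http.post"},
}
UNTRUSTED_SOURCES = {"web.fetch", "email.read"}  # reading these taints the session
EGRESS_ACTIONS = {"email.send", "http.post"}      # actions able to move data out

# Hypothetical policy templates mirroring the two named on the page. The condition is
# evaluated on structured request/session fields, outside the model.
POLICIES = [
    {"name": "Block data egress after untrusted input",
     "is_tainted": True, "actions": {"http.post"}, "effect": "deny"},
    {"name": "Require approval for egress after untrusted input",
     "is_tainted": True, "actions": {"email.send"}, "effect": "require_approval"},
]


def effective_scopes(agent_roles, user_roles):
    """Non-escalation: the agent may only do what BOTH it and the dispatching user may do."""
    agent = set().union(*(ROLE_SCOPES.get(r, set()) for r in agent_roles))
    user = set().union(*(ROLE_SCOPES.get(r, set()) for r in user_roles))
    return agent & user


@dataclass
class Session:
    agent_roles: list
    user_roles: list
    tainted: bool = False          # flipped automatically on first untrusted read
    audit: list = field(default_factory=list)


def _append_audit(session, action, decision, reason):
    """Append a record whose hash covers the previous hash, forming a tamper-evident chain."""
    prev = session.audit[-1]["hash"] if session.audit else "0" * 64
    record = {"action": action, "decision": decision, "reason": reason,
              "tainted": session.tainted, "prev": prev}
    body = json.dumps(record, sort_keys=True).encode()
    record["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
    session.audit.append(record)


def authorize(session, action):
    """Return 'allow', 'deny' or 'require_approval' for a structured action request."""
    scopes = effective_scopes(session.agent_roles, session.user_roles)
    if action not in scopes:
        decision, reason = "deny", "not in effective scopes (non-escalation)"
    else:
        decision, reason = "allow", "scope granted"
        for p in POLICIES:
            if action in p["actions"] and p["is_tainted"] == session.tainted:
                decision, reason = p["effect"], p["name"]
                break
    # Taint is applied only after an untrusted read is actually permitted.
    if decision == "allow" and action in UNTRUSTED_SOURCES:
        session.tainted = True
    _append_audit(session, action, decision, reason)
    return decision


def verify_chain(audit):
    """Recompute every hash; any edited or reordered record breaks the chain."""
    prev = "0" * 64
    for rec in audit:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        digest = hashlib.sha256(prev.encode() + json.dumps(body, sort_keys=True).encode())
        if rec["hash"] != digest.hexdigest():
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    # An admin-role agent dispatched by a "mailer" user: it cannot exceed the user's scopes.
    s = Session(agent_roles=["admin"], user_roles=["mailer"])
    for act in ["email.send", "web.fetch", "email.read", "email.send", "http.post"]:
        print(f"{act:12} -> {authorize(s, act)} (tainted={s.tainted})")
    print("audit chain intact:", verify_chain(s.audit))
```

Running the demo shows the ordering that matters: the same email.send request is allowed before the session reads inbound mail and routed to approval afterwards, while http.post is denied on scope grounds regardless of taint because the dispatching user never held it.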
We're happy to walk security and compliance teams through Kynara's control coverage.