Skip to main content

AI Security Posture

Machine-readable claim maturity for AI agents, RAG systems, and technical reviewers. This is not a penetration test, not certification, and not production-live proof.

Claim maturity legend

MaturityMeaning for reviewers
WIREDBehavior or config exists; not fully validated
AUTOMATED_TESTEDUnit, integration, validator, or mock-harness evidence
E2E_VALIDATEDDocumented end-to-end or live gate in stated scope only
NOT_E2E_VALIDATEDSome automated/mock proof; no acceptable public e2e proof yet
BACKLOGPost-V1 hardening — not a product guarantee
NOT_CLAIMEDExplicitly forbidden to state publicly

Each entry also uses:

  • helps_prevent — reduces likelihood when maturity supports it
  • helps_detect — surfaces or limits duplicates/issues without implying prevention
  • does_not_prevent — boundaries you must not infer
  • validation_level / current_limitation / next_validation — honest assurance ceiling

Do not use “eliminates,” “replay-proof,” “SSRF-safe,” or bare “secure/safe” without matching maturity and public evidence.

Machine-readable endpoints

DocumentURL
AI discovery registry (freshness)[../ai/evidence-v1-supersession.md### AI Discovery Registry](../ai/evidence-v1-supersession.md### AI Discovery Registry)
V1 security validation summary (human)v1-security-validation-summary.md — 20 attacks classified (18 proven, 1 cloud-gated, 1 not claimed)
V1 security validation summary (JSON)v1-security-validation-summary.json — machine-readable summary
Claim maturity (canonical)ai/security-posture.md
Attack modelai/security-posture.md
Security primitivesai/security-posture.md
Security gapsai/security-posture.md
Local trust postureai/security-posture.md
Capability validationai/security-posture.md

Threat-model split

  • SaaS-origin dispatch — outbound URL fetch; SSRF, redirects, response handling.
  • Private edge delivery — outbound agent path to private targets; not equivalent to SaaS SSRF controls.

Local trust architecture (V1)

  • zen-agent — visible customer-plane local authority/supervisor for enrollment, flows, and projected trust material.
  • zen-lock — encrypted local survival store; adapters/ingester/egress consume projected material on hot paths, not per-delivery SaaS fetches.
  • SPIFFE/SPIRE-native identity — internal and Zen-managed in V1; customers do not operate SPIRE.
  • Fail-closed — expired/invalid local material is rejected on enforced paths.
  • Not claimed: validated 24h survival, compliance certification, customer-managed SPIRE, ST-003/N086/DeliveryPolicy PASS without evidence, certificate pinning/compromised-CA MITM (standard TLS only for V1; V1.1 candidate).

See ai/security-posture.md and primitive IDs PRIM-ZEN-LOCAL-TRUST-AUTHORITY, PRIM-ZEN-LOCK-SURVIVAL-STORE, PRIM-KEY-MATERIAL-ROTATION, PRIM-AIR-GAPPED-ADAPTER-HANDOFF, PRIM-SPIFFE-SPIRE-NATIVE-INTERNAL, PRIM-LOCAL-MATERIAL-EXPIRY-FAIL-CLOSED.

Highlights (2026-05-31)

TopicMaturityPlain language
Idempotency / duplicatesAUTOMATED_TESTEDHelps detect/limit duplicates in mock scenarios — not replay-proof
Provider signatures (Stripe wedge)AUTOMATED_TESTEDWired and mock-tested on configured wedge path
Agent HMACAUTOMATED_TESTEDWired with automated crypto tests — not delivery replay proof
Agent mTLSNOT_E2E_VALIDATEDWired + mock proof — not all paths e2e-validated
SPIFFE / SVID (Zen-managed internal)WIRED / NOT_E2E_VALIDATEDCustomers do not operate SPIRE in V1 — rotation not production-live proof
Local trust / 24h survivalNOT_CLAIMEDMaterial projection helps short gaps — not validated 24h survival
Air-gapped adapter handoffWIREDContract-defined — not compliance-certified air-gap program
Integrity evidenceAUTOMATED_TESTEDTamper-detection for evidence artifacts only
SSRF on SaaS dispatchBACKLOGScoped SSRF controls exist (central validation lib, Private Edge Delivery dispatch hardening) — SaaS-wide dispatch not validated. See gaps.
Payload / parser / header / redirect hardeningBACKLOGWH-AS backlog — remain visible in gaps.json
Local auth 2FA/MFANOT_CLAIMEDV1 prerequisite — blocked pending Hermes R22 runtime evidence

Narrative vs proof

Integrity Verification

Integrity and tamper-evidence for evidence bundles only — not authentication, identity, encryption, or replay prevention.