Agentic AI Security Requirements — anandus.ai
Version: 1.0 | Created: 2026-05-30 | Frameworks: NIST AI RMF · NIST SP 800-53 Rev 5 · OWASP LLM Top 10 v1.1 · Microsoft Responsible AI Standard v2
1. Scope and Purpose
This document defines security requirements specific to the agentic behavior of anandus.ai —
the AI's ability to retrieve information, generate responses, log interactions, index documents,
and expose analytics via MCP. These requirements go beyond traditional application security to
address risks unique to AI agents: excessive authority, hallucination, model manipulation,
supply chain attacks, and inadequate human oversight.
System components in scope:
- ChatHandler Lambda — RAG agent that retrieves and generates responses
- RAGIndexer Lambda — indexing agent that fetches, chunks, and embeds profile data
- MCPHandler Lambda — analytics agent that exposes interaction data via JSON-RPC 2.0
- Amazon Bedrock Nova Lite — the language model being orchestrated
- Amazon Bedrock Titan Embeddings V2 — the embedding model used for semantic retrieval
- Azure AI Content Safety (Prompt Shields) — second-layer prompt attack classification
2. NIST AI RMF Requirements
The NIST AI Risk Management Framework structures AI risk across four functions:
Govern (GV), Map (MP), Measure (ME), Manage (MG).
2.1 Govern (GV) — Policies and Accountability
| ID | Control | Requirement | Tested |
|---|---|---|---|
| GV-1.1 | Policies exist | AI governance policies are documented and enforced in code | YES |
| GV-1.2 | Risk tolerance | Human oversight is mandatory for all high-risk AI outputs | YES |
| GV-1.3 | Accountability | Every AI action is attributable to an authenticated session | YES |
| GV-2.1 | Authority limits | AI cannot execute actions — advisory outputs only | YES |
| GV-2.2 | Scope definition | AI scope is bounded to profile Q&A — no general-purpose use | YES |
| GV-3.1 | Transparency | AI identifies itself and cites sources in all responses | YES |
| GV-4.1 | Culture of safety | Injection defense is a first-class engineering concern | YES |
2.2 Map (MP) — Risk Context and Identification
| ID | Control | Requirement | Tested |
|---|---|---|---|
| MP-1.1 | AI risk identification | All agent roles have defined authority boundaries | YES |
| MP-2.1 | Impact assessment | Failure modes (hallucination, injection, overreach) are documented | MANUAL |
| MP-3.1 | Stakeholder mapping | AI output consumers (users, MCP clients) are identified | PARTIAL |
| MP-4.1 | Supply chain mapping | Third-party models (Bedrock, Azure) have documented risk profiles | YES |
| MP-5.1 | Indirect impact | Poisoned RAG content is a mapped threat vector | YES |
2.3 Measure (ME) — Risk Analysis and Evaluation
| ID | Control | Requirement | Tested |
|---|---|---|---|
| ME-1.1 | Performance metrics | Retrieval accuracy and latency are measurable | PARTIAL |
| ME-2.1 | Robustness testing | AI behaves consistently under adversarial inputs | YES |
| ME-2.2 | Bias evaluation | Consistent behavior regardless of input phrasing | YES |
| ME-2.3 | Safety evaluation | Injection detection rate is measurable | YES |
| ME-3.1 | Human review | Output quality is subject to human audit | YES |
| ME-4.1 | Monitoring | Real-time metrics for injection attempts and risk scores | YES |
2.4 Manage (MG) — Risk Treatment and Response
| ID | Control | Requirement | Tested |
|---|---|---|---|
| MG-1.1 | Risk treatment | Injection risks are mitigated at multiple layers | YES |
| MG-2.1 | Incident response | Security events trigger automated logging and alerting | YES |
| MG-3.1 | Session controls | Malicious sessions are invalidated within 15 minutes | YES |
| MG-4.1 | Monitoring | CloudWatch alarms fire on anomalous injection rates | YES |
| MG-5.1 | Recovery | System degrades gracefully when Bedrock is unavailable | YES |
3. NIST SP 800-53 Rev 5 Requirements (AI-relevant controls)
3.1 Access Control (AC)
| Control | Requirement | Implementation |
|---|---|---|
| AC-3 | Access Enforcement | Agent requests validated against session store before any action |
| AC-4 | Information Flow | Data flows only from corpus → LLM → user; no reverse flow |
| AC-6 | Least Privilege | Each Lambda has only the IAM permissions it requires |
| AC-6(9) | Log Use of Privileged Functions | All Bedrock invocations logged with interaction ID |
| AC-12 | Session Termination | Sessions expire at 24h; invalidated on abuse or injection |

| ID | Requirement | Ref | Tested |
|---|---|---|---|
| REQ-AC-01 | ChatHandler MUST reject requests with no valid session | AC-3 | YES |
| REQ-AC-02 | MCPHandler MUST be read-only (no DynamoDB writes) | AC-6 | YES |
| REQ-AC-03 | RAGIndexer MUST NOT write to Sessions or Interactions table | AC-6 | YES |
| REQ-AC-04 | Model ID MUST NOT be user-controllable | AC-3 | YES |
| REQ-AC-05 | Inference parameters MUST NOT be user-controllable | AC-3 | YES |
3.2 Audit and Accountability (AU)
| Control | Requirement | Implementation |
|---|---|---|
| AU-2 | Event Logging | All chat_message events logged with timestamp, email, IP |
| AU-3 | Content of Audit Records | Records contain sufficient detail for post-incident reconstruction |
| AU-9 | Protection of Audit Info | Logs written to DynamoDB; AI cannot delete or modify them |
| AU-12 | Audit Record Generation | Interaction logger is called on every successful AI response |
| AU-14 | Session Audit | Session token present in every security event record |

| ID | Requirement | Ref | Tested |
|---|---|---|---|
| REQ-AU-01 | Every successful chat MUST log a chat_message interaction | AU-12 | YES |
| REQ-AU-02 | Every injection block MUST log a security_event | AU-12 | YES |
| REQ-AU-03 | Audit records MUST contain: interactionId, timestamp, email, ipAddress | AU-3 | YES |
| REQ-AU-04 | AI CANNOT delete or modify its own audit records | AU-9 | YES |
| REQ-AU-05 | Audit records MUST be retained for minimum 30 days (TTL) | AU-11 | YES |
3.3 Configuration Management (CM)
| Control | Requirement | Implementation |
|---|---|---|
| CM-7 | Least Functionality | AI agent capabilities bounded to Q&A — no code execution, no DB writes |
| CM-7(5) | Authorized Software | Only approved Bedrock models may be invoked |
| CM-14 | Signed Components | Model versions are pinned and documented |

| ID | Requirement | Ref | Tested |
|---|---|---|---|
| REQ-CM-01 | AI MUST use only the pinned model: amazon.nova-lite-v1:0 | CM-7(5) | YES |
| REQ-CM-02 | AI MUST use only the pinned embedding model: amazon.titan-embed-text-v2:0 | CM-7(5) | YES |
| REQ-CM-03 | AI MUST NOT invoke models based on user-supplied model IDs | CM-14 | YES |
| REQ-CM-04 | AI response generation MUST be bounded: max_new_tokens ≤ 1024 | CM-7 | YES |
| REQ-CM-05 | AI temperature MUST be fixed at 0.7 (not user-adjustable) | CM-7 | YES |
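One way the ChatHandler can enforce REQ-AC-04/05 and REQ-CM-01 to REQ-CM-05 at the request boundary, as an added TypeScript example that is not anandus.ai's own code: the client request field names, the set of keys a client is allowed to send, and the Bedrock request shape are assumptions. Any client-supplied override is dropped and reported so the caller can log it as a security_event.

```typescript
// Added example (not anandus.ai project code). Builds the Bedrock invocation
// request from an untrusted chat request; pinned values come from this document.
export const PINNED_MODEL_ID = "amazon.nova-lite-v1:0";             // REQ-CM-01
export const PINNED_EMBED_MODEL_ID = "amazon.titan-embed-text-v2:0"; // REQ-CM-02
export const FIXED_TEMPERATURE = 0.7;                               // REQ-CM-05
export const MAX_NEW_TOKENS = 1024;                                 // REQ-CM-04

export interface InvocationConfig {
  modelId: string;
  inferenceConfig: { temperature: number; maxTokens: number };
  messages: { role: "user"; content: string }[];
}

export interface BuildResult {
  config: InvocationConfig;
  // Client-supplied keys that were ignored (e.g. modelId, temperature).
  // The caller should log these as a security_event (REQ-AU-02), never honor them.
  ignoredFields: string[];
}

// Assumed client contract: only these keys are read from the request body.
const ALLOWED_REQUEST_KEYS = new Set(["message", "sessionId"]);

export function buildInvocationConfig(request: Record<string, unknown>): BuildResult {
  const message = request["message"];
  if (typeof message !== "string" || message.length === 0) {
    throw new Error("message must be a non-empty string"); // SI-10 structure check
  }
  // Every key outside the contract is reported; none of them influence the call.
  const ignoredFields = Object.keys(request).filter((k) => !ALLOWED_REQUEST_KEYS.has(k));
  return {
    config: {
      modelId: PINNED_MODEL_ID,                       // REQ-AC-04 / REQ-CM-03
      inferenceConfig: { temperature: FIXED_TEMPERATURE, maxTokens: MAX_NEW_TOKENS }, // REQ-AC-05
      messages: [{ role: "user", content: message }],
    },
    ignoredFields,
  };
}

// Second guard at the outbound call: even an internal code path cannot
// invoke a model that is not on the approved list (CM-7(5)).
export function assertPinnedModel(modelId: string): void {
  if (modelId !== PINNED_MODEL_ID && modelId !== PINNED_EMBED_MODEL_ID) {
    throw new Error(`model ${modelId} is not on the approved list (CM-7(5))`);
  }
}
```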
3.4 System and Information Integrity (SI)
| Control | Requirement | Implementation |
|---|---|---|
| SI-3 | Malicious Code Protection | Prompt injection patterns blocked at gate + Bedrock Guardrails |
| SI-10 | Information Input Validation | All chat inputs validated for type and structure |
| SI-15 | Information Output Filtering | Responses include source citations; template tokens stripped from chunks |
| SI-23 | Information Fragmentation | RAG retrieval bounded to top-5 relevant chunks |

| ID | Requirement | Ref | Tested |
|---|---|---|---|
| REQ-SI-01 | AI output MUST include citations (sources array) | SI-15 | YES |
| REQ-SI-02 | Chunk content MUST be sanitized before system prompt insertion | SI-10 | YES |
| REQ-SI-03 | AI responses MUST NOT contain executable HTML or JavaScript | SI-15 | YES |
| REQ-SI-04 | Response length MUST be bounded by max_new_tokens | SI-7 | YES |
| REQ-SI-05 | AI MUST NOT return content from outside the indexed corpus | SI-23 | YES |
4. OWASP LLM Top 10 v1.1 Requirements
| OWASP ID | Vulnerability | Status in anandus.ai |
|---|---|---|
| LLM01 | Prompt Injection | Mitigated — 4-layer defense (heuristic + Guardrails + chunk sanitization + system prompt) |
| LLM02 | Insecure Output Handling | Mitigated — source citations required; responses not executed |
| LLM03 | Training Data Poisoning | Not applicable — model is third-party (Nova Lite), not fine-tuned |
| LLM04 | Model Denial of Service | Partially mitigated — rate limiting; no token budget enforcement beyond max_tokens |
| LLM05 | Supply Chain Vulnerabilities | Mitigated — model IDs pinned; Bedrock handles model version management |
| LLM06 | Sensitive Information Disclosure | Mitigated — system prompt protected; source paths sanitized |
| LLM07 | Insecure Plugin Design | Mitigated — MCP server is read-only; no write-capable tools exposed |
| LLM08 | Excessive Agency | Mitigated — AI is advisory only; no autonomous action execution |
| LLM09 | Overreliance | Partial — source citations present; no AI output quality gate |
| LLM10 | Model Theft | Not applicable — hosted model, not exportable |
4.1 LLM08 — Excessive Agency Requirements
An agent has excessive agency when it can take actions beyond what is necessary or authorized.
| ID | Requirement | Tested |
|---|---|---|
| REQ-LLM08-01 | AI response MUST be text-only — no executable actions initiated | YES |
| REQ-LLM08-02 | AI MUST NOT modify any DynamoDB table directly from a user instruction | YES |
| REQ-LLM08-03 | AI MUST NOT invoke external HTTP endpoints based on user input | YES |
| REQ-LLM08-04 | AI MUST NOT create, modify, or delete sessions autonomously | YES |
| REQ-LLM08-05 | RAGIndexer MUST NOT write outside the Embeddings table | YES |
| REQ-LLM08-06 | MCP handler MUST have no write path whatsoever | YES |
4.2 LLM09 — Overreliance Requirements
| ID | Requirement | Tested |
|---|---|---|
| REQ-LLM09-01 | AI responses MUST include source citations for factual claims | YES |
| REQ-LLM09-02 | AI MUST NOT respond with empty sources array for Q&A responses | YES |
| REQ-LLM09-03 | AI MUST acknowledge uncertainty rather than fabricate answers | MANUAL |
| REQ-LLM09-04 | AI system prompt MUST instruct model never to fabricate details | YES |
5. Azure AI Content Safety Requirements
| ID | Control | Azure Service | Requirement |
|---|---|---|---|
| REQ-AZ-01 | Input screening — jailbreak | Azure AI Content Safety Prompt Shields | Detect direct jailbreak in user prompt |
| REQ-AZ-02 | Input screening — indirect | Azure AI Content Safety Prompt Shields | Detect indirect injection in RAG documents |
| REQ-AZ-03 | Content categories | Azure AI Content Safety Text Analysis | Hate/SelfHarm/Sexual/Violence ≤ severity 2 |
| REQ-AZ-04 | Protected material | Azure AI Content Safety | No copyrighted material in responses |
| REQ-AZ-05 | Groundedness | Azure AI Content Safety Groundedness | Response grounded in retrieved context |
| REQ-AZ-06 | Graceful degradation | — | System falls back to local heuristic when Azure CS unavailable |
| REQ-AZ-07 | Response audit | Azure Monitor | Azure CS verdicts logged to Application Insights |
| REQ-AZ-08 | Defender for AI | Microsoft Defender for Cloud | LLM threat detection alerts forwarded to SIEM |
6. Microsoft Responsible AI Principles Mapping
| Principle | Requirement | Implementation |
|---|---|---|
| Fairness | Consistent behavior regardless of user identity or phrasing | Stateless gate — same rules for all users |
| Reliability & Safety | Graceful degradation; no crash on Bedrock failure | 503 with retry logic; 3× exponential backoff |
| Privacy & Security | PII minimization in logs; no plaintext secrets | Session tokens hashed; secrets in env vars |
| Inclusiveness | Accessible to all authenticated users | Three auth paths (LinkedIn, email, Turnstile) |
| Transparency | AI identifies itself; cites information sources | System prompt states AI role; sources[] in response |
| Accountability | Human can audit, override, and invalidate AI decisions | Session revocation; interaction log; admin dashboard |
7. Automated Test Coverage Matrix
| Test File | Standards Covered | Test Count |
|---|---|---|
| agentic-excessive-agency.red-team.test.ts | LLM08, AC-6, CM-7, GV-2 | ~35 |
| agentic-output-integrity.red-team.test.ts | LLM02, LLM09, SI-15, GV-3 | ~30 |
| agentic-accountability.red-team.test.ts | AU-2, AU-3, AU-9, AU-12, GV-1 | ~28 |
| agentic-model-integrity.red-team.test.ts | LLM05, CM-7(5), CM-14, MP-4 | ~25 |
| agentic-azure-content-safety.red-team.test.ts | REQ-AZ-01 to REQ-AZ-08, LLM01 | ~30 |
Run all agentic tests:
npx vitest run backend/src/red-team/agentic-