A runtime that accepts input (messages/events), invokes model(s), and may execute tool actions. Includes chat/DM-based personal assistants, enterprise copilots, multi-agent runtimes, and AI coding assistants.
Adversary Class
Classification of threat actors by capability and access level (A1-A5). Ranges from untrusted senders (A1) to supply-chain adversaries (A5).
Allowlist
Explicit list of permitted items (commands, paths, hosts). OSSASAI uses allowlisting as a primary restriction mechanism.
Assurance Level
OSSASAI conformance tier (L1, L2, L3) representing increasing security rigor and control requirements.
B
B1 (Inbound Identity Boundary)
Trust boundary for untrusted senders, channels, and web inputs. Primary prompt injection / coercion surface.
B2 (Control Plane Boundary)
Trust boundary for admin access to configuration and approvals (UI/API/CLI).
B3 (Tool Boundary)
Trust boundary for tool execution, privilege, and approval flow.
B4 (Local State Boundary)
Trust boundary for credentials, secrets, memory, logs, transcripts, and caches.
Blast Radius
The extent of potential damage from a security incident. Quantified based on filesystem scope, capabilities, data sensitivity, and persistence potential.
C
Capability
A permission or ability granted to an agent. Capabilities are explicitly granted and constrained by the permission model.
Coercion Attack
Attack that manipulates the AI agent into performing unintended actions. Includes prompt injection, social engineering, and context manipulation.
Conformance
Meeting the requirements of a specified OSSASAI assurance level. Full conformance requires implementing all MUST controls for that level.
Control
A security requirement with specific implementation and verification criteria. Identified by OSSASAI prefix, domain prefix, and number (e.g., OSSASAI-TB-01).
Control Plane
Admin UI/API/CLI used to configure, observe, approve, or operate the agent.
D
Data Plane
Inbound/outbound message channels and tool I/O.
Denylist
Explicit list of prohibited items. Used for dangerous command patterns and known malicious content.
Domain
A category of related security controls. OSSASAI defines seven domains: CP, ID, TB, LS, SC, FV, NS.
E
Evidence
Documentation demonstrating control implementation. Required for compliance verification.
Extension / Plugin
Third-party code or configuration that expands agent capabilities. Subject to supply chain controls.
F
Formal Verification
Mathematical proof of security properties. Optional but encouraged for L3 deployments.
I
Instruction Smuggling
Attack where malicious instructions are embedded in retrieved content (memory, RAG) to override system behavior.
L
L1 (Local-First Baseline)
OSSASAI assurance level for a single operator with a local admin surface and minimal exposure. Target: hobby/personal use or a developer workstation.
L2 (Network-Aware)
OSSASAI assurance level for deployments with remote access (LAN/tailnet/VPS) and higher inbound risk. Target: remote control plane, team usage.
L3 (High-Risk Runtime)
OSSASAI assurance level for tool-rich, plugin-heavy, multi-user/multi-tenant deployments. Target: enterprise-like exposure, many connectors, delegated actions.
Least Privilege
Security principle that grants only the minimal permissions needed for operation. Core principle of OSSASAI tool governance.
M
Memory Poisoning
Attack that corrupts agent memory or context to influence future behavior. Includes retrieval attacks and instruction smuggling.
MUST / SHOULD / MAY
RFC 2119 requirement levels used in OSSASAI. MUST indicates an absolute requirement, SHOULD a strong recommendation, and MAY an optional item.
O
OCSAS (OpenClaw Security Assurance Standard)
The official OpenClaw implementation profile for OSSASAI. Maps OSSASAI controls to OpenClaw’s configuration and CLI tooling.
OSSASAI
Open Security Standard for Agentic Systems. A vendor-neutral, “OWASP-like” global security standard for AI agent runtimes.