## Abstract
The OSSASAI Control Catalog specifies security controls for AI agent runtimes that accept untrusted inputs and execute actions with real-world consequences. Controls are derived from empirical threat analysis and organized around the four canonical trust boundaries (B1–B4). This document provides a systematic overview of the control structure, domain organization, and implementation prioritization guidance.
Note: Verifiability Principle: Every OSSASAI control includes specific, testable acceptance criteria with automated or semi-automated verification procedures. Controls without clear verification methodology are excluded from the normative specification.
## Control Framework Architecture

### Design Principles
OSSASAI controls are designed according to the following principles:
| Principle | Description | Implementation |
|---|---|---|
| Threat-Derived | Controls address documented attack vectors | Traceability to AATT threat taxonomy |
| Boundary-Aligned | Controls map to trust boundaries | B1–B4 boundary classification |
| Level-Graduated | Requirements scale with risk | L1/L2/L3 applicability |
| Evidence-Based | Controls require verifiable artifacts | Specified evidence requirements |
| Actionable | Controls include remediation guidance | Implementation procedures |
### Control Identification Schema

```
OSSASAI-[DOMAIN]-[NUMBER]
           │        │
           │        └─── Sequential identifier (01, 02, 03...)
           │
           └─── Domain abbreviation (CP, ID, TB, LS, SC, FV, NS)
```

Examples:

- OSSASAI-CP-01 → Control Plane domain, first control
- OSSASAI-TB-03 → Tool Blast Radius domain, third control
- OSSASAI-FV-02 → Formal Verification domain, second control
## Control Domains

### GEN: General
Boundary: All
Security by default, fail secure, least privilege, defense in depth, audit logging
**5 controls**

### CP: Control Plane
Boundary: B2 (Control Plane)
Admin access, exposure control, authentication, configuration integrity
**4 controls**

### ID: Inbound Identity
Boundary: B1 (Inbound Identity)
Peer verification, session isolation, channel policies
**3 controls**

### TB: Tool Blast Radius
Boundary: B3 (Tool)
Least privilege, approval gates, sandboxing, egress control
**4 controls**

### LS: Local State
Boundary: B4 (Local State)
Secrets protection, log redaction, memory safety, retention
**4 controls**

### SC: Supply Chain
Boundary: B3 (Tool)
Plugin trust, inventory management, artifact signing
**3 controls**

### FV: Formal Verification
Boundary: All
Security invariants, model checking, continuous verification
**3 controls**

### NS: Network Security
Boundary: B2, B3
Transport security, certificate validation, endpoint protection
**4 controls**
## Control Specification Structure
Each control follows a standardized structure enabling consistent implementation and verification:
```yaml
# OSSASAI Control Specification Format
Control ID: OSSASAI-[DOMAIN]-[NUMBER]
Title: [Descriptive Title]
Version: [Major.Minor]

# Requirement Classification
Requirement Level: MUST | SHOULD | MAY
Assurance Levels: L1 | L2 | L3 | All

# Normative Requirement
Requirement: |
  [Detailed requirement using RFC 2119 keywords]
Rationale: [Security justification and threat context]

# Implementation
Remediation: |
  [Step-by-step implementation guidance]
Configuration: |
  [Example configuration snippets]

# Verification
Evidence:
  - [Required artifact type and description]
Checks:
  - [Automated or manual verification procedure]
Verification Script: [Optional automation reference]

# Traceability
OSSASAI Top 10 Mapping: [Failure mode numbers]
STRIDE Categories: [S/T/R/I/D/E]
External References:
  - NIST SP 800-53: [Control reference]
  - OWASP ASVS: [Requirement reference]
  - CIS Controls: [Safeguard reference]
```
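An admission check for entries written in this format, added here as an illustration rather than tooling from the OSSASAI project: it enforces the identifier schema, the RFC 2119 level, the assurance-level set and the Verifiability Principle (no evidence or checks means the entry is not normative), and resolves level applicability. The field names (format fields lower-cased with underscores) and the sample CP-01 entry are constructed assumptions.

```python
import re

# Identifier schema from the catalog: OSSASAI-[DOMAIN]-[NUMBER]
CONTROL_ID = re.compile(r"^OSSASAI-(GEN|CP|ID|TB|LS|SC|FV|NS)-(\d{2})$")
REQ_LEVELS = {"MUST", "SHOULD", "MAY"}
ASSURANCE = {"L1", "L2", "L3", "All"}

def validate_control(spec: dict) -> list:
    """Return findings for one control entry; an empty list means it is admissible.
    Keys are the format's field names lower-cased with underscores (an assumption)."""
    findings = []
    cid = spec.get("control_id", "")
    if not CONTROL_ID.match(cid):
        findings.append(f"control_id {cid!r} does not match OSSASAI-[DOMAIN]-[NUMBER]")
    if spec.get("requirement_level") not in REQ_LEVELS:
        findings.append("requirement_level must be one of MUST, SHOULD, MAY")
    levels = set(spec.get("assurance_levels", []))
    if not levels or not levels <= ASSURANCE:
        findings.append("assurance_levels must be a non-empty subset of L1/L2/L3/All")
    # Verifiability principle: no evidence or no checks -> excluded from the normative spec
    if not spec.get("evidence"):
        findings.append("verifiability: at least one evidence artifact is required")
    if not spec.get("checks"):
        findings.append("verifiability: at least one verification check is required")
    bad = [n for n in spec.get("top10_mapping", []) if not 1 <= n <= 10]
    if bad:
        findings.append(f"top10_mapping entries outside 1..10: {bad}")
    return findings

def applies_at(spec: dict, level: str) -> bool:
    """True when the control is in scope at an assurance level (L1, L2 or L3)."""
    levels = set(spec.get("assurance_levels", []))
    return "All" in levels or level in levels

# Constructed entry for OSSASAI-CP-01, filled in from the catalog's matrix and evidence tables.
CP01 = {
    "control_id": "OSSASAI-CP-01",
    "title": "Default-Deny Control Plane Exposure",
    "requirement_level": "MUST",
    "assurance_levels": ["All"],
    "evidence": ["Exposure Report: admin surface reachability analysis"],
    "checks": ["Automated: audit tooling confirms no non-loopback admin listener"],
    "top10_mapping": [3, 10],
}
# Constructed defective entry: malformed ID, no checks, mapping outside the Top 10.
BROKEN = {**CP01, "control_id": "OSSASAI-XX-1", "checks": [], "top10_mapping": [11]}
```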
## Complete Control Matrix

### Controls by Domain and Level
| ID | Title | Req Level | L1 | L2 | L3 |
|---|---|---|---|---|---|
| **General — Cross-cutting** | | | | | |
| OSSASAI-GEN-01 | Security by Default | MUST | ● | ● | ● |
| OSSASAI-GEN-02 | Fail Secure | MUST | ● | ● | ● |
| OSSASAI-GEN-03 | Principle of Least Privilege | MUST | ● | ● | ● |
| OSSASAI-GEN-04 | Defense in Depth | SHOULD/MUST | ○ | ● | ● |
| OSSASAI-GEN-05 | Audit Logging | SHOULD/MUST | ○ | ● | ● |
| **B2 — Control Plane** | | | | | |
| OSSASAI-CP-01 | Default-Deny Control Plane Exposure | MUST | ● | ● | ● |
| OSSASAI-CP-02 | Strong Administrative Authentication | MUST | ● | ● | ● |
| OSSASAI-CP-03 | Proxy Trust Boundary Configuration | MUST | | ● | ● |
| OSSASAI-CP-04 | Operator/Agent Identity Separation | MUST | | ● | ● |
| **B1 — Inbound Identity** | | | | | |
| OSSASAI-ID-01 | Peer Verification for New Contacts | MUST | | ● | ● |
| OSSASAI-ID-02 | Session Isolation by Default | MUST | ● | ● | ● |
| OSSASAI-ID-03 | Group/Channel Policy Hardening | SHOULD/MUST | | ○ | ● |
| **B3 — Tool Governance** | | | | | |
| OSSASAI-TB-01 | Least Privilege Tool Configuration | MUST | ● | ● | ● |
| OSSASAI-TB-02 | Approval Gates for High-Risk Actions | MUST | | ● | ● |
| OSSASAI-TB-03 | Sandboxing for Untrusted Contexts | MUST | | ● | ● |
| OSSASAI-TB-04 | Outbound Data Exfiltration Controls | MUST | | ● | ● |
| **B4 — Local State** | | | | | |
| OSSASAI-LS-01 | Secrets Protected at Rest | MUST | ● | ● | ● |
| OSSASAI-LS-02 | Sensitive Log Redaction | MUST | ● | ● | ● |
| OSSASAI-LS-03 | Memory Safety Against Instruction Smuggling | SHOULD/MUST | ○ | ● | ● |
| OSSASAI-LS-04 | Retention and Deletion Guarantees | MUST | | ● | ● |
| **Supply Chain** | | | | | |
| OSSASAI-SC-01 | Explicit Plugin Trust and Inventory | MUST | | ● | ● |
| OSSASAI-SC-02 | Reproducible Builds and Pinning | SHOULD/MUST | | ○ | ● |
| OSSASAI-SC-03 | Artifact Signing and Attestation | SHOULD/MUST | | ○ | ● |
| **Formal Verification (Optional)** | | | | | |
| OSSASAI-FV-01 | Security Invariant Formal Verification | SHOULD | | | ○ |
| OSSASAI-FV-02 | Negative Model Regression Testing | SHOULD | | | ○ |
| OSSASAI-FV-03 | Continuous Verification in CI/CD | SHOULD | | | ○ |
| **Network Security** | | | | | |
| OSSASAI-NS-01 | TLS Enforcement for All Connections | MUST | | ● | ● |
| OSSASAI-NS-02 | Certificate Validation | MUST | | ● | ● |
| OSSASAI-NS-03 | API Endpoint Security | MUST | | ● | ● |
| OSSASAI-NS-04 | Network Traffic Analysis and Monitoring | MUST | | | ● |
Legend: ● = MUST implement, ○ = SHOULD implement, (blank) = Not applicable
Total Controls: 30 (5 GEN + 4 CP + 3 ID + 4 TB + 4 LS + 3 SC + 3 FV + 4 NS)
### Controls by Assurance Level

#### L1: Local-First Baseline
Deployment Profile: Single operator, local administration, minimal network exposure
Required Controls (10 MUST + 3 SHOULD):
| Control ID | Title | Primary Threat Addressed |
|---|---|---|
| OSSASAI-GEN-01 | Security by Default | Insecure defaults (#1) |
| OSSASAI-GEN-02 | Fail Secure | Security bypass on error (#4) |
| OSSASAI-GEN-03 | Principle of Least Privilege | Over-privileged tools (#2) |
| OSSASAI-GEN-04 | Defense in Depth (SHOULD) | Single point of failure (#5) |
| OSSASAI-GEN-05 | Audit Logging (SHOULD) | Insufficient auditability (#9) |
| OSSASAI-CP-01 | Default-Deny Control Plane Exposure | Control plane exposure (#3) |
| OSSASAI-CP-02 | Strong Administrative Authentication | Weak authentication (#3) |
| OSSASAI-ID-02 | Session Isolation by Default | Session boundary collapse (#4) |
| OSSASAI-TB-01 | Least Privilege Tool Configuration | Over-privileged tools (#2) |
| OSSASAI-LS-01 | Secrets Protected at Rest | Secrets leakage (#5) |
| OSSASAI-LS-02 | Sensitive Log Redaction | Secrets leakage (#5) |
| OSSASAI-LS-03 | Memory Safety (SHOULD) | Memory poisoning (#8) |
#### L2: Network-Aware Deployment
Deployment Profile: Remote access, team usage, network-exposed control plane
Additional Controls (15+ beyond L1):
| Control ID | Title | Primary Threat Addressed |
|---|---|---|
| OSSASAI-GEN-04 | Defense in Depth (MUST) | Single point of failure (#5) |
| OSSASAI-GEN-05 | Audit Logging (MUST) | Insufficient auditability (#9) |
| OSSASAI-CP-03 | Proxy Trust Boundary Configuration | Header spoofing attacks |
| OSSASAI-CP-04 | Operator/Agent Identity Separation | Privilege confusion |
| OSSASAI-ID-01 | Peer Verification for New Contacts | Unauthorized message processing |
| OSSASAI-ID-03 | Group/Channel Policy Hardening (SHOULD) | Group coercion attacks |
| OSSASAI-TB-02 | Approval Gates for High-Risk Actions | Tool misuse (#1) |
| OSSASAI-TB-03 | Sandboxing for Untrusted Contexts | Sandbox escape attacks |
| OSSASAI-TB-04 | Outbound Data Exfiltration Controls | Data exfiltration (#6) |
| OSSASAI-LS-03 | Memory Safety (MUST) | Memory poisoning (#8) |
| OSSASAI-LS-04 | Retention and Deletion Guarantees | Data lifecycle risks |
| OSSASAI-SC-01 | Explicit Plugin Trust and Inventory | Supply chain (#7) |
| OSSASAI-SC-02 | Reproducible Builds (SHOULD) | Supply chain (#7) |
| OSSASAI-SC-03 | Artifact Signing (SHOULD) | Supply chain (#7) |
| OSSASAI-NS-01 | TLS Enforcement | Network interception |
| OSSASAI-NS-02 | Certificate Validation | MITM attacks |
| OSSASAI-NS-03 | API Endpoint Security | API abuse |
#### L3: High-Risk Runtime
Deployment Profile: Multi-tenant, plugin-rich, regulated data, broad external connectivity
Additional Controls (7+ beyond L2):
| Control ID | Title | Primary Threat Addressed |
|---|---|---|
| OSSASAI-ID-03 | Group/Channel Policy Hardening (MUST) | Group coercion attacks |
| OSSASAI-SC-02 | Reproducible Builds (MUST) | Supply chain (#7) |
| OSSASAI-SC-03 | Artifact Signing (MUST) | Supply chain (#7) |
| OSSASAI-FV-01 | Security Invariant Verification (SHOULD) | Logic errors |
| OSSASAI-FV-02 | Negative Model Regression (SHOULD) | Regression introduction |
| OSSASAI-FV-03 | CI/CD Integration (SHOULD) | Continuous assurance |
| OSSASAI-NS-04 | Network Traffic Analysis | Advanced threats |
## OSSASAI Top 10 Mapping
Controls are mapped to the OSSASAI Top 10 failure modes derived from empirical incident analysis:
| # | Failure Mode | Primary Controls | Coverage |
|---|---|---|---|
| 1 | Prompt Injection → Tool Misuse | TB-01, TB-02, ID-02, GEN-01 | Direct |
| 2 | Over-Privileged Tools | TB-01, TB-02, TB-04, GEN-03 | Direct |
| 3 | Control Plane Exposure | CP-01, CP-02, CP-03 | Direct |
| 4 | Session Boundary Collapse | ID-02, ID-03, GEN-02 | Direct |
| 5 | Secrets Exfiltration | LS-01, LS-02, GEN-04 | Direct |
| 6 | Unsafe External Connectivity | TB-03, TB-04 | Direct |
| 7 | Extension Supply Chain | SC-01, SC-02, SC-03 | Direct |
| 8 | Memory Poisoning | LS-03 | Direct |
| 9 | Insufficient Auditability | TB-02, LS-04, GEN-05 | Direct |
| 10 | Configuration Drift | CP-01, CP-02, GEN-01 | Indirect |
## Control Dependency Graph

```
┌─────────────────────────────────────────────────────────────────────────────┐
│                        OSSASAI Control Dependencies                         │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│                          ┌────────────────────┐                             │
│                          │   CP-01 / CP-02    │                             │
│                          │   Control Plane    │                             │
│                          │     Foundation     │                             │
│                          └─────────┬──────────┘                             │
│                                    │                                        │
│             ┌──────────────────────┼──────────────────────┐                 │
│             │                      │                      │                 │
│             ▼                      ▼                      ▼                 │
│     ┌───────────────┐      ┌───────────────┐      ┌───────────────┐         │
│     │   ID-01/02    │◄────►│   TB-01/02    │      │   SC-01/02    │         │
│     │   Identity    │      │  Tool Policy  │      │ Supply Chain  │         │
│     └───────┬───────┘      └───────┬───────┘      └───────────────┘         │
│             │                      │                                        │
│             ▼                      ▼                                        │
│     ┌───────────────┐      ┌───────────────┐                                │
│     │   LS-01/02    │      │   TB-03/04    │                                │
│     │  Local State  │      │Sandbox/Egress │                                │
│     └───────────────┘      └───────────────┘                                │
│                                                                             │
│   Cross-Cutting Controls:                                                   │
│   ─────────────────────                                                     │
│   • FV-* verifies invariants across CP-*, TB-*, ID-*                        │
│   • NS-* extends CP-* and TB-* for network scenarios                        │
│   • LS-03 protects against B1→B4 injection chains                           │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
```
## Implementation Prioritization

### Critical Path Controls
These controls form the security foundation and SHOULD be implemented first:
| Priority | Control | Rationale |
|---|---|---|
| 1 | OSSASAI-CP-01 | Prevents control plane exposure—foundational |
| 2 | OSSASAI-CP-02 | Protects administrative functions—foundational |
| 3 | OSSASAI-TB-01 | Limits tool blast radius—primary defense |
| 4 | OSSASAI-LS-01 | Protects credentials—prevents cascade compromise |
| 5 | OSSASAI-LS-02 | Prevents log-based leakage—defense in depth |
### Risk-Effort Analysis
| Control | Risk Reduction | Implementation Effort | Priority Score |
|---|---|---|---|
| OSSASAI-CP-01 | High | Low | 1 |
| OSSASAI-LS-02 | High | Low | 2 |
| OSSASAI-TB-01 | High | Medium | 3 |
| OSSASAI-ID-02 | High | Medium | 4 |
| OSSASAI-TB-02 | High | Medium | 5 |
| OSSASAI-CP-02 | High | Medium | 6 |
| OSSASAI-TB-04 | Medium | Medium | 7 |
| OSSASAI-SC-01 | Medium | Medium | 8 |
## Evidence Framework

### Required Artifacts by Domain
| Domain | Artifact | Description | Controls |
|---|---|---|---|
| GEN | Default Configuration Audit | Fresh install security baseline | GEN-01 |
| GEN | Error Handling Tests | Fail-secure behavior verification | GEN-02 |
| GEN | Privilege Audit | Runtime permission analysis | GEN-03 |
| GEN | Defense Layer Analysis | Control redundancy documentation | GEN-04 |
| GEN | Audit Log Samples | Security event log evidence | GEN-05 |
| CP | Exposure Report | Admin surface reachability analysis | CP-01, CP-02, CP-03 |
| CP | Auth Configuration | Authentication mechanism evidence | CP-02, CP-04 |
| ID | Session Isolation Tests | Cross-context leakage test results | ID-02, ID-03 |
| TB | Tool Policy Manifest | Allowlists, scopes, approval rules | TB-01, TB-02, TB-04 |
| LS | Secrets Posture | Credential storage and permissions | LS-01 |
| LS | Redaction Tests | Log analysis for sensitive patterns | LS-02 |
| SC | Extension Inventory | Plugin list with provenance | SC-01, SC-02 |
| SC | Signature Verification Logs | Artifact signing verification evidence | SC-03 |
| FV | Model Artifacts | TLA+/TLC outputs and counterexamples | FV-01, FV-02 |
| NS | TLS Assessment | Certificate and protocol verification | NS-01, NS-02 |
### Verification Methods
| Method | Description | Applicable Controls |
|---|---|---|
| Automated | Full automation via audit tooling | CP-01, TB-01, LS-02, NS-01, NS-02 |
| Semi-Automated | Automated check + manual review | TB-02, SC-01, ID-02 |
| Manual | Requires human assessment | CP-02, FV-\*, some ID-\* |
## Profile Implementation
OSSASAI controls are generic specifications. Ecosystem Profiles provide implementation-specific mappings:
```yaml
# Profile Mapping Example
profile: OSSASAI-PROFILE-OPENCLAW-OCSAS-0.1
mappings:
  OSSASAI-CP-01:
    platform_config: "gateway.bind"
    default_value: "127.0.0.1:18789"
    verification_command: "openclaw security audit --deep"
    documentation: "https://docs.openclaw.ai/gateway/security"
  OSSASAI-TB-01:
    platform_config: "tools.allowlist"
    verification_command: "openclaw security audit --check tools"
    documentation: "https://docs.openclaw.ai/gateway/security"
```
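What a profile mapping buys an auditor is a mechanical check per control. The example below is added here and is not OpenClaw's or the OSSASAI project's own tooling: it reads the two mapped keys above from a platform config and decides CP-01 (the admin listener must be a loopback literal) and TB-01 (an explicit, non-wildcard allowlist). The nested-dict config layout, the wildcard semantics for `tools.allowlist`, and the rule that an unset key takes the profile's `default_value` are assumptions; the sample configs are constructed.

```python
import ipaddress

# Profile mapping taken from the page's example (only the fields this check needs).
PROFILE = {
    "OSSASAI-CP-01": {"platform_config": "gateway.bind", "default_value": "127.0.0.1:18789"},
    "OSSASAI-TB-01": {"platform_config": "tools.allowlist"},
}

def lookup(config: dict, dotted: str):
    """Resolve a dotted platform_config key such as 'gateway.bind' in a nested dict.
    The nested-dict layout of the platform config is an assumption of this example."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def bind_is_loopback(bind: str) -> bool:
    """CP-01 (default-deny exposure): the admin listener must be a loopback IP literal.
    Hostnames are rejected because their resolution is outside the runtime's control."""
    host, sep, _port = bind.rpartition(":")
    if not sep:
        host = bind
    host = host.strip("[]")  # accept the [::1]:port form
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(config: dict) -> dict:
    """Evaluate the mapped controls against a platform config; PASS or FAIL per control."""
    results = {}
    bind = lookup(config, PROFILE["OSSASAI-CP-01"]["platform_config"])
    if bind is None:  # assumption: an unset key takes the profile's default_value
        bind = PROFILE["OSSASAI-CP-01"]["default_value"]
    results["OSSASAI-CP-01"] = "PASS" if bind_is_loopback(bind) else f"FAIL: bound to {bind}"
    allow = lookup(config, PROFILE["OSSASAI-TB-01"]["platform_config"])
    # Assumed TB-01 semantics: an explicit, non-empty allowlist with no wildcard entry.
    ok = isinstance(allow, list) and bool(allow) and "*" not in allow
    results["OSSASAI-TB-01"] = "PASS" if ok else "FAIL: allowlist missing, empty or wildcard"
    return results

# Constructed configs: a hardened one and one with the control plane on all interfaces.
HARDENED = {"gateway": {"bind": "127.0.0.1:18789"}, "tools": {"allowlist": ["read_file", "search"]}}
EXPOSED = {"gateway": {"bind": "0.0.0.0:18789"}, "tools": {"allowlist": ["*"]}}
```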
### OCSAS - OpenClaw Security Assurance Standard
Reference implementation profile demonstrating complete control-to-configuration mapping for the OpenClaw agent runtime.
## References

### Normative References
- OSSASAI Specification Overview (/spec/overview)
- OSSASAI Threat Model (/threat-model/overview)
- OSSASAI Assurance Levels (/spec/assurance-levels)
### Informative References
- OWASP Application Security Verification Standard (ASVS) v4.0
- NIST SP 800-53 Rev 5: Security and Privacy Controls
- CIS Controls v8: Critical Security Controls
- MITRE ATT&CK Framework