From 0e4e26291c0e1a9dbcdfb6f032ee6a4d59518746 Mon Sep 17 00:00:00 2001 From: Rico Komenda Date: Tue, 31 Mar 2026 23:11:42 +0200 Subject: [PATCH] feat(C9): add agent persisted state integrity control (9.4.5) --- 1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md | 1 + 1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md | 1 + 2 files changed, 2 insertions(+) diff --git a/1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md b/1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md index f871b26..03c5711 100644 --- a/1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md +++ b/1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md @@ -62,6 +62,7 @@ Make every action attributable and every mutation detectable. | **9.4.2** | **Verify that** agent-initiated actions are cryptographically bound to the execution chain (chain ID) and are signed and timestamped for non-repudiation and traceability. | 2 | | **9.4.3** | **Verify that** audit logs are tamper-evident (via append-only/WORM/immutable log store, cryptographic hash chaining where each record includes the hash of the prior record, or equivalent integrity guarantees that can be independently verified), and include sufficient context to reconstruct who/what acted, initiating user identifier, delegation scope, authorization decision (policy/version), tool parameters, approvals (where applicable), and outcomes. | 2 | | **9.4.4** | **Verify that** agent identity credentials (keys/certs/tokens) rotate on a defined schedule and on compromise indicators, with rapid revocation and quarantine on suspected compromise or spoofing attempts. | 3 | +| **9.4.5** | **Verify that** agent state persisted between invocations (including memory, task context, goals, and partial results) is integrity-protected (e.g., via cryptographic MACs or signatures), and that the runtime rejects or quarantines state that fails integrity verification before resuming execution. | 2 | --- 
diff --git a/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md b/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md index 9f04dd2..b90f220 100644 --- a/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md +++ b/1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md @@ -138,6 +138,7 @@ Verify authenticity and detect tampering of models, artifacts, messages, logs, a | MCP component signature and checksum verification | 10.1.1 | | MCP schema integrity signing and tool definition hash tracking | 10.4.2, 10.4.5 | | DAG cryptographic signatures and tamper-evident storage | 13.7.3 | +| Agent persisted state integrity protection (MAC/signature, rejection on failure) | 9.4.5 | **Common pitfalls:** using mutable `:latest` tags instead of immutable digests; not re-verifying tool definition hashes between MCP invocations; missing replay protection on agent messages.
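Review bot: The new 9.4.5 row in 0x10-C09-Orchestration-and-Agentic-Action.md requires a MAC or signature over persisted state but does not require freshness or binding, so an older state blob, or one written for a different agent, would still verify and be resumed. Consider extending the wording so the protected data includes the agent or chain identifier (9.4.2 already relies on a chain ID) and a monotonic version or sequence number, for example "... is integrity-protected and bound to the agent identity and a state version ...". It would also help to say that rejection and quarantine events are written to the tamper-evident audit log described in 9.4.3.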
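Review bot: In the 0x93-Appendix-D_AI_Security_Controls_Inventory.md hunk the new row is appended after the 13.7.3 entry, while the visible rows above it run 10.1.1, 10.4.2/10.4.5, 13.7.3 in ascending order; if the table is sorted by control ID, the 9.4.5 row belongs before the chapter 10 entries. The "Common pitfalls" line that follows is unchanged and lists nothing for persisted state, so a short addition such as resuming from stored agent state without verifying it would keep that line in step with the new row.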