Research Date: February 11, 2026
Scope: Comprehensive review of AGENTS.md security protocols against current standards and best practices
Sources: NIST CSRC, OWASP GenAI Security Project, NIST Cybersecurity Framework 2.0, NIST IR 8547
- Executive Summary
- Post-Quantum Cryptography (PQC) Updates
- New NIST Publications & Standards
- Zero Trust Architecture Updates
- OWASP LLM & Agentic AI Security
- TLS & Transport Security
- Encryption at Rest
- AI Agent-Specific Security
- Supply Chain Security
- NIST Cybersecurity Framework 2.0 Alignment
- Recommended AGENTS.md Changes
- Migration Timeline & Priority Matrix
The current AGENTS.md security section is well-structured and already references the correct FIPS 203/204/205 standards. However, several significant developments since the original drafting require updates:
- FIPS 203/204/205 are now FINAL (published August 13, 2024) — the current table says "Standard" for 2026 status, which is accurate but should reflect they are already finalized and in active deployment
- HQC selected as backup KEM (March 11, 2025) — a second KEM to back up ML-KEM
- FIPS 206 (FN-DSA/FALCON) is in draft development — a fourth PQC standard
- NIST SP 800-227 (September 2025) — new KEM recommendations guidance is now final
- NIST IR 8547 (November 2024, draft) — formal transition timeline: deprecate quantum-vulnerable algorithms by 2035
- OWASP Top 10 for Agentic Applications 2026 (December 2025) — directly relevant to this project
- NIST CSF 2.0 — new Cybersecurity Framework with Cyber AI Profile in development
- OWASP AIBOM Generator (December 2025) — AI Bill of Materials tooling
- EO 14110 on AI was rescinded (January 20, 2025) — federal AI policy landscape shift
Current AGENTS.md PQC table:

| Purpose | Standard | Algorithm | Status (2026) |
|---------|----------|-----------|---------------|
| Key Encapsulation | FIPS 203 | ML-KEM-768/1024 | Standard |
| Digital Signatures | FIPS 204 | ML-DSA-65/87 | Standard |
| Hash-Based Sig | FIPS 205 | SLH-DSA | Standard |

Updated status as of this review:

| Purpose | Standard | Algorithm | Status (Feb 2026) |
|---|---|---|---|
| Key Encapsulation (Primary) | FIPS 203 | ML-KEM-768/1024 | Finalized (Aug 2024) |
| Digital Signatures (Primary) | FIPS 204 | ML-DSA-65/87 | Finalized (Aug 2024) |
| Hash-Based Sig (Backup) | FIPS 205 | SLH-DSA | Finalized (Aug 2024) |
| Digital Signatures (Backup) | FIPS 206 | FN-DSA (FALCON) | Draft (In Development) |
| Key Encapsulation (Backup) | TBD | HQC | Selected (Mar 2025), ~2 years to final |
| KEM Guidance | SP 800-227 | N/A | Finalized (Sep 2025) |
| Migration Timeline | IR 8547 | N/A | Draft (Nov 2024) |
Key Changes:
- FIPS 203/204/205 are no longer "upcoming" — they are final and ready for immediate use
- NIST explicitly states: "Go ahead and start using these three." (Dustin Moody, PQC project lead)
- HQC was selected over BIKE and Classic McEliece as a backup KEM based on code-based cryptography (different math than ML-KEM's lattice-based approach), providing algorithm diversity
- FN-DSA (FALCON) will provide a lattice-based signature backup with smaller signatures than ML-DSA
- SP 800-227 provides authoritative KEM deployment guidance — should be referenced
- IR 8547 establishes the NIST deprecation timeline for quantum-vulnerable algorithms
NIST identified an issue in FIPS 203 that will be corrected in a future update. Check the errata spreadsheet at:
https://csrc.nist.gov/files/pubs/fips/203/final/docs/fips-203-potential-updates.xlsx
Several minor issues identified in FIPS 204. Check:
https://csrc.nist.gov/files/pubs/fips/204/final/docs/fips-204-potential-updates.xlsx
Current AGENTS.md: X25519 + ML-KEM-768 (FIPS 203)
Recommendation: This is still correct and aligned with best practices. The hybrid approach provides:
- Classical security via X25519 (ECDH)
- Quantum resistance via ML-KEM-768
- Defense-in-depth: if either algorithm is broken, the other still protects
Additional Consideration: As HQC becomes standardized (~2027), consider a triple-hybrid option for highest-security contexts:
X25519 + ML-KEM-768 + HQC (future)
The NIST IR 8547 transition report establishes these key milestones:
- Now: Begin migrating to PQC standards immediately
- 2030: Quantum-vulnerable algorithms should be deprecated for new systems
- 2035: Quantum-vulnerable algorithms removed from NIST standards entirely
- High-risk systems: Must transition much earlier than the general timeline
Recommendation for AGENTS.md: Add explicit deprecation targets:
Deprecation Timeline (per NIST IR 8547):
- RSA, ECDSA, ECDH: Deprecate by 2030, Remove by 2035
- SHA-1: Already deprecated
- 3DES: Already deprecated
NIST SP 800-227 (KEM Guidance)
Published: September 2025 (Final)
Authors: Alagic, Barker, Chen, Moody, Robinson, Silberg, Waller
This is the authoritative guide for KEM deployment. It covers:
- KEM definitions and security properties
- Application guidance for ML-KEM
- Key establishment patterns
- Security parameter recommendations
Action: Reference SP 800-227 in AGENTS.md security section for KEM implementation guidance.
HQC Selection Report
Published: March 2025
Documents the selection of HQC and reasoning behind choosing it over BIKE and Classic McEliece. Important for understanding the algorithm diversity strategy.
NIST continues evaluating additional signature algorithms via the "onramp" process. These are being evaluated for specialized use cases and backup purposes. Monitor:
https://csrc.nist.gov/projects/pqc-dig-sig/round-2-additional-signatures
NIST SP 800-207 (August 2020) remains the foundational Zero Trust document. No revision has been published yet, but supplementary guidance includes:
- SP 800-207A: Zero Trust Architecture applied to specific deployment models
- CSWP 20: Planning for a Zero Trust Architecture (companion document)
The current AGENTS.md Zero Trust principles are solid. Recommended additions:
Zero Trust Enhancement:
- Continuous Authentication: Re-verify identity on every tool call, not just session start
- Risk-Based Access: Adjust permissions dynamically based on behavioral analysis
- Microsegmentation: Each agent capability runs in an isolated security domain
- Assume Breach: Design every component as if adjacent components are compromised
Reference Standards:
- NIST SP 800-207: Zero Trust Architecture
- NIST SP 800-207A: ZTA Model Deployments
- NIST CSWP 20: Planning for ZTA
The current AGENTS_LLM_SECURITY.md already covers the 2025 OWASP LLM Top 10. Verified accurate:
| # | Risk |
|---|---|
| LLM01 | Prompt Injection |
| LLM02 | Sensitive Information Disclosure |
| LLM03 | Supply Chain |
| LLM04 | Data and Model Poisoning |
| LLM05 | Improper Output Handling |
| LLM06 | Excessive Agency |
| LLM07 | System Prompt Leakage |
| LLM08 | Vector and Embedding Weaknesses |
| LLM09 | Misinformation |
| LLM10 | Unbounded Consumption |
Published: December 9, 2025
Critical Finding: This is directly relevant to the ainish-coder project.
The OWASP Top 10 for Agentic Applications 2026 is a peer-reviewed framework identifying the most critical security risks facing autonomous and agentic AI systems. Developed by 100+ experts, it provides actionable guidance for securing AI agents that plan, act, and make decisions across complex workflows.
Recommendation: This should be referenced in AGENTS.md and AGENTS_LLM_SECURITY.md. The full document should be downloaded and integrated:
https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
OWASP AIBOM Generator
Published: December 2025
AI Bill of Materials (AIBOM) tooling for generating comprehensive manifests of AI system components. Analogous to SBOM but for AI/ML components including:
- Model provenance
- Training data lineage
- Dependency mapping
- Configuration tracking
Recommendation: Add AIBOM generation requirement to supply chain security.
Published: February 4, 2026
Criteria for evaluating AI red teaming providers and tooling.
Recommendation: Reference for security testing requirements.
In Transit:
TLS 1.3+ with mTLS for inter-agent communication.
Hybrid PQC Key Exchange: X25519 + ML-KEM-768 (FIPS 203).
The current specification is aligned with best practices. Enhancements:
TLS 1.3+ Configuration:
- Key Exchange: X25519 + ML-KEM-768 (hybrid PQC per FIPS 203)
- Cipher Suites: TLS_AES_256_GCM_SHA384 (preferred), TLS_CHACHA20_POLY1305_SHA256
- Certificate Signatures: ML-DSA-65 (FIPS 204) for new certificates
- Certificate Management: Automated rotation via ACME protocol
- Certificate Pinning: Enforce for known inter-agent endpoints
- OCSP Stapling: Required for certificate revocation checking
PQC TLS Migration:
- Phase 1 (Current): Hybrid X25519+ML-KEM-768 key exchange
- Phase 2 (2027+): Hybrid X25519+ML-KEM-768+HQC once HQC is standardized
- Phase 3 (2030+): Pure PQC key exchange once ecosystem matures
- Certificate Migration: Begin issuing ML-DSA certificates alongside ECDSA
At Rest:
AES-256-GCM for databases and file storage.
Tenant-specific keys for Vector DB embeddings.
Encrypted logs with strict retention and PII redaction.
At Rest (Enhanced):
- Symmetric Encryption: AES-256-GCM (NIST approved, quantum-resistant at 256-bit)
- Key Derivation: HKDF-SHA384 for deriving per-purpose keys
- Key Wrapping: ML-KEM-768 for key encapsulation (replacing RSA key wrap)
- Tenant Isolation: Per-tenant keys with hardware-backed key storage (HSM/TPM)
- Vector DB: Tenant-specific encryption keys + access control per embedding namespace
- Log Encryption: AES-256-GCM with separate log encryption keys
- Retention Policy: 90-day hot, 365-day cold, crypto-shred on deletion
- PII Handling: Detect-redact-encrypt pipeline before any storage
- Backup Encryption: Independent key hierarchy from primary storage
Note: AES-256 is considered quantum-resistant (Grover's algorithm reduces effective security to 128-bit equivalent, still adequate). No immediate PQC migration needed for symmetric encryption.
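As an added example for this review (not code from AGENTS.md or the ainish-coder project), the following standard-library Python shows the two places HKDF-SHA384 appears in this section: combining the X25519 and ML-KEM-768 shared secrets of the hybrid key exchange into one session key, and deriving per-tenant, per-purpose data keys whose root key the crypto-shred step destroys. The HKDF labels, the in-memory root-key store and the 32-byte secret sizes are assumptions of the example; in a real deployment the root keys live in the HSM/TPM the section calls for, and the X25519 and FIPS 203 operations that produce the two shared secrets come from a cryptographic library and are not shown here.

```python
"""HKDF-SHA384 key derivation: hybrid KEM secret combination and per-tenant,
per-purpose keys at rest. Added illustration for this review, not code from
AGENTS.md or the ainish-coder project; standard library only."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha384
HASH_LEN = HASH().digest_size  # 48 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-SHA384(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hybrid_shared_secret(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Combine an X25519 shared secret and an ML-KEM-768 shared secret (both
    32 bytes) into one 32-byte session key. Both secrets are KDF inputs, so an
    attacker must recover both of them; the transcript (public keys and
    ciphertext, supplied by the caller) binds the key to this exchange.
    The labels are constructed for this example, not a TLS key-schedule encoding."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("X25519 and ML-KEM-768 shared secrets are 32 bytes each")
    return hkdf(salt=b"hybrid-x25519-mlkem768-v1", ikm=ss_pq + ss_classical,
                info=b"session-key" + HASH(transcript).digest(), length=32)


class TenantKeyHierarchy:
    """Per-tenant root keys (in production held in an HSM/TPM) from which every
    per-purpose data key is derived. Destroying a tenant's root key is the
    crypto-shred: all of that tenant's derived keys become unrecoverable."""

    def __init__(self):
        self._roots = {}  # constructed in-memory store; stands in for HSM/TPM

    def provision(self, tenant_id: str) -> None:
        self._roots[tenant_id] = secrets.token_bytes(HASH_LEN)

    def purpose_key(self, tenant_id: str, purpose: str) -> bytes:
        root = self._roots.get(tenant_id)
        if root is None:
            raise KeyError(f"no root key for tenant {tenant_id!r} (not provisioned or shredded)")
        # Tenant and purpose are both in 'info', so the "vector-db" keys of two
        # tenants differ and one tenant's "vector-db" and "logs" keys differ.
        info = tenant_id.encode() + b"\x00" + purpose.encode()
        return hkdf(salt=b"tenant-purpose-key-v1", ikm=root, info=info, length=32)

    def crypto_shred(self, tenant_id: str) -> None:
        self._roots.pop(tenant_id, None)

    def has_tenant(self, tenant_id: str) -> bool:
        return tenant_id in self._roots


if __name__ == "__main__":
    keys = TenantKeyHierarchy()
    keys.provision("tenant-a")
    print("vector-db key:", keys.purpose_key("tenant-a", "vector-db").hex())
    keys.crypto_shred("tenant-a")
    print("tenant-a recoverable after shred:", keys.has_tenant("tenant-a"))
```

The combiner feeds both shared secrets into the KDF rather than XORing them, so the output is unpredictable as long as either input is; that is the defense-in-depth property the hybrid section describes.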
The current AGENTS.md focuses on general security. Given this project's nature as an AI coding agent toolkit, add agent-specific security:
AI Agent Security (per OWASP Agentic Top 10 2026):
- Tool Call Validation: Schema-validate every tool invocation (Zod/Pydantic)
- Capability Boundaries: Agents cannot escalate their own permissions
- Action Audit Trail: Immutable log of every tool call with input/output hashes
- Human-in-the-Loop: Destructive operations require explicit approval
- Sandboxed Execution: Code execution via WASM/containers with resource limits
- Output Sanitization: Never execute or eval agent-generated code directly
- Multi-Agent Trust: mTLS + signed messages between cooperating agents
- Rate Limiting: Per-agent, per-tool, per-session rate limits
- Graceful Degradation: System remains safe if any agent component fails
- Context Isolation: Each agent session has isolated context; no cross-session bleed
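The list above reads as policy; the following added Python example (not code from AGENTS.md or the ainish-coder project) shows what several of those items look like as one enforcement point: a tool-call gate that re-checks the session token on every call (the Zero Trust "continuous authentication" point), rejects tools outside the agent's grant, schema-validates arguments, requires human approval for destructive tools and applies a per-tool rate limit, plus a hash-chained audit ledger recording input and output hashes for each call. The tool names, schemas, limit and session fields are constructed for the example; a real system would source schemas from the tool registry and verify tokens cryptographically rather than by an expiry timestamp alone.

```python
"""Tool-call gate and hash-chained audit ledger for an AI coding agent.
Added illustration for this review; not code from ainish-coder or AGENTS.md.
Tool names, schemas and limits below are constructed for the example."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Constructed tool schemas: required/optional argument types and whether the
# tool is destructive (destructive tools need human-in-the-loop approval).
TOOL_SCHEMAS = {
    "read_file": {"required": {"path": str}, "optional": {}, "destructive": False},
    "write_file": {"required": {"path": str, "content": str}, "optional": {}, "destructive": True},
    "run_tests": {"required": {}, "optional": {"pattern": str}, "destructive": False},
}
RATE_LIMIT_PER_TOOL = 5  # constructed limit: calls per tool per session window


class ToolCallRejected(Exception):
    """Raised when a tool invocation fails any gate check."""


@dataclass
class Session:
    agent_id: str
    granted_tools: frozenset        # capability boundary fixed at session start
    token_expires_at: float         # short-lived token; re-checked on every call
    call_counts: dict = field(default_factory=dict)


def validate_call(session, tool, args, approved_by_human=False, now=None):
    """Zero-trust gate: every call re-verifies identity, capability, schema,
    approval and rate limit. Returns True or raises ToolCallRejected."""
    now = time.time() if now is None else now
    if now >= session.token_expires_at:
        raise ToolCallRejected("session token expired; re-authenticate")
    if tool not in session.granted_tools:
        # A request for a tool outside the grant is treated as escalation.
        raise ToolCallRejected(f"tool {tool!r} not granted to {session.agent_id}")
    schema = TOOL_SCHEMAS.get(tool)
    if schema is None:
        raise ToolCallRejected(f"unknown tool {tool!r}")
    allowed = {**schema["required"], **schema["optional"]}
    unknown = set(args) - set(allowed)
    if unknown:
        raise ToolCallRejected(f"unexpected arguments: {sorted(unknown)}")
    missing = set(schema["required"]) - set(args)
    if missing:
        raise ToolCallRejected(f"missing arguments: {sorted(missing)}")
    for name, value in args.items():
        if not isinstance(value, allowed[name]):
            raise ToolCallRejected(f"argument {name!r} must be {allowed[name].__name__}")
    if schema["destructive"] and not approved_by_human:
        raise ToolCallRejected(f"{tool!r} is destructive; explicit human approval required")
    count = session.call_counts.get(tool, 0) + 1
    if count > RATE_LIMIT_PER_TOOL:
        raise ToolCallRejected(f"rate limit exceeded for {tool!r}")
    session.call_counts[tool] = count
    return True


def gate_outcome(session, tool, args, approved_by_human=False, now=None) -> str:
    """Convenience wrapper: 'allowed' or the rejection reason (for logging)."""
    try:
        validate_call(session, tool, args, approved_by_human, now)
        return "allowed"
    except ToolCallRejected as exc:
        return f"rejected: {exc}"


def _digest(obj) -> str:
    """Canonical JSON hash so equal inputs always produce the same hash."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLedger:
    """Append-only ledger: each entry carries the call's input and output
    hashes and chains to the previous entry, so edits or deletions show up."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, agent_id, tool, args, output) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "agent": agent_id, "tool": tool,
                 "input_hash": _digest(args), "output_hash": _digest(output),
                 "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    s = Session("agent-1", frozenset({"read_file", "run_tests"}), time.time() + 300)
    ledger = AuditLedger()
    print(gate_outcome(s, "read_file", {"path": "src/app.py"}))
    print(gate_outcome(s, "write_file", {"path": "src/app.py", "content": ""}))
    ledger.record(s.agent_id, "read_file", {"path": "src/app.py"}, "print('hi')")
    print("ledger intact:", ledger.verify())
```

The ledger only proves integrity of what was written; the "immutable" property in the list also needs the entries shipped to a remote store the agent cannot modify, which is the remote-logging requirement elsewhere in this document.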
AI Supply Chain:
- Generate AIBOM for all AI components (per OWASP AIBOM standard)
- Track model provenance: source, version, training data lineage
- SLSA Level 3+ for build pipeline integrity
- Sign model artifacts with ML-DSA-65 (FIPS 204)
- Verify model checksums before deployment
AGENTS.md mentions supply chain indirectly. Recommend explicit coverage:
Supply Chain Security:
- SBOM: Generate Software Bill of Materials for all dependencies
- AIBOM: Generate AI Bill of Materials for AI/ML components
- SLSA Level 3+: Build provenance and integrity verification
- Dependency Pinning: Lockfiles mandatory, hash verification on install
- Vulnerability Scanning: Automated CVE scanning in CI/CD pipeline
- Code Signing: All releases signed with ML-DSA-65 (PQC-ready)
- Provenance: Verifiable build provenance for all artifacts
- Vendor Assessment: Third-party model/tool risk assessment per OWASP criteria
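The "dependency pinning with hash verification on install" and "verify model checksums before deployment" items above are the same mechanism applied to two artifact types. The following added Python example (not tooling from AGENTS.md or the ainish-coder project) implements that check: lock lines in the pip-style `name==version --hash=sha256:<hex>` form are produced from trusted build output and later compared against whatever was fetched, failing closed on a hash mismatch, an unpinned entry or a missing artifact. The artifact names and bytes are constructed samples.

```python
"""Pinned-hash verification for dependencies and model artifacts before
install/deploy. Added illustration for this review, not tooling from
AGENTS.md or the ainish-coder project. The lock format mirrors pip's
'--hash=sha256:' lines; artifact bytes below are constructed samples."""
from __future__ import annotations

import hashlib
import re

# name==version followed by zero or more --hash=sha256:<64 hex> entries
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifacts(artifacts: dict[str, tuple[str, bytes]]) -> str:
    """Produce lock lines from trusted (build-time) artifact bytes."""
    lines = [f"{name}=={version} --hash=sha256:{sha256_hex(data)}"
             for name, (version, data) in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_lock(text: str) -> dict[str, tuple[str, set[str]]]:
    """Parse lock lines into name -> (version, set of allowed sha256 hex)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable lock line: {raw!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        entries[m.group("name")] = (m.group("version"), hashes)
    return entries


def verify_artifacts(lock_text: str, fetched: dict[str, bytes]) -> dict[str, str]:
    """Compare fetched bytes against the lock. Status per artifact:
    ok | MISMATCH (hash differs) | UNPINNED (no hash in lock) | MISSING (not fetched)."""
    results = {}
    for name, (_version, hashes) in parse_lock(lock_text).items():
        data = fetched.get(name)
        if data is None:
            results[name] = "MISSING"
        elif not hashes:
            results[name] = "UNPINNED"
        elif sha256_hex(data) in hashes:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def install_allowed(results: dict[str, str]) -> bool:
    """Fail closed: any non-ok artifact (or an empty report) blocks the step."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample: two "artifacts" as produced by a trusted build.
TRUSTED_BUILD = {
    "requests": ("2.32.3", b"constructed wheel bytes for the example"),
    "model-weights": ("1.0.0", b"constructed model checkpoint bytes"),
}
LOCKFILE = pin_artifacts(TRUSTED_BUILD)

if __name__ == "__main__":
    fetched = {name: data for name, (_v, data) in TRUSTED_BUILD.items()}
    fetched["model-weights"] = b"tampered checkpoint bytes"  # simulated substitution
    report = verify_artifacts(LOCKFILE, fetched)
    print(report, "install allowed:", install_allowed(report))
```

Treating an unpinned entry as a failure, not a warning, is the point of "lockfiles mandatory": a single unhashed line reopens the substitution path the rest of the lock closes.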
NIST CSF 2.0 is the current cybersecurity framework (published February 2024). Key additions relevant to AGENTS.md:
- New "Govern" function: Added to the existing Identify, Protect, Detect, Respond, Recover
- Supply chain risk management: Elevated prominence
- Cybersecurity AI Profile: In development (workshop held January 14, 2026)
- Enterprise Risk Management alignment: NIST IR 8286 series updated December 2025
CSF 2.0 Alignment:
- Map security controls to CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover)
- Implement supply chain risk management per CSF 2.0 GV.SC subcategory
- Prepare for Cyber AI Profile integration when finalized
- Reference: NIST CSWP 29 (CSF 2.0)
Replace the current PQC table with:
Post-Quantum Cryptography (NIST FIPS Standards)
| Purpose | Standard | Algorithm | Status (Feb 2026) |
|---------|----------|-----------|-------------------|
| Key Encapsulation (Primary) | FIPS 203 | ML-KEM-768/1024 | Finalized (Aug 2024) |
| Key Encapsulation (Backup) | TBD | HQC | Selected (Mar 2025) |
| Digital Signatures (Primary) | FIPS 204 | ML-DSA-65/87 | Finalized (Aug 2024) |
| Hash-Based Sig (Backup) | FIPS 205 | SLH-DSA | Finalized (Aug 2024) |
| Digital Signatures (Alt) | FIPS 206 | FN-DSA (FALCON) | Draft (In Dev) |
| KEM Guidance | SP 800-227 | — | Finalized (Sep 2025) |
| Migration Timeline | IR 8547 | — | Draft (Nov 2024) |

Updated <security> block:

<security>
Core Principles:
Zero Trust: Verify every tool call; sanitize all inputs. (NIST SP 800-207)
Least Privilege: Minimal permissions; scoped credentials per session.
No hardcoded secrets: Environment variables only, accessed via secure vault.
Sandboxing: Code execution via WASM/Firecracker only.
Tool Misuse: Strict schema validation (Zod/Pydantic) for all inputs.
Identity Abuse: Independent Permission Broker; short-lived tokens.
Information Disclosure: PII Redaction; Env var only secrets.
Repudiation: Structured immutable ledgers; remote logging.
Supply Chain: SBOM + AIBOM generation; SLSA Level 3+; dependency pinning.
Agent Safety: OWASP Agentic Top 10 2026 compliance.
Data Protection & Encryption:
In Transit:
TLS 1.3+ with mTLS for inter-agent communication.
Hybrid PQC Key Exchange: X25519 + ML-KEM-768 (FIPS 203).
Cipher Suites: TLS_AES_256_GCM_SHA384 (preferred).
Certificate Signatures: Transition to ML-DSA-65 (FIPS 204).
At Rest:
AES-256-GCM for databases and file storage.
Key Wrapping: ML-KEM-768 for key encapsulation.
Tenant-specific keys for Vector DB embeddings (HSM/TPM-backed).
Encrypted logs with strict retention (90d hot/365d cold) and PII redaction.
Crypto-shred on deletion.
Post-Quantum Cryptography (NIST FIPS Standards)
| Purpose | Standard | Algorithm | Status (Feb 2026) |
|---------|----------|-----------|-------------------|
| Key Encapsulation (Primary) | FIPS 203 | ML-KEM-768/1024 | Finalized |
| Key Encapsulation (Backup) | TBD | HQC | Selected (Mar 2025) |
| Digital Signatures (Primary) | FIPS 204 | ML-DSA-65/87 | Finalized |
| Hash-Based Sig (Backup) | FIPS 205 | SLH-DSA | Finalized |
| Digital Signatures (Alt) | FIPS 206 | FN-DSA (FALCON) | Draft |
| KEM Guidance | SP 800-227 | — | Finalized (Sep 2025) |
| Migration Timeline | IR 8547 | — | Draft (Nov 2024) |
Deprecation Timeline (per NIST IR 8547):
RSA, ECDSA, ECDH → Deprecate by 2030, Remove by 2035.
High-risk systems → Migrate to PQC immediately.
Reference Standards:
NIST SP 800-207 (Zero Trust), SP 800-227 (KEM Guidance),
IR 8547 (PQC Migration), CSF 2.0 (CSWP 29),
OWASP LLM Top 10 2025, OWASP Agentic Top 10 2026
</security>

Add after the existing <security> block:
<agent_security>
OWASP Compliance:
LLM Top 10 2025: Full mitigation coverage (see AGENTS_LLM_SECURITY.md)
Agentic Top 10 2026: Full mitigation coverage
AIBOM: Generated for all AI components
Tool Call Security:
- Schema-validate every tool invocation
- Immutable audit trail with input/output hashes
- Per-tool rate limiting and resource quotas
- Destructive operations require human approval
Inter-Agent Security:
- mTLS with PQC certificates between agents
- Signed messages using ML-DSA-65 (FIPS 204)
- Context isolation per session
- No cross-session state leakage
</agent_security>

| Item | Action | Effort |
|---|---|---|
| Update PQC table | Reflect finalized status + new standards | Low |
| Add SP 800-227 reference | Link KEM guidance | Low |
| Add IR 8547 reference | Link migration timeline | Low |
| Reference OWASP Agentic Top 10 2026 | New standard directly relevant | Low |
| Fix "Complicated" typo | Line in current AGENTS.md under encryption | Low |

| Item | Action | Effort |
|---|---|---|
| Add supply chain section | SBOM + AIBOM requirements | Medium |
| Add agent-specific security section | Tool call validation, audit trail | Medium |
| Add CSF 2.0 alignment notes | Governance function mapping | Medium |
| Add deprecation timeline | Per IR 8547 guidance | Low |
| Enhance TLS config | Cipher suite specificity, cert migration plan | Medium |

| Item | Action | Effort |
|---|---|---|
| Implement AIBOM generation | Tooling integration | High |
| ML-DSA certificate deployment | Begin issuing PQC certificates | High |
| Monitor FIPS 206 draft | Track FN-DSA standardization | Low |
| Monitor HQC standardization | Track backup KEM progress (~2027) | Low |
| Monitor NIST Cyber AI Profile | Expected to inform CSF + AI alignment | Low |

| Item | Action | Effort |
|---|---|---|
| HQC integration | Add backup KEM once standardized | High |
| FN-DSA integration | Add backup signature once FIPS 206 finalized | Medium |
| Pure PQC transition | Phase out classical-only key exchange | High |
| Full IR 8547 compliance | Complete migration from quantum-vulnerable algorithms | High |
- Typo: The word "Complicated" appears as a standalone line under "Data Protection & Encryption" → "At Rest" section. Should be removed.
- "Crytography" typo: In the PQC header — should be "Cryptography"
- Status column accuracy: The "Status (2026)" column says "Standard" which is correct but could be more precise: "Finalized (Aug 2024)" to show these are already active, not future.
- Missing reference standards: No NIST publication numbers cited for Zero Trust, CSF, or KEM guidance.
- No agent-specific security: Given this is an AI agent toolkit, the security section should address agentic-specific threats per OWASP Agentic Top 10 2026.
- No supply chain section: No SBOM/AIBOM requirements despite being critical for AI agent deployments.
- No deprecation timeline: Should reference IR 8547 for quantum-vulnerable algorithm phase-out dates.
This document was compiled from authoritative sources (NIST CSRC, OWASP GenAI Security Project) accessed on February 11, 2026. All recommendations should be validated against the latest publications before implementation.