Security Coverage
OWASP Top 10 for
Agentic Applications
How hummbl-governance addresses every risk in the OWASP Top 10 for Agentic Applications (2026). Every claim below links to source code and tests.
Attackers manipulate an agent's planning or objective by injecting malicious instructions through prompts, documents, or tool outputs.
KillSwitch
provides 4-mode graduated shutdown (DISENGAGED →
HALT_NONCRITICAL → HALT_ALL → EMERGENCY). Survives
process restart via filesystem persistence. Stops hijacked
agents mid-execution.
Agents misuse legitimate tools when excessive permissions or unsafe interfaces enable unintended actions.
CapabilityFence
enforces allowlist/blocklist per tool. Agents cannot invoke
tools outside their granted capabilities. Deny-by-default.
Agents improperly inherit, misuse, or retain privileges across sessions, users, or delegated workflows.
DelegationTokenManager
issues HMAC-signed scoped tokens with chain-depth limits.
AgentRegistry
tracks canonical identities, trust tiers, and alias resolution.
Agents dynamically load prompts, plugins, tools, and models at runtime — introducing risk from compromised third-party components.
Zero third-party runtime dependencies. Python stdlib only.
pip audit finds nothing because there is nothing to
audit. No transitive dependency tree to compromise.
pip install hummbl-governance pulls 0
packages
Agents that generate or execute code can be manipulated into running malicious instructions via prompt injection.
OutputValidator
with InjectionDetector scans agent outputs for
prompt injection patterns, blocked terms, PII leakage, and
missing provenance before downstream consumption.
Attackers inject malicious data into memory systems that influence future agent reasoning.
BusWriter
enforces append-only semantics with content hashing.
AuditLog
provides tamper-evident logging. Poisoned entries are
cryptographically detectable.
Agentic systems communicating without authentication or message integrity are vulnerable to spoofing and replay attacks.
LamportClock
provides causal ordering for distributed agent messages.
ContractNetManager
implements structured agent task allocation with bid
verification.
A single failure propagates across agents or tenants, causing automation storms and systemic impact.
CircuitBreaker
isolates failing components with CLOSED/HALF_OPEN/OPEN state
machine.
HealthProbe
detects degradation before cascade.
CostGovernor
enforces budget ceilings to prevent runaway spend.
Humans over-trust confident agent outputs and approve dangerous actions without adequate review.
ReasoningEngine
generates structured decision traces that explain why a
governance decision was made.
ComplianceMapper
maps decisions to external frameworks (NIST, ISO) for
independent validation.
Agents drift from intended behavior due to model updates, memory mutation, or emergent multi-step behavior not anticipated at design time.
BehaviorMonitor
detects behavioral drift via Jensen-Shannon divergence and
entropy collapse.
GovernanceLifecycle
enforces state machine transitions (PROVISIONED → ACTIVE
→ SUSPENDED → DECOMMISSIONED).
Start in 30 seconds
Every primitive above ships in one package. No frameworks. No lock-in. No dependencies.
For the formal governance primitive underlying all 10 mitigations, see The Governance Tuple (Bowlby, 2026).