Security Coverage
OWASP Top 10 for Agentic Applications
How hummbl-governance addresses every risk in the OWASP Top 10 for Agentic Applications (2026). Every claim below links to source code and tests.
Risk: Attackers manipulate an agent's planning or objective by injecting malicious instructions through prompts, documents, or tool outputs.
Mitigation: KillSwitch provides a 4-mode graduated shutdown (DISENGAGED → HALT_NONCRITICAL → HALT_ALL → EMERGENCY) that survives process restart via filesystem persistence, so a hijacked agent can be stopped mid-execution and stays stopped after a restart. It is a containment control: it acts once an operator or a detecting component trips it, and does not itself recognise the injected instruction.
Risk: Agents misuse legitimate tools when excessive permissions or unsafe interfaces enable unintended actions.
Mitigation: CapabilityFence enforces an allowlist/blocklist per tool. Agents cannot invoke tools outside their granted capabilities. Deny-by-default: a tool that is not explicitly allowed is refused, whether or not it also appears on the blocklist.
Risk: Agents improperly inherit, misuse, or retain privileges across sessions, users, or delegated workflows.
Mitigation: DelegationTokenManager issues HMAC-signed, scope-limited tokens with chain-depth limits, so a privilege cannot be re-delegated indefinitely. Because HMAC is a shared-key scheme, any holder of the key can mint valid tokens; the key belongs with the issuer and verifier, not with the agents that present tokens. AgentRegistry tracks canonical identities, trust tiers, and alias resolution, so a privilege resolves to one known agent regardless of the alias a message carries.
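The following is an added example of the two controls just described, capability fencing and HMAC-signed scoped delegation, written for this page and not taken from hummbl-governance. The class and function names (CapabilityFence, DelegationTokenManager, authorize_tool_call), the token format and the MAX_CHAIN_DEPTH policy are assumptions for illustration, not the library's API. It uses only the standard library. Delegation can only narrow scope, inherits the parent's expiry, and is refused once the chain reaches its depth limit; a tool call must pass both the token's scope and the calling agent's fence.

```python
import hashlib
import hmac
import json
import time

# Constructed example: CapabilityFence, DelegationTokenManager, MAX_CHAIN_DEPTH
# and authorize_tool_call are hypothetical stand-ins, not the hummbl-governance
# API. Stdlib only.

MAX_CHAIN_DEPTH = 3  # assumed policy: a token may pass through at most 3 agents


class CapabilityFence:
    """Deny-by-default tool gate: a tool is callable only if it is on the
    allowlist and not on the blocklist. Anything unlisted is refused."""

    def __init__(self, allow, block=()):
        self.allow = frozenset(allow)
        self.block = frozenset(block)

    def permits(self, tool):
        return tool in self.allow and tool not in self.block


class DelegationTokenManager:
    """Issues and verifies HMAC-SHA256 tokens carrying a scope (tool names),
    the chain of agents the token has passed through, and an expiry.
    Whoever holds `key` can mint tokens, so it stays with the issuer."""

    def __init__(self, key):
        self.key = key

    def _sign(self, payload):
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def issue(self, agent, scope, ttl=300, now=None):
        now = time.time() if now is None else now
        return self._sign({"chain": [agent], "scope": sorted(scope), "exp": now + ttl})

    def verify(self, token, now=None):
        """Return the payload, or None if the tag, expiry or chain depth is bad."""
        now = time.time() if now is None else now
        try:
            body_hex, tag = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None
        payload = json.loads(body)
        if payload["exp"] <= now or len(payload["chain"]) > MAX_CHAIN_DEPTH:
            return None
        return payload

    def delegate(self, token, to_agent, subscope, now=None):
        """Derive a token one hop deeper. Scope may only shrink, expiry is
        inherited, and the hop is refused once the chain is at its limit."""
        parent = self.verify(token, now)
        if parent is None or len(parent["chain"]) >= MAX_CHAIN_DEPTH:
            return None
        if not set(subscope) <= set(parent["scope"]):
            return None
        return self._sign({"chain": parent["chain"] + [to_agent],
                           "scope": sorted(subscope), "exp": parent["exp"]})


def authorize_tool_call(manager, fence, token, tool, now=None):
    """A call proceeds only if the token is valid, names the tool in its
    scope, and the calling agent's fence also permits it."""
    payload = manager.verify(token, now)
    return payload is not None and tool in payload["scope"] and fence.permits(tool)
```

The verifier checks the tag before it parses the body, so an attacker who edits the JSON to widen the scope or extend the chain only produces a token that fails the constant-time comparison; the `now` parameter exists so expiry can be exercised deterministically.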
Risk: Agents dynamically load prompts, plugins, tools, and models at runtime, introducing risk from compromised third-party components.
Mitigation: hummbl-governance has zero third-party runtime dependencies: Python stdlib only. pip install hummbl-governance pulls in no dependency packages, so there is no transitive dependency tree to audit (pip-audit has nothing to report beyond the package itself) or to compromise. This keeps the governance layer out of the supply-chain attack surface; the prompts, plugins, tools and models the governed agent loads at runtime remain the operator's to vet.
Risk: Agents that generate or execute code can be manipulated into running malicious instructions via prompt injection.
Mitigation: OutputValidator with InjectionDetector scans agent outputs for prompt-injection patterns, blocked terms, PII leakage, and missing provenance before downstream consumption, so a manipulated output is caught before it reaches a code-executing step. Pattern matching catches known injection phrasings; treat it as one layer rather than proof that an output is safe to execute.
Risk: Attackers inject malicious data into memory systems that influence future agent reasoning.
Mitigation: BusWriter enforces append-only semantics with content hashing; AuditLog provides tamper-evident logging. Any after-the-fact modification of a recorded entry is cryptographically detectable, so a poisoned memory can be traced back to the write that introduced it rather than being rewritten silently.
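Added example, not the hummbl-governance BusWriter or AuditLog code: an append-only log in which every entry hashes both its content and the hash of the entry before it. The names (AppendOnlyLog, entry_hash, rewrite_entry, GENESIS) and the entry layout are assumptions for illustration. With the chain, rewriting an entry is caught at the next link even when the attacker recomputes the rewritten entry's own hash, deleting from the middle breaks the sequence, and truncating the tail is caught as soon as the log is checked against a head hash that was published out of band.

```python
import hashlib
import json

# Constructed example; AppendOnlyLog, entry_hash and rewrite_entry are
# hypothetical names, not the hummbl-governance BusWriter/AuditLog API.
# Each entry commits to its content AND to the hash of its predecessor,
# so edits, deletions and reorderings of earlier entries break the chain.

GENESIS = "0" * 64


def entry_hash(prev_hash, seq, content):
    material = json.dumps({"prev": prev_hash, "seq": seq, "content": content},
                          sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


class AppendOnlyLog:
    def __init__(self):
        self.entries = []

    def append(self, content):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "prev": prev, "content": content,
                             "hash": entry_hash(prev, seq, content)})
        return self.entries[-1]["hash"]

    def head(self):
        """The latest hash; publish it out of band to pin the whole history."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Walk the chain from genesis. Returns (True, None) if intact, else
        (False, seq) for the first entry whose hash or back-link is wrong.
        Passing a previously published head also catches truncation."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            if entry_hash(prev, i, e["content"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def rewrite_entry(log, seq, content):
    """Simulated attacker: alter an entry and recompute its own hash so the
    entry looks self-consistent. The following entry's back-link exposes it."""
    e = log.entries[seq]
    e["content"] = content
    e["hash"] = entry_hash(e["prev"], seq, content)
```

Hashing alone does not tell you whether the content of a valid append was truthful; what it guarantees is that the record of what was written cannot be altered afterwards without detection, which is what makes the poisoned write attributable.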
Risk: Multi-agent systems communicating without authentication or message integrity are vulnerable to spoofing and replay attacks.
Mitigation: LamportClock provides causal ordering for distributed agent messages, giving each receiver an ordering against which stale or replayed messages can be rejected. ContractNetManager implements structured multi-agent task allocation with bid verification. Causal ordering does not by itself authenticate the sender; sender authentication and message integrity need a key-based check alongside it.
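Added example, not the hummbl-governance LamportClock or ContractNetManager code: two agents exchanging bid messages over a Lamport clock, with per-sender replay rejection. The Agent and message format, the pre-provisioned shared keys, and the HMAC layer are assumptions for illustration; the page describes the clock, and the MAC is added here because a clock cannot tell a forged message from a real one. Checks run in the order that matters: authenticate first, so an attacker cannot advance a receiver's replay window with junk, then reject anything not strictly newer than the last accepted timestamp from that sender.

```python
import hashlib
import hmac
import json

# Constructed example; LamportClock, Agent, message_mac and the message
# layout are hypothetical, not the hummbl-governance API. The Lamport clock
# gives causal ordering; the shared-key MAC (an assumption of this example,
# not a claim about the library) gives sender authentication and integrity.


class LamportClock:
    def __init__(self):
        self.time = 0

    def tick(self):
        self.time += 1
        return self.time

    def receive(self, remote_time):
        self.time = max(self.time, remote_time) + 1
        return self.time


def message_mac(key, sender, to, ts, payload):
    body = json.dumps([sender, to, ts, payload], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Agent:
    def __init__(self, name, keys):
        """keys: mapping of peer name -> shared key (assumed pre-provisioned)."""
        self.name = name
        self.keys = keys
        self.clock = LamportClock()
        self.last_seen = {}  # sender -> highest timestamp accepted
        self.inbox = []

    def send(self, to, payload):
        ts = self.clock.tick()
        return {"from": self.name, "to": to, "ts": ts, "payload": payload,
                "mac": message_mac(self.keys[to], self.name, to, ts, payload)}

    def deliver(self, msg):
        """Returns 'accepted' or a rejection reason. Authenticate before
        touching last_seen so unauthenticated traffic cannot move the window."""
        sender = msg.get("from")
        key = self.keys.get(sender)
        if key is None or msg.get("to") != self.name:
            return "rejected: unknown sender or wrong recipient"
        expected = message_mac(key, sender, msg["to"], msg["ts"], msg["payload"])
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected: bad mac"
        if msg["ts"] <= self.last_seen.get(sender, 0):
            return "rejected: replay or stale"
        self.last_seen[sender] = msg["ts"]
        self.clock.receive(msg["ts"])
        self.inbox.append(msg)
        return "accepted"
```

The trade-off is visible in the test: a legitimate message that arrives after a later one from the same sender is dropped as stale, which is the correct call for bids and commands but means the transport must not reorder messages it wants delivered.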
Risk: A single failure propagates across agents or tenants, causing automation storms and systemic impact.
Mitigation: CircuitBreaker isolates failing components with a CLOSED / OPEN / HALF_OPEN state machine: after a threshold of failures the circuit opens and calls are rejected without touching the failing component, and after a cooldown a single probe call decides whether it closes again. HealthProbe detects degradation before cascade. CostGovernor enforces budget ceilings to prevent runaway spend.
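Added example, not the hummbl-governance CircuitBreaker or CostGovernor code: a breaker with the CLOSED / OPEN / HALF_OPEN state machine and a hard spend ceiling, composed into one guarded call. The names (CircuitBreaker, CircuitOpen, CostGovernor, BudgetExceeded, governed_call), the thresholds and the injectable clock are assumptions for illustration. The breaker re-opens on a failed half-open probe, and the budget is charged only after the breaker has agreed to make the call, so an isolated dependency does not drain the budget while it is down.

```python
import time

# Constructed example; CircuitBreaker, CircuitOpen, CostGovernor,
# BudgetExceeded and governed_call are hypothetical names, not the
# hummbl-governance API.

CLOSED, OPEN, HALF_OPEN = "CLOSED", "OPEN", "HALF_OPEN"


class CircuitOpen(Exception):
    pass


class BudgetExceeded(Exception):
    pass


class CircuitBreaker:
    """CLOSED: calls flow and failures are counted. OPEN: calls are rejected
    without touching the dependency. HALF_OPEN: after recovery_timeout one
    probe call is allowed; success closes the circuit, failure re-opens it."""

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock  # injectable so the cooldown can be tested deterministically
        self.state = CLOSED
        self.failures = 0
        self.opened_at = None

    def current_state(self):
        if self.state == OPEN and self.clock() - self.opened_at >= self.recovery_timeout:
            self.state = HALF_OPEN
        return self.state

    def call(self, fn, *args):
        if self.current_state() == OPEN:
            raise CircuitOpen("dependency isolated; not calling")
        try:
            result = fn(*args)
        except Exception:
            self._record_failure()
            raise
        self.failures = 0
        self.state = CLOSED
        return result

    def _record_failure(self):
        self.failures += 1
        if self.state == HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = OPEN
            self.opened_at = self.clock()


class CostGovernor:
    """Hard ceiling on cumulative spend (tokens, dollars, calls). The charge
    is checked before the work runs, so a loop cannot overshoot by one step."""

    def __init__(self, ceiling):
        self.ceiling = ceiling
        self.spent = 0

    def charge(self, cost):
        if self.spent + cost > self.ceiling:
            raise BudgetExceeded(f"would spend {self.spent + cost} of {self.ceiling}")
        self.spent += cost


def governed_call(breaker, governor, cost, fn, *args):
    """Breaker state first (an open circuit costs nothing), then the budget,
    then the call itself."""
    if breaker.current_state() == OPEN:
        raise CircuitOpen("dependency isolated; not calling")
    governor.charge(cost)
    return breaker.call(fn, *args)
```
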
Risk: Humans over-trust confident agent outputs and approve dangerous actions without adequate review.
Mitigation: ReasoningEngine generates structured decision traces that explain why a governance decision was made. ComplianceMapper maps decisions to external frameworks (NIST, ISO) for independent validation.
Risk: Agents drift from intended behavior due to model updates, memory mutation, or emergent multi-step behavior not anticipated at design time.
Mitigation: BehaviorMonitor detects behavioral drift via Jensen-Shannon divergence from a baseline and entropy collapse (the agent's action distribution narrowing to a few repeated actions, the signature of a loop). GovernanceLifecycle enforces state machine transitions (PROVISIONED → ACTIVE → SUSPENDED → DECOMMISSIONED).
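Added example, not the hummbl-governance BehaviorMonitor code: drift detection over the distribution of tool names an agent emits, using Jensen-Shannon divergence against a known-good baseline plus an entropy-collapse check. The BehaviorMonitor name, the thresholds, the event representation and the "novel tool" finding are assumptions for illustration. Support is the union of baseline and window tools, so a tool the baseline never used shows up as divergence instead of being dropped.

```python
import math
from collections import Counter

# Constructed example; BehaviorMonitor and its thresholds are hypothetical,
# not the hummbl-governance API. Behaviour is modelled as the distribution
# of tool/action names an agent emits in a window, compared with a baseline
# captured while the agent was known-good.


def distribution(events, support):
    if not events:
        raise ValueError("empty window")
    counts = Counter(events)
    n = len(events)
    return [counts[s] / n for s in support]


def entropy(p):
    """Shannon entropy in bits; 0 means the agent does exactly one thing."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence, base 2, so the result lies in [0, 1].
    Symmetric and finite even where one side assigns zero probability."""
    m = [(a + b) / 2 for a, b in zip(p, q)]

    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


class BehaviorMonitor:
    def __init__(self, baseline_events, drift_threshold=0.1, entropy_floor=0.5):
        self.baseline_events = list(baseline_events)
        self.drift_threshold = drift_threshold  # JSD above this counts as drift
        self.entropy_floor = entropy_floor      # fraction of baseline entropy

    def assess(self, window_events):
        # Union support: a tool absent from the baseline becomes probability
        # mass the baseline lacks, rather than being silently dropped.
        support = sorted(set(self.baseline_events) | set(window_events))
        p = distribution(self.baseline_events, support)
        q = distribution(window_events, support)
        jsd = js_divergence(p, q)
        h_base, h_win = entropy(p), entropy(q)
        findings = []
        if jsd > self.drift_threshold:
            findings.append("drift")
        if h_base > 0 and h_win < self.entropy_floor * h_base:
            findings.append("entropy_collapse")
        novel = sorted(set(window_events) - set(self.baseline_events))
        if novel:
            findings.append("novel_tools")
        return {"jsd": round(jsd, 4), "entropy": round(h_win, 4),
                "novel": novel, "findings": findings}
```

A window of 100 consecutive `search` calls against a baseline of 40% search, 40% read, 20% summarize gives a divergence of about 0.396 bits and zero entropy, which trips both checks; a window with the same mix as the baseline gives exactly zero.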
Start in 30 seconds
Every primitive above ships in one package. No frameworks. No lock-in. No dependencies.
For the formal governance primitive underlying all 10 mitigations, see The Governance Tuple (Bowlby, 2026).
