AgentSec Ecosystem Map
Back to Blogs & Insights
blog

AgentSec Ecosystem Map: Understand the AI Agent Security Landscape with A2S

·AgentSec Team

Note: This article is still being updated and refined.

TL;DR

The core of AgentSec is not just model safety, but building a verifiable, governable system for AI agents' identity, delegation, actions, and evidence.
A2S (AgentSec Stack) breaks agent security into 6 layers: Identity / Cognition / Orchestration / Action / Enforcement / Evidence.

Why Now: A Control-Plane Shift Creates a Security Vacuum

  • The control plane is shifting again: from App -> Cloud -> Data -> now to Agents (they can read, write, and act).
  • Delegation becomes the default: users stop clicking buttons and instead hand goals and permissions to agents (delegation).
  • The unit of risk changes: from simple chatbots (answer only) to continuous, cross-system action chains (tool calls + side effects).
  • Existing security doesn't compose: IAM/Observability/AppSec are strong on their own, but they do not close the loop of intent binding -> tool execution -> enforcement -> audit-grade evidence.

What is AgentSec

AgentSec is security and trust engineering for AI agents: ensuring every agent action is attributable, constrained, and auditable, with the ability to deny or hold accountable when needed.

It focuses on systems that call tools and cause real-world side effects, including browsing, email, ticketing, payments, CRM updates, code/DevOps, and multi-agent collaboration.

What is A2S (AgentSec Stack)

A2S is a layered coordinate system: it splits the end-to-end chain from goal intake to action to evidence into 6 layers, so you can:

  • Design architecture (which layer are you missing?)
  • Evaluate vendors (which layer does a product actually address?)
  • Define governance boundaries (what belongs to the platform vs runtime/tooling?)

A note on classification: Many projects in this map naturally span multiple layers - a cloud agent runtime might touch Identity (L1), Orchestration (L3), and Evidence (L6) simultaneously. We classify each project by its primary capability or most distinctive contribution to the stack. This map is a coordinate system for reasoning about agent security, not a strict taxonomy.

The Six Layers of A2S

L1 - Identity Layer: Agent IDs, Delegation and Registry

The Identity Layer solves the most basic and most easily mismanaged problem in the agent world: agent sprawl. In enterprise settings, it brings agents under governance: giving each agent a verifiable identity (Agent ID), defining owner and accountability chains, enabling revocable delegation (who they act for), and tracking lifecycle and permissions in a registry. In open agent economies or cross-org collaboration, it must make unfamiliar agents discoverable and create a minimal trust anchor: portable, verifiable identity handles and registries (with reputation/validation layered on later).

  • Microsoft Entra Agent ID: Treats agents as first-class identities in Entra, with identity governance and Conditional Access.
  • Descope Agentic Identity Hub: Identity and authorization layer for AI agents and MCP servers, based on OAuth 2.1 (with OIDC/SSO), supporting fine-grained scopes for tools/actions. Hub 2.0 (Jan 2026) added agentic identity management, comprehensive MCP Auth, a credential vault, and enterprise-grade policy controls; now used by 1,000+ organizations.
  • ERC-8004 "Trustless Agents" (EIP/Draft): Uses ERC-721 + registration files as on-chain identity handles, supports MCP/A2A/ENS/DID discovery, and connects reputation/validation registries for open agent economies.
  • Fetch.ai uAgents + Almanac: Agents register on-chain in Almanac for discovery/endpoint registry; addresses/signatures act as identity anchors for open agent networks.
  • Oasis Agentic Access Management (AAM): Purpose-built identity solution for AI agents (launched Nov 2025, backed by Sequoia). Goes beyond policy-driven JIT/ephemeral access with intent inference (LLM-driven understanding of what the agent is trying to do), deterministic policy enforcement, and just-in-time session identities with automatic teardown.

L2 - Cognition Layer: Model Robustness and Prompt Injection Defense

The Cognition Layer protects an agent's cognitive integrity: when it ingests external content (web pages, email, PDFs, tickets), can it separate data vs instructions and resist prompt injection/jailbreak/social engineering that hijacks goals, leaks system prompts, or triggers dangerous tool calls? It also reduces model failure modes: hallucination, overconfidence, misunderstood tool semantics, and errors in long-horizon planning. In practice, this layer is built from two capability types: evaluation (eval/red-team) to turn failure modes into measurable tests, and guardrails/monitors that detect and mitigate at input/output/reasoning/tool-call boundaries (block, rewrite, down-rank, or require review).

In A2S, L2 is a probabilistic risk reduction layer: it can significantly reduce manipulation and bad decisions, but it cannot deterministically guarantee safety for real-world side effects (write, pay, delete, deploy). It must be paired with L5 (Enforcement) to create a fail-closed loop.

  • UK AI Safety Institute (AISI) Inspect: Open-source evaluation framework for reproducible safety/capability testing of LLM/agentic systems.
  • Promptfoo (red-team / eval toolchain): Turns risks like OWASP LLM Top 10 into executable tests and red-team workflows for CI/regression.
  • METR / Apollo Research: Evaluation orgs focused on long-horizon autonomy and adversarial risk (capability, deception, scheming).
  • NVIDIA NeMo Guardrails: Programmable guardrails toolkit to insert input/output/dialogue rails between LLMs and tools, with ecosystem integrations.
  • Lakera Guard: Commercial prompt injection/jailbreak detection, often used as a pre-context risk signal.

L3 - Orchestration Layer: Frameworks, Runtime and Interop

The Orchestration Layer turns LLMs into a controllable runtime: how planning loops run, tasks map into workflows, state/memory is read and written, tools are selected and routed, and how multi-agent delegation/collaboration works (MCP and other protocols make interop more than glue code). This layer is the agent's "runtime kernel" - with the same model, different orchestration semantics change reliability, cost, and risk surface.

In A2S, L3 is a common source of confused deputy risk: context pollution can spread through state -> memory -> tool routing. Typical failures include memory poisoning, wrong tool selection, cross-session state leakage, and runaway loops/cost blowups. Orchestration security is not just "does it run"; it is about making the decision chain a controllable state machine: checkpoints/rollback, quotas/circuit breakers, human handoff (graceful degrade), and clear interception points for L5 enforcement (L3 provides capability, L5 provides constraint, L6 preserves evidence).

  • LangGraph: Graph/state-machine orchestration for debuggable, rollbackable workflows.
  • CrewAI: Multi-agent collaboration framework with role/task delegation.
  • MCP (Model Context Protocol): Standardized tool interop for agents; introduces new supply-chain and trust boundaries.
  • Cloud Agent Runtimes (Vertex AI Agent Builder / Agent Engine, Bedrock Agents, Azure AI Agent Service): Managed runtimes with enterprise IAM/audit/compliance.
  • Letta: Runtime centered on governable long-term memory.

L4 - Action Layer: Tools, Execution and Side Effects

The Action Layer determines how an agent turns plans/tool calls into real execution and external state writes: browser actions, email/ticketing, CRM updates, code pushes, payments. As agents connect to more systems, this layer approaches real-world write privileges. The ecosystem focus is not only more connectors, but also tool schema/contracts (validation, idempotency, rollback), execution environments (browser sessions, sandboxes, code runners), and permission/credential mapping (least privilege, short-lived creds).

In A2S, L4 is the pivot where risk becomes real-world side effects. Prompt injection that is "misdirection" in L2 becomes "transfer/send/delete" at L4. So Action Layer security centers on: classifying side effects (read-only / reversible write / irreversible write) and default isolation + kill switches (session isolation, sandboxing, circuit breakers), giving L5 clear intercept points and enabling L6 to capture audit-grade execution evidence.

  • Browserbase + Stagehand: Managed browser infrastructure + automation SDKs.
  • Composio: Tool connectors (including MCP form) that make app capabilities reusable actions.
  • E2B: Isolated sandboxes/micro-VMs for code execution in controlled environments.
  • browser-use: Open-source LLM -> web actions library with production deployment paths.
  • Steel: Browser execution infrastructure focused on long sessions and production execution.
  • Skyvern: Open-source AI web automation platform for parallel browser workflows.

L5 - Enforcement Layer: Policy Gates, Approvals and Runtime Constraints

The Enforcement Layer answers "can it do this?" by making policy non-bypassable gates before tool execution (allow / block / modify / require review), and insisting on fail-closed defaults. If L2 is about risk detection, L5 is about forcing the constraint - turning ability boundaries from "model judgment" into "system enforcement."

In A2S, L5 is the deterministic last line of defense: even if L2 misses, L3 is polluted, and L4 is about to write, L5 still decides allow/deny/review for every tool call and cannot be socially engineered. This layer must sit at the real execution interception point (gateway/proxy or MCP boundary), or policies are easy to bypass.

  • Invariant (now Snyk Labs; Gateway + Guardrails): Transparent proxy in the LLM-MCP path that enforces guardrailing rules. Acquired by Snyk in June 2025; open-source tools (mcp-scan, Guardrails, Gateway) remain on GitHub.
  • Snyk AI Trust Platform: Post-Invariant acquisition, Snyk offers integrated scanning + runtime enforcement for agentic AI. Includes Snyk Guard (adaptive policy enforcement) and Evo (agentic security orchestration, Oct 2025).
  • BlueRock MCP Server Protection: Pre-execution enforcement at tool/data/execution boundaries.
  • Zenity (Agentic AI Security): Full-lifecycle security and governance for AI agents spanning discovery, posture management, and runtime detection/response. Gartner Cool Vendor in Agentic AI TRiSM (2025); raised $55M+ total with Microsoft M12 as strategic investor.
  • Straiker Defend AI: Runtime guardrails across prompts, reasoning steps, and tool calls with real-time blocking. Emerged from stealth (March 2025, $21M from Lightspeed + Bain); also offers Ascend AI for adversarial red-teaming and MCP security research (MCP rebinding attacks).
  • Meta LlamaFirewall: Open-source guardrail framework with layered scanners for agentic operations (released April 2025 at LlamaCon). Includes PromptGuard 2, Agent Alignment Checks, and CodeShield — spans detection (L2) through enforcement (L5).
  • Akto (AgentGuard / MCP Proxy): Inline MCP proxy for real-time request/response enforcement.

L6 - Evidence Layer: Tracing, Audit and Replay

The Evidence Layer answers "can you prove it?" by turning every agent run's intent, inputs, decisions, actions, and outcomes into an auditable evidence chain (prompts, tool calls, inputs/outputs, critical context, policy/approval decisions). It serves engineering debug/replay and security/compliance forensics. Without this layer, organizations often only know "something happened" but cannot prove who authorized it, what the agent saw, or which external writes occurred.

In A2S, L6 is the line between "observability" and "audit." Logs only say something happened; audit-grade evidence must support reconciliation and accountability. That requires binding identity/delegation with decisions and tool calls in a unified schema, with tamper resistance (append-only + signing/hashing + timestamps), controlled replay (necessary context, redaction/permission/retention), and capture at execution interception points to avoid evidence gaps.

  • Langfuse: Open-source tracing + prompt versioning/metrics.
  • Helicone: Gateway/proxy collecting model calls as a full-traffic evidence entry point.
  • Traceloop OpenLLMetry: OpenTelemetry-based instrumentation for standardized evidence capture.
  • PromptLayer: Prompt versioning and call records to prevent prompt audit gaps.

Cross-cut: Agent Economy

AgentSec is the engineering discipline that makes agents trustworthy and controllable. Agent Economy is the application domain where agents participate in value flow. They are interdependent: Agent Economy needs AgentSec as trust infrastructure, and high-risk economic scenarios accelerate the maturity and standardization of AgentSec.

So Agent Economy is not a "seventh layer"; it is the stress test that maxes out L1-L6. When agents represent you with budgets and create priced, settleable side effects (payments, purchasing, subscriptions, high-cost tool use), security is no longer just "avoid bad prompts" - it is "control economic exposure + reconcile responsibility chains."

Minimal mapping (economic delegation forces each layer to answer one more question):

LayerIn an economic context, what must it answer?
L1 IdentityWho delegated the budget? Can authorization be tiered and revoked anytime?
L2 CognitionCan it detect social engineering, invoice swaps, and refund scams?
L3 OrchestrationHow are budgets allocated across subtasks? How is cost attributed per run/tool/vendor?
L4 ActionHow are payment/procurement actions wrapped as auditable tools?
L5 EnforcementHow are limits, approvals, vendor allowlists, and throttles enforced?
L6 EvidenceCan transactions, receipts, and approvals be reconciled? Can disputes be replayed and non-repudiated?

Call for Action: Help Improve This Map

This ecosystem map is open and living - we will track changes continuously and update on a regular cadence.

If you find:

  • A relevant player/project is missing

  • A description is inaccurate or outdated

  • A project belongs in a different layer

  • You have real-world case studies to share

  • Submit a project / feedback ->

Update cadence:

  • We review submissions monthly
  • Accepted contributions will be credited in the Contributors section (unless you choose to stay anonymous)
  • Major updates will be announced by email to subscribers

Contributors

Thanks to the following contributors for improving this map (sorted by time):

None yet - looking forward to your first submission! -> Submit here

agentseca2secosystemsecurity