AI Agent Security Glossary

This glossary defines essential terms for understanding AI agent security, execution authority governance, and cryptographic control systems. Each term includes a definition, explanation of significance, and how ExecLayer implements the concept. This glossary serves as an internal linking hub connecting terminology to detailed documentation and blog posts.

Core Concepts

Deterministic Execution
An AI agent's behavior is fully determined by its inputs, internal rules, and decision logic. The same inputs always produce the same outputs. No randomness, no learning during execution, and no environment-dependent variation.
Critical for safety and accountability. If an agent's behavior is deterministic, it can be tested, verified, and predicted. Non-deterministic systems cannot be certified safe and cannot generate cryptographically binding authority for decisions.
ExecLayer enforces deterministic execution by freezing agent parameters at deploy time, preventing in-flight learning, and executing agents in isolated runtimes without environmental side effects. See Healthcare AI Governance.
Execution Authority
The specific permissions granted to an AI agent to perform actions on real systems. Authority is scoped by business function, data access, resource constraints, and user oversight requirements.
Prevents agents from exceeding their intended scope. Unauthorized execution is the primary failure mode for AI agent systems. Clear authority boundaries are foundational to safety.
ExecLayer implements tier classification (T0-T3), where each tier carries specific authorization requirements: T0 agents are read-only; T1 actions require a single human approval; T2 actions require portfolio manager signatures; T3 actions require multi-signature governance. See Financial AI Governance.
Authority Receipt
A cryptographically signed document proving that a specific agent took a specific action and that a specific human authorized it. The receipt contains the agent's action, the authorization basis, timestamps, and both parties' signatures.
Creates irrefutable evidence for regulatory review, litigation, and audit. Authority receipts survive network isolation, are tamper-proof, and can be independently verified by third parties.
ExecLayer generates authority receipts automatically for all T1+ actions. Receipts are stored in an immutable Merkle audit ledger and signed with FIPS-approved cryptography. See AB 489 Compliance Guide.
Runtime Policy Gating
The execution kernel checks all actions against a policy bundle before allowing execution. If an action violates policy, execution is denied. This happens at runtime, immediately before the action would take effect.
Prevents violations before they occur. Prospective control is far more effective than retrospective auditing. Policy gating eliminates the risk window where unauthorized actions could execute.
ExecLayer's execution kernel evaluates policy bundles at runtime. Actions that violate policy trigger mechanical refusal. Policies are cryptographically signed and immutable. See Government AI Governance.
Intent Canonicalization
Converting natural language or high-level direction into a canonical form that the execution kernel can evaluate. This eliminates ambiguity and ensures that all parties interpret the directive identically.
Prevents misinterpretation of instructions. If a human tells an agent to "be conservative," this is ambiguous. Canonicalized intent translates this to specific rules (e.g., "require three approval signatures for orders over 1M").
ExecLayer uses SovereignIR (Intermediate Representation) to canonicalize intent. Human-readable policies are compiled to SovereignIR form, which the execution kernel evaluates deterministically.

Governance Architecture

SovereignIR
ExecLayer's intermediate representation language for expressing policies and authorization rules. SovereignIR is compiled to a form the execution kernel can evaluate deterministically.
Allows human-readable policy expression while enabling cryptographic enforcement. Policies written in SovereignIR cannot be bypassed through configuration changes or prompt injection.
Policies are written in SovereignIR and cryptographically signed by authorized parties. The execution kernel validates signatures and evaluates policies using a deterministic interpreter.
Tier Classification
A hierarchical authorization framework (T0-T3) where each tier represents increasing levels of business impact and requires proportionate human oversight. T0 = read-only, no authority. T3 = strategic decisions requiring multi-signature approval.
Allows risk-proportionate governance. Routine actions (T0) don't need approval. Strategic actions (T3) require multiple approvals. This is operationally efficient and regulatory-aligned.
ExecLayer classifies all agent actions into tiers during policy definition. The execution kernel enforces tier requirements through mechanical refusal. See Healthcare, Finance, and Government pages for tier definitions by industry.
Threshold Signatures
Cryptographic signatures that require multiple parties to sign before a transaction is valid. For example, a 2-of-3 threshold requires any two of three designated signatories to approve. The system cannot execute without the threshold being met.
Prevents any single person from making very-high-risk decisions unilaterally and ensures consensus for material actions. The requirement is cryptographically enforced, not procedurally enforced.
ExecLayer uses threshold signatures for T2 and T3 actions. The execution kernel cryptographically validates that the threshold has been met before executing the action.
Mechanical Refusal
An agent's action is refused by the execution system because it violates policy or authorization rules. The refusal is deterministic and unconditional. The agent cannot override or persuade the system to permit the action.
Ensures that rules are genuinely enforced. No human has the discretion to violate policy. Rules cannot be bypassed through arguments or threats.
When an agent's action violates policy, the execution kernel refuses execution and returns a deterministic error response explaining the policy violation. See Government AI Governance for classified environment examples.

Cryptographic Infrastructure

Merkle Audit Ledger
An append-only data structure using Merkle trees to link transactions cryptographically. Each new entry includes the hash of the previous entry, creating an immutable chain. Tampering with any historical entry breaks the chain hash, which is immediately detectable.
Creates immutable audit trails that survive network isolation and organizational changes. Regulators can verify that no records have been altered or deleted.
ExecLayer stores authority receipts in a Merkle audit ledger. Each receipt is linked to the previous receipt through cryptographic hashing. The ledger can be queried and verified without requiring central authority.
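The hash-chain linking described under Authority Receipt and Merkle Audit Ledger, as an added example (not ExecLayer's code): each ledger entry commits to the hash of the entry before it, so editing any historical receipt is detected on verification. Receipt field names and the sample receipts are constructed assumptions, and the chain here is the per-entry linking rather than a full Merkle tree.

```python
import hashlib
import json

# Added example, not ExecLayer's code: an append-only ledger in which every
# entry commits to the hash of the entry before it, so a retroactive edit
# anywhere breaks verification. Receipt field names are assumed for illustration.
GENESIS = "0" * 64

def canonical(obj) -> bytes:
    """Deterministic JSON encoding so an identical receipt always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash: str, receipt: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(receipt)).hexdigest()

def append(ledger: list, receipt: dict) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev, "receipt": receipt, "hash": entry_hash(prev, receipt)}
    ledger.append(entry)
    return entry

def verify(ledger: list) -> tuple:
    """(True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry_hash(prev, entry["receipt"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def demo() -> tuple:
    """Constructed receipts for two T1 trades; then the first one is edited after the fact."""
    ledger = []
    append(ledger, {"agent": "trade-bot-7", "action": "buy 100 XYZ", "tier": "T1",
                    "approver": "pm-alice", "nonce": 1})
    append(ledger, {"agent": "trade-bot-7", "action": "sell 50 XYZ", "tier": "T1",
                    "approver": "pm-alice", "nonce": 2})
    intact_before = verify(ledger)
    ledger[0]["receipt"]["action"] = "buy 100000 XYZ"   # tampering with history
    return intact_before, verify(ledger)

if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 0))
```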
Cryptographic Gating
Using cryptographic operations to control access to resources or execution of actions. A resource is accessible only if the requester possesses the correct cryptographic key or can generate the correct signature.
Provides access control that cannot be bypassed by configuration changes or social engineering. Cryptographic enforcement is mathematically provable.
ExecLayer uses cryptographic gating for all T1+ actions. Agents cannot execute actions without the required cryptographic signatures from authorized parties.
Policy Bundle
A cryptographically signed collection of rules and policies governing an agent's behavior. The bundle specifies what the agent can do, under what conditions, with what oversight requirements, and what data it can access.
Centralizes authorization rules in a single, signed artifact. Policy bundles cannot be modified without invalidating their signatures. They survive code pushes and updates.
Policy bundles are created by authorized personnel using the SovereignIR policy language. They are cryptographically signed and distributed to the execution kernel. The kernel validates signatures before accepting the policy.

Agent Control and Safety

Execution Kernel
The trusted runtime environment where agents execute. The kernel enforces policies, gates actions, generates authority receipts, and maintains audit logs. It operates independently of the agent's code.
Separates execution control from agent logic. An agent cannot modify the kernel or bypass its policies. The kernel can be audited and certified independent of agent behavior.
ExecLayer's execution kernel is a hardened process that runs agents in sandboxes, validates policies before execution, and enforces mechanical refusal when policies are violated. It can run in air-gapped, classified environments with no external dependencies.
Nonce Uniqueness
Every signed action includes a unique nonce (number used once). The execution kernel tracks all seen nonces and rejects any action with a duplicate nonce, preventing replay attacks.
Prevents attackers from replaying previously-signed actions. An attacker cannot capture a signed trade execution and replay it to execute the same trade twice.
ExecLayer includes nonce tracking in the execution kernel. Every action signature includes a unique nonce. The kernel verifies nonce uniqueness before executing.
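The gate that Threshold Signatures, Mechanical Refusal and Nonce Uniqueness describe, as one added example (not ExecLayer's code): an execution kernel that refuses an action deterministically unless a per-tier number of distinct authorized approvers have signed that exact action, and that rejects any replay of a consumed nonce. HMAC-SHA256 tags over the canonical action stand in for real signatures, and the m-of-n distinct-signer count stands in for a true threshold-signature scheme; signer keys, names and the tier table are constructed assumptions.

```python
import hashlib
import hmac
import json

# Added example, not ExecLayer's code. Approvals are HMAC-SHA256 tags over the
# canonical action, standing in for the signatures the page describes; the
# signer keys, names and per-tier approval counts are constructed assumptions.
SIGNER_KEYS = {"pm-alice": b"k-alice", "pm-bob": b"k-bob", "cro-carol": b"k-carol"}
TIER_APPROVALS = {"T0": 0, "T1": 1, "T2": 2, "T3": 3}   # distinct approvers required

def canonical(action: dict) -> bytes:
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()

def approve(signer: str, action: dict) -> tuple:
    """An approval binds the signer to this exact action, nonce included."""
    return signer, hmac.new(SIGNER_KEYS[signer], canonical(action), hashlib.sha256).hexdigest()

class Kernel:
    def __init__(self):
        self.seen_nonces = set()

    def gate(self, action: dict, approvals: list) -> str:
        """Mechanical refusal: 'EXECUTE' or a deterministic refusal reason."""
        nonce = action.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return "REFUSED: nonce missing or replayed"
        needed = TIER_APPROVALS.get(action.get("tier"))
        if needed is None:
            return "REFUSED: unknown tier"
        valid = set()
        for signer, tag in approvals:
            key = SIGNER_KEYS.get(signer)
            if key is None:
                continue                          # unknown signers count for nothing
            expected = hmac.new(key, canonical(action), hashlib.sha256).hexdigest()
            if hmac.compare_digest(tag, expected):
                valid.add(signer)                 # a set: one signer cannot count twice
        if len(valid) < needed:
            return f"REFUSED: {len(valid)} of {needed} required approvals"
        self.seen_nonces.add(nonce)               # nonce is consumed only on execution
        return "EXECUTE"

def demo() -> tuple:
    k = Kernel()
    act = {"agent": "trade-bot-7", "op": "sell 5000 XYZ", "tier": "T2", "nonce": "n-001"}
    one = k.gate(act, [approve("pm-alice", act)])
    dup = k.gate(act, [approve("pm-alice", act), approve("pm-alice", act)])
    ok = k.gate(act, [approve("pm-alice", act), approve("pm-bob", act)])
    replay = k.gate(act, [approve("pm-alice", act), approve("pm-bob", act)])
    return one, dup, ok, replay
```

`demo()` shows the T2 action refused with one approver, refused again when the same approver signs twice, executed with two distinct approvers, and refused as a replay when the identical signed action is submitted a second time.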
Adapter Binding
Cryptographically binding an agent to the specific external system it is authorized to control. The agent can only communicate with the intended system, not with other systems.
Prevents agent code from pivoting to other systems. An agent authorized to access a trading system cannot be repurposed to access customer databases.
ExecLayer binds agents to specific adapters (API interfaces) at policy definition time. The binding is cryptographically enforced. Agents cannot call adapters outside their binding.
Skill Publication Binding
Cryptographically binding an agent's capabilities (skills) to specific, authorized operations. A skill is a unit of functionality (e.g., "read patient labs", "execute equities trade"). Binding specifies which operations the agent can perform.
Prevents scope creep. An agent designed to read patient data cannot be modified to prescribe medications. Skills are immutable once published.
Agent skills are published with cryptographic signatures. Agents can only invoke skills they are explicitly authorized to invoke. Attempting to invoke unauthorized skills triggers mechanical refusal.
Frozen Input
Input data that is captured at a specific point in time, cryptographically signed, and immutable thereafter. An agent executes against frozen input, not live data that could change during execution.
Prevents race conditions and ensures deterministic execution. The agent's input is identical every time it executes, producing identical outputs.
ExecLayer freezes input data at the moment an agent begins execution. The frozen input is cryptographically hashed and stored with the execution record.

Policy and Compliance

Monotonic Policy
A policy that becomes more restrictive over time, never less restrictive. Once an authorization is revoked, it is never re-granted. Once a restriction is added, it is never removed.
Prevents accidental or malicious policy relaxation. Organizations cannot accidentally grant excessive permissions. Regulators can verify that policies never weaken.
ExecLayer enforces monotonic policy through cryptographic policy versioning. Each policy version includes a hash of the previous version. Attempting to relax restrictions breaks the chain.
AI Control Plane
The centralized system for managing agent policies, monitoring agent behavior, and making governance decisions. The control plane is separate from the agents themselves and can operate in a more restricted environment.
Separates governance (control plane) from execution (agents). The control plane can be audited more rigorously and has fewer dependencies than individual agents.
ExecLayer provides a control plane for policy management, monitoring dashboards, and audit log review. The control plane can run on a restricted network separate from deployed agents.
AI Guardrails
Constraints on agent behavior that prevent harmful outcomes. Guardrails can be hard (mechanical refusal) or soft (monitoring with alerts).
Provides defense-in-depth. Even if one control fails, guardrails prevent catastrophic failures. Guardrails are the difference between a "fail safe" and "fail dangerous" system.
ExecLayer implements hard guardrails through policy gating (mechanical refusal) and soft guardrails through monitoring. Violations of hard guardrails trigger deterministic refusal. Violations of soft guardrails trigger alerts. See AIGP 2026 Financial AI Governance.

Security and Threats

Prompt Injection
An attacker embeds malicious instructions in data that an agent processes, attempting to override the agent's intended behavior. For example, embedding instructions in a document that an agent reads, causing the agent to extract and send confidential information.
Prompt injection is an active threat to LLM-based agents. Without controls, injected instructions can cause agents to exceed their intended scope.
ExecLayer prevents prompt injection through multiple controls: policy gating prevents injected instructions from overriding policy, skill publication binding prevents agents from accessing unauthorized resources, and adapter binding prevents agents from communicating with unintended systems.
OWASP Agentic Top 10
A list of ten critical security risks specific to AI agent systems, published by OWASP (Open Worldwide Application Security Project). Includes prompt injection, unrestricted tool use, excessive agency, and similar threats.
Provides a standardized framework for evaluating agent security. Organizations can audit against OWASP Top 10 to identify vulnerabilities.
ExecLayer addresses all OWASP Agentic Top 10 risks through its design. Skill publication binding prevents unrestricted tool use. Policy gating prevents excessive agency. Mechanical refusal prevents unauthorized actions. Deterministic execution prevents non-deterministic failures.
Zero Trust AI
A security model where no entity (agent, user, service) is trusted by default. All actions require explicit authorization and cryptographic proof. Trust is never assumed; it is verified.
Prevents security failures caused by assumed trust. In zero trust AI, if an agent has not been explicitly authorized for an action, it cannot take that action, period.
ExecLayer implements zero trust AI through policy bundles that explicitly enumerate what each agent can do. The execution kernel trusts nothing; it verifies all actions against policy.

Content and Information Quality

E-E-A-T
Expertise, Experience, Authority, Trustworthiness. A framework for evaluating content quality, particularly for Your-Money-Your-Life (YMYL) content like healthcare and financial advice.
Agent-generated recommendations in healthcare and finance must meet high E-E-A-T standards. Authority receipts prove that recommendations were reviewed by authorized experts and documented appropriately.
ExecLayer's authority receipt framework demonstrates E-E-A-T: it proves that authorizing parties (experts) reviewed recommendations, that human oversight (experience) was applied, that authorized decision-makers (authority) approved the action, and that cryptographic signatures (trustworthiness) make the decision irrefutable.
Execution-Bound Governance
Policies and authorization rules that are cryptographically bound to specific execution instances. Once bound, policies cannot be modified without invalidating the execution record.
Prevents retroactive policy changes. An organization cannot retroactively claim that an unauthorized action violated policy if the action was executed under the original policy. Execution-bound governance creates immutable records.
ExecLayer binds policies to execution through cryptographic hashing. Each authority receipt includes the hash of the policy bundle that governed execution. If the policy bundle is later modified, the hash changes, and the breach is immediately detectable.
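The two mechanisms described under Monotonic Policy and Execution-Bound Governance, as one added example (not ExecLayer's code): a policy bundle is modelled as a list of permitted skills, each new version carries the hash of its predecessor and may only remove permissions, and an authority receipt commits to the hash of the bundle it executed under, so a later edit to that bundle is detectable. Skill names, version fields and sample values are constructed assumptions.

```python
import hashlib
import json

# Added example, not ExecLayer's code. A policy bundle is modelled as a list of
# permitted skills; each version carries the hash of its predecessor and may
# only remove permissions. A receipt records the hash of the bundle it ran
# under. All skill names and values are constructed assumptions.

def bundle_hash(bundle: dict) -> str:
    return hashlib.sha256(json.dumps(bundle, sort_keys=True).encode()).hexdigest()

def new_version(prev: dict, permissions: set) -> dict:
    """Next version of the policy; refuses to re-grant anything prev does not allow."""
    if not permissions <= set(prev["permissions"]):
        raise ValueError("monotonic policy violated: permissions may only shrink")
    return {"version": prev["version"] + 1, "prev_hash": bundle_hash(prev),
            "permissions": sorted(permissions)}

def verify_chain(versions: list) -> bool:
    """Each version must hash-link to the one before it and never widen permissions."""
    for older, newer in zip(versions, versions[1:]):
        if newer["prev_hash"] != bundle_hash(older):
            return False
        if not set(newer["permissions"]) <= set(older["permissions"]):
            return False
    return True

def issue_receipt(agent: str, action: str, bundle: dict) -> dict:
    """Execution-bound governance: the receipt commits to the governing bundle's hash."""
    return {"agent": agent, "action": action, "policy_hash": bundle_hash(bundle)}

def receipt_matches(receipt: dict, bundle: dict) -> bool:
    return receipt["policy_hash"] == bundle_hash(bundle)

def demo() -> tuple:
    v1 = {"version": 1, "prev_hash": "0" * 64,
          "permissions": ["order_routine_test", "read_patient_labs"]}
    v2 = new_version(v1, {"read_patient_labs"})          # restriction added: allowed
    try:
        new_version(v2, {"read_patient_labs", "prescribe"})   # re-grant: refused
        regrant_refused = False
    except ValueError:
        regrant_refused = True
    rcpt = issue_receipt("triage-agent", "read_patient_labs", v2)
    chain_ok, rcpt_ok = verify_chain([v1, v2]), receipt_matches(rcpt, v2)
    v2["permissions"].append("prescribe")                # bundle edited after execution
    return chain_ok, regrant_refused, rcpt_ok, verify_chain([v1, v2]), receipt_matches(rcpt, v2)
```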