OWASP Agentic Starter
Starter runtime controls for common OWASP-style agentic risks.
Right page if: you want a starter set of Edictum controls for common agentic risks such as tool misuse, excessive agency, identity abuse, unexpected code execution, and human approval gaps.
Wrong page if: you need a formal compliance mapping -- see https://docs.edictum.ai/docs/security/compliance.
Gotcha: this is a starter control set, not a certification or audit attestation. Edictum enforces tool-call behavior; model safety, OS sandboxing, network policy, and compliance process still matter.
This starter maps common agentic risks to concrete runtime controls.
Use it as a first pass before tailoring rulesets to your own tools, principals, data scopes, and approval process.
Starter Controls
| Risk | Runtime control | Start here |
|---|---|---|
| Tool misuse | Allowlist tools, paths, commands, and domains with sandbox rules | Sandbox rules |
| Excessive agency | Cap attempts, executions, and per-tool calls with session rules | Session rulesets |
| Identity and privilege abuse | Require principal role, ticket, org, or claim fields before risky calls | Principals |
| Unexpected code execution | Block destructive shell patterns and restrict command families | Change control patterns |
| Sensitive data exposure | Block sensitive reads and redact sensitive output | Data protection patterns |
| Human approval gaps | Use ask for high-impact actions and record approval decisions | Human-in-the-loop approvals |
| Process skipping | Use Workflow Gates for read-before-write, verification, approval, and terminal stages | Workflow Gates Runtime |
| Unreviewed rule changes | Use observe mode, replay, and blast-radius preview before promotion | Observe mode |
Minimal Ruleset Shape
```yaml
apiVersion: edictum/v1
kind: Ruleset
metadata:
  name: owasp-agentic-starter
rules:
  # Identity and privilege abuse: no production write without a ticket reference.
  - id: require-ticket-for-production-write
    type: pre
    tool: "*"
    when:
      side_effect:
        in: [write, irreversible]
      environment:
        equals: production
      principal.ticket_ref:
        exists: false
    then:
      action: block
      message: "Production writes require a ticket reference."
  # Unexpected code execution: destructive shell patterns need a human decision,
  # and no answer within the timeout is treated as a block.
  - id: ask-before-destructive-command
    type: pre
    tool: Bash
    when:
      args.command:
        matches: "(rm\\s+-rf|kubectl\\s+delete|terraform\\s+destroy)"
    then:
      action: ask
      message: "Destructive command requires human approval."
      timeout: 300
      timeout_action: block
  # Sensitive data exposure: secret-like strings are redacted from tool output.
  - id: redact-secrets-from-output
    type: post
    tool: "*"
    when:
      output:
        matches: "(sk-[A-Za-z0-9]+|AKIA[0-9A-Z]{16})"
    then:
      action: redact
      message: "Secret-like output was redacted."
```
Evidence To Keep
- the ruleset YAML in version control
- `edictum validate` output in CI
- observe-mode decision logs before enforcement
- replay or blast-radius preview before stricter rollout
- approval records for `ask` decisions
- audit events with `policy_version`, `principal`, `decision_source`, and `reason`
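To see how the three rule shapes in the minimal ruleset behave on concrete tool calls, and what a decision record carrying the evidence fields above can look like, here is an added dry-run evaluator. It is example code written for this page, not Edictum's engine or its audit schema: the operator semantics (first matching rule wins, allow when nothing matches, `ask` falling back to `timeout_action` when the approver gives no answer), the record layout, the `POLICY_VERSION` label, and the sample calls are all assumptions. It also carries one check worth running in observe mode before enforcing: the page's `rm\s+-rf` clause does not fire on `rm -fr` or `rm -r -f`, so a broadened pattern is shown alongside it.

```python
"""Dry-run evaluator for the starter ruleset (added example, not Edictum's engine).

Implements only the operators and actions on this page (`in`, `equals`, `exists`,
`matches`; `block`, `ask`, `redact`) under assumed semantics: first matching rule
wins, `allow` by default, `ask` falls back to `timeout_action` on no answer.
"""
import re
from typing import Any, Callable, Optional

POLICY_VERSION = "owasp-agentic-starter@1"   # assumed version label for the records

# The page's three rules as dicts, so this runs without a YAML parser.
STARTER_RULES = [
    {"id": "require-ticket-for-production-write", "type": "pre", "tool": "*",
     "when": {"side_effect": {"in": ["write", "irreversible"]},
              "environment": {"equals": "production"},
              "principal.ticket_ref": {"exists": False}},
     "then": {"action": "block", "message": "Production writes require a ticket reference."}},
    {"id": "ask-before-destructive-command", "type": "pre", "tool": "Bash",
     "when": {"args.command": {"matches": r"(rm\s+-rf|kubectl\s+delete|terraform\s+destroy)"}},
     "then": {"action": "ask", "message": "Destructive command requires human approval.",
              "timeout": 300, "timeout_action": "block"}},
    {"id": "redact-secrets-from-output", "type": "post", "tool": "*",
     "when": {"output": {"matches": r"(sk-[A-Za-z0-9]+|AKIA[0-9A-Z]{16})"}},
     "then": {"action": "redact", "message": "Secret-like output was redacted."}},
]

# The page's rm clause next to a broadened one that also catches reordered or
# split flags (rm -fr, rm -r -f): two lookaheads require an r-flag and an f-flag.
PAGE_RM_PATTERN = r"rm\s+-rf"
HARDENED_RM_PATTERN = r"\brm\s+(?=(?:\S*\s+)*?-\S*r)(?=(?:\S*\s+)*?-\S*f)"

# Approver callback: True = approved, False = denied, None = no answer before timeout.
Approver = Callable[[dict, dict], Optional[bool]]

def _lookup(call: dict, path: str):
    """Resolve a dotted path such as 'principal.ticket_ref' to (found, value)."""
    cur: Any = call
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return cur is not None, cur

def _holds(spec: dict, call: dict, path: str) -> bool:
    """Evaluate one `when` clause; every operator on the clause must hold."""
    found, value = _lookup(call, path)
    for op, arg in spec.items():
        if op == "exists":
            ok = found == arg
        elif op == "equals":
            ok = found and value == arg
        elif op == "in":
            ok = found and value in arg
        elif op == "matches":
            ok = found and re.search(arg, str(value)) is not None
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if not ok:
            return False
    return True

def _rule_matches(rule: dict, phase: str, call: dict) -> bool:
    if rule["type"] != phase or rule["tool"] not in ("*", call.get("tool")):
        return False
    return all(_holds(spec, call, path) for path, spec in rule["when"].items())

def evaluate(rules: list, phase: str, call: dict, approver: Optional[Approver] = None) -> dict:
    """Run one pre/post tool call through the rules; returns an audit-style record."""
    record = {"policy_version": POLICY_VERSION, "principal": call.get("principal"),
              "tool": call.get("tool"), "phase": phase}
    for rule in rules:
        if not _rule_matches(rule, phase, call):
            continue
        then = rule["then"]
        record.update(rule_id=rule["id"], reason=then["message"])
        if then["action"] == "ask":
            answer = approver(call, rule) if approver else None
            if answer is None:      # no human answer in time: fall back to timeout_action
                record.update(decision=then["timeout_action"], decision_source="timeout")
            else:
                record.update(decision="allow" if answer else "block", decision_source="human")
        elif then["action"] == "redact":
            pattern = rule["when"]["output"]["matches"]
            record.update(decision="redact", decision_source="rule",
                          output=re.sub(pattern, "[REDACTED]", call["output"]))
        else:
            record.update(decision=then["action"], decision_source="rule")
        return record           # first matching rule wins (assumed ordering semantics)
    record.update(decision="allow", decision_source="default", reason="no rule matched")
    return record

def pattern_hits(pattern: str, commands: list) -> list:
    """Which commands a `matches` regex fires on; useful for tuning rules in observe mode."""
    return [re.search(pattern, c) is not None for c in commands]

def demo() -> dict:
    """Constructed sample calls (not captured from a real session), keyed by scenario."""
    approve = lambda call, rule: True
    no_answer = lambda call, rule: None
    prod_write = {"tool": "Write", "side_effect": "write", "environment": "production",
                  "principal": {"role": "agent"}, "args": {"path": "/srv/app/config.yml"}}
    ticketed = dict(prod_write, principal={"role": "agent", "ticket_ref": "CHG-1234"})
    bash = {"tool": "Bash", "side_effect": "irreversible", "environment": "staging",
            "principal": {"role": "agent"}, "args": {"command": "rm -rf /tmp/build"}}
    reordered = dict(bash, args={"command": "rm -fr /tmp/build"})
    read = {"tool": "Read", "principal": {"role": "agent"},
            "output": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}
    return {
        "prod_write_no_ticket": evaluate(STARTER_RULES, "pre", prod_write),
        "prod_write_ticketed": evaluate(STARTER_RULES, "pre", ticketed),
        "rm_rf_approved": evaluate(STARTER_RULES, "pre", bash, approve),
        "rm_rf_timeout": evaluate(STARTER_RULES, "pre", bash, no_answer),
        "rm_fr_slips_past_page_regex": evaluate(STARTER_RULES, "pre", reordered, no_answer),
        "secret_in_output": evaluate(STARTER_RULES, "post", read),
    }

if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name:28} {rec['decision']:7} via {rec['decision_source']:8} {rec['reason']}")
```

Two things the dry run makes visible that the YAML alone does not: the `ask` rule only blocks on silence because `timeout_action: block` is set, so the decision record should say `timeout` rather than `human` in that case; and `rm -fr /tmp/build` reaches the default allow because the page's pattern anchors on `-rf`. Run the candidate `matches` regexes through `pattern_hits` over real observe-mode command logs before promoting a stricter rule.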