Programming Neam

Chapter 29: OWASP Security for AI Agents #

Neam v1.0 is the first programming language to implement the complete OWASP Top 10 for Agentic AI (ASI01-ASI10) and the OWASP Top 10 for MCP (MCP01-MCP10) as compiled language declarations. Security is not a library you import -- it is built into the compiler and enforced at build time.

💡 Tip

Every code example in this chapter compiles with neamc and runs with neam on v1.0.


Why Language-Level Security? #

Traditional agent frameworks bolt security on as middleware or runtime checks that can be bypassed. Neam takes a different approach: security constructs are parsed, type-checked, and compiled just like agents and skills. The compiler rejects programs that reference invalid security fields, and the VM enforces constraints at runtime.

| Approach | Enforcement | Bypass Risk |
|---|---|---|
| Library middleware | Runtime only | High -- can be skipped |
| Configuration files | Load-time | Medium -- can be overridden |
| Neam declarations | Compile-time + Runtime | None -- compiler enforces |

OWASP Agentic Security (ASI01-ASI10) #

Each of the 10 OWASP Agentic Security risks maps to a dedicated Neam declaration:

| Risk | Neam Keyword | Purpose |
|---|---|---|
| ASI01: Prompt Injection | goal_integrity | Prevent goal hijacking |
| ASI02: Tool Misuse | tool_validator | Schema validation, rate limits |
| ASI03: Identity Spoofing | agent_identity | Ephemeral credentials, scoped access |
| ASI04: Supply Chain | supply_chain_policy | Signed Agent.MD, tool pinning |
| ASI05: Code Execution | code_sandbox | Container isolation, resource limits |
| ASI06: Memory Poisoning | memory_integrity | Hash verification, provenance |
| ASI07: Output Handling | message_security | Signing, encryption, authentication |
| ASI08: Cascading Failures | circuit_breaker | Failure thresholds, blast radius |
| ASI09: Excessive Agency | human_gate | Human approval for high-risk actions |
| ASI10: Rogue Agents | agent_attestation | Periodic health checks, kill switches |

ASI01: Goal Integrity #

Prevents agent goal hijacking by declaring expected objectives and detecting runtime drift via semantic similarity:

```neam
goal_integrity ChurnGoal {
    declared_objectives: [
        "predict customer churn within 90 days",
        "identify top 5 churn drivers per customer",
        "deploy prediction API with monitoring"
    ],
    verification: {
        method: "semantic_similarity",
        threshold: 0.75,
        check_frequency: "per_phase",
        on_drift: "halt_and_escalate"
    },
    input_guard: "InjectionScanner",
    output_guard: "GoalAlignmentChecker",
    audit: true
}
```

| Field | Required | Description |
|---|---|---|
| declared_objectives | Yes | Array of expected agent objectives |
| verification | No | Drift detection: method, threshold, frequency, action |
| input_guard | No | Guard reference for input validation |
| output_guard | No | Guard reference for output alignment |
| audit | No | Log all checks (default: true) |

ASI02: Tool Validator #

Prevents tool misuse through strict schema validation, rate limiting, and recursion detection:

```neam
tool_validator StrictValidator {
    schema_enforcement: "strict",
    additional_properties: false,
    rate_limits: {
        per_agent: 100,
        per_tool: { "deploy": 3, "delete": 1 },
        per_phase: 50
    },
    max_call_depth: 5,
    detect_cycles: true,
    budget_per_call: { max_tokens: 4000, max_cost: 0.50 }
}
```
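
The quota, depth and cycle checks that a `tool_validator` declaration asks for can be sketched in a few dozen lines. The Python below is an added illustration, not Neam's compiler or VM code; the class `ToolValidator` and its `begin_call`/`end_call` methods are assumed names, and the limits mirror the `StrictValidator` declaration above. Every check runs before any counter is touched, so a rejected call leaves no trace in the quotas.

```python
# Added illustration of tool_validator enforcement logic in Python; it is not
# Neam's compiler or VM code. Limits mirror the StrictValidator declaration.
from collections import Counter


class ToolCallRejected(Exception):
    """Raised when a proposed tool call violates the validator policy."""


class ToolValidator:
    """Enforces per-agent, per-tool and per-phase call quotas, a maximum nesting
    depth for tool-initiated tool calls, and cycle detection on the active chain."""

    def __init__(self, per_agent, per_tool, per_phase, max_call_depth, detect_cycles=True):
        self.per_agent = per_agent          # calls allowed per agent for the run
        self.per_tool = per_tool            # dict of tool name -> call cap
        self.per_phase = per_phase          # calls allowed per workflow phase
        self.max_call_depth = max_call_depth
        self.detect_cycles = detect_cycles
        self.agent_calls = Counter()
        self.tool_calls = Counter()
        self.phase_calls = Counter()
        self.call_chain = []                # tools currently executing, outermost first

    def begin_call(self, agent, tool, phase):
        """Admit and record the call, or raise ToolCallRejected before any counter changes."""
        if self.agent_calls[agent] >= self.per_agent:
            raise ToolCallRejected(f"agent {agent!r} exceeded per_agent limit {self.per_agent}")
        cap = self.per_tool.get(tool)
        if cap is not None and self.tool_calls[tool] >= cap:
            raise ToolCallRejected(f"tool {tool!r} exceeded per_tool limit {cap}")
        if self.phase_calls[phase] >= self.per_phase:
            raise ToolCallRejected(f"phase {phase!r} exceeded per_phase limit {self.per_phase}")
        if len(self.call_chain) >= self.max_call_depth:
            raise ToolCallRejected(f"max_call_depth {self.max_call_depth} exceeded")
        if self.detect_cycles and tool in self.call_chain:
            chain = " -> ".join(self.call_chain + [tool])
            raise ToolCallRejected(f"recursive tool chain detected: {chain}")
        self.agent_calls[agent] += 1
        self.tool_calls[tool] += 1
        self.phase_calls[phase] += 1
        self.call_chain.append(tool)

    def end_call(self, tool):
        """Pop the innermost active call; calls must finish in LIFO order."""
        if not self.call_chain or self.call_chain[-1] != tool:
            raise ValueError(f"end_call({tool!r}) does not match active chain {self.call_chain}")
        self.call_chain.pop()


def demo():
    """Exercise the validator with constructed calls; returns a list of outcomes."""
    v = ToolValidator(per_agent=100, per_tool={"deploy": 3, "delete": 1},
                      per_phase=50, max_call_depth=5)
    outcomes = []
    # "delete" is capped at one call: the second attempt is rejected.
    for _ in range(2):
        try:
            v.begin_call("mlops", "delete", "release")
            v.end_call("delete")
            outcomes.append("delete:ok")
        except ToolCallRejected:
            outcomes.append("delete:rejected")
    # A nested chain query -> transform -> query is a cycle and is rejected.
    v.begin_call("mlops", "query", "release")
    v.begin_call("mlops", "transform", "release")
    try:
        v.begin_call("mlops", "query", "release")
        outcomes.append("cycle:missed")
    except ToolCallRejected:
        outcomes.append("cycle:rejected")
    v.end_call("transform")
    v.end_call("query")
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['delete:ok', 'delete:rejected', 'cycle:rejected']
```

The cycle check inspects only the chain of calls that are still executing, so a tool may legitimately be called twice in sequence; what it refuses is a tool re-entering itself through an intermediary, which is the pattern that turns into unbounded recursion.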

ASI03: Agent Identity #

Manages non-human identity lifecycle with ephemeral, scoped credentials:

```neam
agent_identity SecureID {
    credential_mode: "ephemeral",
    ttl: "15m",
    rotation: "per_phase",
    scope: {
        datascientist: ["read:ml_features", "write:ml_predictions"],
        mlops: ["read:ml_predictions", "write:deployments"],
        causal: ["read:ml_features"]
    },
    session_binding: true,
    cross_agent_sharing: false
}
```

ASI04: Supply Chain Policy #

Verifies Agent.MD signatures, pins tool descriptions, detects rug-pull attacks, and generates AIBOM:

```neam
supply_chain_policy SecureChain {
    agent_md_signing: {
        algorithm: "ed25519",
        verify_on_load: true,
        reject_unsigned: true
    },
    tool_pinning: {
        method: "sha256",
        pin_descriptions: true,
        pin_schemas: true,
        alert_on_change: true,
        block_on_change: true
    },
    mcp_verification: {
        require_signed_cards: true,
        block_shadow_servers: true,
        verify_tls_cert: true
    },
    aibom: {
        format: "cyclonedx",
        auto_generate: true,
        output: "./aibom.json"
    }
}
```

ASI05: Code Sandbox #

Isolates agent-generated code execution in containers with filesystem, network, and resource restrictions:

```neam
code_sandbox ForgeSandbox {
    runtime: "container",
    filesystem: {
        read_only: ["/data", "/models"],
        writable: ["/tmp"],
        blocked: ["/etc", "/root", "/var"]
    },
    network: { allow_outbound: false },
    resources: {
        max_cpu: "1 core",
        max_memory: "512MB",
        max_time: "60s"
    },
    pre_execution_review: {
        scan_for: ["eval", "exec", "subprocess", "os.system"],
        block_on_match: true,
        human_review_threshold: 0.7
    },
    log_all_executions: true
}
```

ASI06: Memory Integrity #

Protects agent memory and context from poisoning with hash verification and provenance tracking:

```neam
memory_integrity MemGuard {
    hash_algorithm: "sha256",
    verify_on_read: true,
    verify_on_write: true,
    provenance: {
        track_author: true,
        track_timestamp: true,
        track_context: true,
        immutable_after: "24h"
    },
    access_guard: {
        classification_aware: true,
        cross_agent_read: "restricted",
        admin_audit: true
    }
}
```

ASI07: Message Security #

Signs, encrypts, and authenticates all inter-agent messages:

```neam
message_security InterAgentSec {
    signing: {
        algorithm: "ecdsa_p256",
        sign_all_messages: true,
        include_nonce: true,
        include_timestamp: true,
        max_age: "60s"
    },
    encryption: {
        algorithm: "aes_256_gcm",
        key_exchange: "ecdh",
        encrypt_artifacts: true
    },
    authentication: {
        verify_sender_identity: true,
        verify_phase_permission: true,
        reject_unknown_agents: true
    }
}
```
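
The nonce, timestamp and `max_age` fields exist so that a captured message cannot be delivered twice or replayed later. The Python below is an added illustration of that receiving-side logic, not Neam's runtime: HMAC-SHA256 with a constructed shared-key table stands in for the declaration's ECDSA P-256 signatures, because the Python standard library has no ECDSA, and the `MessageSecurity` class, `FakeClock` and `demo` are assumed names. The order of checks is deliberate: authentication first, then freshness, then the replay set, so unauthenticated traffic can neither fill the nonce store nor probe it.

```python
# Added illustration of message_security-style verification in Python; not Neam's
# runtime. HMAC-SHA256 stands in for ECDSA P-256 (no ECDSA in the stdlib); the
# freshness and replay checks are the same whatever the signature algorithm.
import hashlib
import hmac
import json
import secrets
import time

SIGNED_FIELDS = ("sender", "payload", "nonce", "ts")


class MessageSecurity:
    """Signs outgoing envelopes and verifies incoming ones against a sender key table."""

    def __init__(self, keys, max_age=60.0, clock=time.time):
        self.keys = keys            # sender id -> shared key bytes (constructed for the demo)
        self.max_age = max_age      # seconds; mirrors max_age: "60s"
        self.clock = clock
        self.seen_nonces = set()    # accepted nonces; production code would expire them after max_age

    def _mac(self, sender, env):
        body = json.dumps({k: env[k] for k in SIGNED_FIELDS}, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.keys[sender], body.encode(), hashlib.sha256).hexdigest()

    def sign(self, sender, payload):
        env = {"sender": sender, "payload": payload, "nonce": secrets.token_hex(16), "ts": self.clock()}
        env["sig"] = self._mac(sender, env)
        return env

    def verify(self, env):
        """Return 'accept' or 'reject:<reason>'. Authentication runs before freshness
        and replay checks so unauthenticated traffic cannot influence the nonce set."""
        sender = env.get("sender")
        if sender not in self.keys:
            return "reject:unknown_agent"        # reject_unknown_agents: true
        try:
            expected = self._mac(sender, env)
        except (KeyError, TypeError):
            return "reject:malformed"
        if not hmac.compare_digest(expected, str(env.get("sig", ""))):
            return "reject:bad_signature"
        if abs(self.clock() - env["ts"]) > self.max_age:
            return "reject:stale"                # outside the max_age window
        if env["nonce"] in self.seen_nonces:
            return "reject:replay"               # same nonce delivered twice
        self.seen_nonces.add(env["nonce"])
        return "accept"


class FakeClock:
    """Deterministic clock so the freshness check is reproducible."""

    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed exchange: one valid message, then replay, tamper, spoof and stale cases."""
    clock = FakeClock()
    keys = {"datascientist": secrets.token_bytes(32), "mlops": secrets.token_bytes(32)}
    ms = MessageSecurity(keys, max_age=60.0, clock=clock.now)
    results = []
    msg = ms.sign("datascientist", {"phase": "train", "artifact": "model-v3"})
    results.append(ms.verify(msg))                           # accept
    results.append(ms.verify(msg))                           # reject:replay
    tampered = dict(msg, payload={"phase": "deploy", "artifact": "model-v3"})
    results.append(ms.verify(tampered))                      # reject:bad_signature
    results.append(ms.verify(dict(msg, sender="intruder")))  # reject:unknown_agent
    late = ms.sign("mlops", {"phase": "deploy"})
    clock.advance(61)
    results.append(ms.verify(late))                          # reject:stale
    return results
```

Because the timestamp is inside the signed body, a relay cannot refresh it to slip an old message past the `max_age` check; and because the nonce store only grows for authenticated, fresh messages, it stays bounded by the legitimate message rate times `max_age`.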

ASI08: Circuit Breaker #

Prevents cascading agent failures with configurable thresholds:

```neam
circuit_breaker AgentCB {
    failure_threshold: 3,
    success_threshold: 5,
    half_open_timeout: "30s",
    isolation: {
        scope: "per_agent",
        propagation: "block",
        fallback: "graceful_degrade"
    }
}
```

The circuit breaker follows three states:

| State | Description |
|---|---|
| Closed | Normal operation -- all calls pass through |
| Open | Failures exceeded threshold -- all calls blocked, fallback used |
| Half-Open | After timeout -- allow one probe call to test recovery |
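
The state table above is easiest to understand as a small state machine. The Python below is an added illustration of it, not Neam's VM; `CircuitBreaker`, `FakeClock` and `demo` are assumed names, and the thresholds mirror the `AgentCB` declaration: three failures open the circuit, the probe window opens after 30 seconds, five consecutive half-open successes close it again, and a single half-open failure sends it straight back to open.

```python
# Added illustration of the three-state circuit breaker in Python; not Neam's VM.
import time

CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"


class CircuitBreaker:
    def __init__(self, failure_threshold=3, success_threshold=5, half_open_timeout=30.0,
                 clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.success_threshold = success_threshold
        self.half_open_timeout = half_open_timeout
        self.clock = clock
        self.state = CLOSED
        self.failures = 0          # consecutive failures while closed
        self.successes = 0         # consecutive successes while half-open
        self.opened_at = 0.0
        self.probe_in_flight = False

    def call(self, fn, fallback):
        """Run fn() through the breaker; return fallback() when the call is blocked."""
        if self.state == OPEN and self.clock() - self.opened_at >= self.half_open_timeout:
            self.state, self.successes = HALF_OPEN, 0
        if self.state == OPEN or (self.state == HALF_OPEN and self.probe_in_flight):
            return fallback()      # propagation: "block", fallback: "graceful_degrade"
        if self.state == HALF_OPEN:
            self.probe_in_flight = True   # only one probe call at a time
        try:
            result = fn()
        except Exception:
            self._on_failure()
            return fallback()
        self._on_success()
        return result

    def _on_failure(self):
        self.probe_in_flight = False
        self.failures += 1
        if self.state == HALF_OPEN or self.failures >= self.failure_threshold:
            self.state, self.failures, self.opened_at = OPEN, 0, self.clock()

    def _on_success(self):
        self.probe_in_flight = False
        self.failures = 0
        if self.state == HALF_OPEN:
            self.successes += 1
            if self.successes >= self.success_threshold:
                self.state = CLOSED


class FakeClock:
    """Deterministic clock so the timeout transition is reproducible."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed sequence: three failures, a blocked call, the probe window, recovery."""
    clock = FakeClock()
    cb = CircuitBreaker(failure_threshold=3, success_threshold=5, half_open_timeout=30.0,
                        clock=clock.now)

    def failing():
        raise RuntimeError("downstream agent unavailable")

    def healthy():
        return "ok"

    def degraded():
        return "degraded"

    trace = []
    for _ in range(3):
        cb.call(failing, degraded)
    trace.append(cb.state)                     # open
    trace.append(cb.call(healthy, degraded))   # degraded: call blocked while open
    clock.advance(30)
    trace.append(cb.call(healthy, degraded))   # ok: probe call allowed
    trace.append(cb.state)                     # half_open
    for _ in range(4):
        cb.call(healthy, degraded)
    trace.append(cb.state)                     # closed after 5 successes
    return trace
```

The `isolation.scope: "per_agent"` setting in the declaration corresponds to keeping one `CircuitBreaker` instance per downstream agent, so that one agent's failures do not block calls to the others.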

ASI09: Human Gate #

Requires human approval for high-risk agent actions with confidence-calibrated escalation:

```neam
human_gate HighRiskApproval {
    approve_before: ["deploy", "delete", "transfer_data", "grant_access"],
    confidence_escalation: {
        below_threshold: 0.7,
        report_uncertainty: true,
        no_false_authority: true
    },
    workflow: {
        channel: "slack",
        timeout: "15m",
        default_on_timeout: "deny",
        require_reason: true
    },
    log_all_decisions: true
}
```

ASI10: Agent Attestation #

Detects rogue agents through periodic self-reporting, behavioral profiling, and kill switches:

```neam
agent_attestation HealthCheck {
    attest_interval: "5m",
    report_fields: ["current_objective", "tools_used", "tokens_consumed"],
    baseline: {
        method: "welford_online",
        sigma_threshold: 3.0,
        min_samples: 20
    },
    kill_switch: {
        api_enabled: true,
        auto_kill_on: ["budget_exhausted", "goal_drift_detected", "rogue_score > 0.8"],
        require_human_confirmation: false
    },
    collusion_detection: {
        monitor_cross_agent_patterns: true,
        flag_coordinated_actions: true,
        max_mutual_reinforcement: 3
    }
}
```
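
The `baseline` block names Welford's online algorithm, which maintains a running mean and variance in constant memory and so suits an attestation stream that never ends. The Python below is an added illustration of how such a baseline flags a deviating report, not Neam's runtime; `WelfordBaseline`, `AttestationMonitor` and `demo` are assumed names, and the sample token counts are constructed. It makes one defensive choice worth noting: a report judged anomalous is not folded into the baseline, so a single rogue value cannot widen the band it is later judged against.

```python
# Added illustration of the agent_attestation baseline in Python; not Neam's
# runtime. Implements Welford's online mean/variance (method: "welford_online")
# and flags a report more than sigma_threshold standard deviations from the mean
# once min_samples observations have been collected.
import math


class WelfordBaseline:
    def __init__(self, sigma_threshold=3.0, min_samples=20):
        self.sigma_threshold = sigma_threshold
        self.min_samples = min_samples
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0  # running sum of squared deviations from the mean

    def stddev(self):
        """Sample standard deviation; 0.0 until there are two observations."""
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def observe(self, x):
        """Return True if x is anomalous. Anomalous values are not folded into the
        baseline. A flat baseline (zero spread) treats any change as anomalous."""
        if self.n >= self.min_samples:
            sd = self.stddev()
            deviation = abs(x - self.mean)
            if (sd == 0.0 and deviation > 0.0) or (sd > 0.0 and deviation / sd > self.sigma_threshold):
                return True
        # Welford update: incorporate x into n, mean and m2 in one pass.
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
        return False


class AttestationMonitor:
    """One baseline per numeric report field, mirroring report_fields in the declaration."""

    def __init__(self, fields, sigma_threshold=3.0, min_samples=20):
        self.baselines = {f: WelfordBaseline(sigma_threshold, min_samples) for f in fields}

    def attest(self, report):
        """Return the list of report fields whose value is anomalous for this agent."""
        return [f for f, b in self.baselines.items() if f in report and b.observe(report[f])]


def demo():
    """Constructed attestation stream: 20 normal reports, one spike, then normal again."""
    monitor = AttestationMonitor(["tokens_consumed"], sigma_threshold=3.0, min_samples=20)
    normal = [980, 1010, 1000, 995, 1030, 970, 1005, 1015, 990, 1000,
              1025, 985, 1000, 1010, 995, 1005, 975, 1020, 1000, 990]
    flagged = []
    for tokens in normal + [5000, 1020]:
        flagged.append(monitor.attest({"tokens_consumed": tokens}))
    return flagged


if __name__ == "__main__":
    print(demo()[-2:])  # [['tokens_consumed'], []]
```

With the constructed samples the baseline settles at a mean of 1000 tokens and a standard deviation of roughly 16, so the 5000-token report sits hundreds of sigmas out and is flagged, while the following 1020-token report is about 1.3 sigma away and passes. In the declaration, a flagged field would feed the `rogue_score` that the kill switch consults.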

MCP Security (MCP01-MCP10) #

The Model Context Protocol (MCP) connects agents to external tool servers. Neam v1.0 adds three declarations that cover the OWASP Top 10 for MCP:

MCP Allowlist #

```neam
mcp_allowlist ApprovedServers {
    servers: [
        { url: "https://filesystem.example.com", fingerprint: "sha256:abc123" },
        { url: "https://database.example.com", fingerprint: "sha256:def456" }
    ],
    block_unlisted: true,
    alert_on_new: true
}
```

Tool Pinning #

```neam
tool_pinning ToolHashes {
    method: "sha256",
    pin_descriptions: true,
    pin_schemas: true,
    alert_on_change: true,
    block_on_change: true
}
```
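
Both the `tool_pinning` block inside `supply_chain_policy` (ASI04) and the standalone `tool_pinning` declaration above rest on the same mechanism: hash the tool's description and schema when the tool is first approved, and compare every later load against that pin so a quietly altered tool card (the "rug pull") is caught. The Python below is an added illustration of that mechanism, not Neam's compiler or runtime; `ToolPinStore`, `demo` and the `read_file` tool card are assumed and constructed. It canonicalises the JSON before hashing so that a harmless key reordering does not trip the check while any real change does.

```python
# Added illustration of SHA-256 tool pinning in Python; not Neam's compiler or runtime.
import hashlib
import json


class ToolPinStore:
    def __init__(self, pin_descriptions=True, pin_schemas=True,
                 block_on_change=True, alert_on_change=True):
        self.pin_descriptions = pin_descriptions
        self.pin_schemas = pin_schemas
        self.block_on_change = block_on_change
        self.alert_on_change = alert_on_change
        self.pins = {}  # tool name -> "sha256:<hex>"

    def digest(self, description, schema):
        """Hash canonical JSON (sorted keys, no whitespace) of the pinned fields."""
        pinned = {}
        if self.pin_descriptions:
            pinned["description"] = description
        if self.pin_schemas:
            pinned["schema"] = schema
        body = json.dumps(pinned, sort_keys=True, separators=(",", ":")).encode()
        return "sha256:" + hashlib.sha256(body).hexdigest()

    def pin(self, name, description, schema):
        """Record the approved tool card; returns the pin for logging."""
        self.pins[name] = self.digest(description, schema)
        return self.pins[name]

    def check(self, name, description, schema):
        """Return (allowed, alert). Unpinned tools are blocked; a changed tool is blocked
        when block_on_change is set and raises an alert when alert_on_change is set."""
        current = self.digest(description, schema)
        expected = self.pins.get(name)
        if expected is None:
            return False, f"tool {name!r} has no pin; approve it before use"
        if current == expected:
            return True, None
        alert = None
        if self.alert_on_change:
            alert = f"tool {name!r} changed since pinning: {expected[:23]}... -> {current[:23]}..."
        return (not self.block_on_change), alert


def demo():
    """Constructed MCP tool card that is altered after approval."""
    store = ToolPinStore()
    schema_v1 = {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]}
    store.pin("read_file", "Read a file from the project workspace", schema_v1)
    results = {}
    # Same card with keys in a different order: canonicalisation keeps the hash stable.
    reordered = {"required": ["path"], "properties": {"path": {"type": "string"}}, "type": "object"}
    results["unchanged"] = store.check("read_file", "Read a file from the project workspace", reordered)[0]
    # Later load: the card has gained a parameter and a different description.
    schema_v2 = dict(schema_v1, properties={"path": {"type": "string"}, "mirror_to": {"type": "string"}})
    allowed, alert = store.check("read_file", "Read a file and mirror it to a remote location", schema_v2)
    results["changed_allowed"] = allowed
    results["changed_alerted"] = alert is not None
    # A tool that was never approved is blocked outright.
    results["unpinned_allowed"] = store.check("list_dir", "List a directory", {})[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Pinning the schema as well as the description matters because an added optional parameter changes what the model can be steered to send without changing a single word of the human-readable description. The `memory_integrity` declaration's hash-on-write, verify-on-read behaviour uses the same compare-against-a-recorded-digest pattern, applied to memory entries instead of tool cards.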

Context Guard #

```neam
context_guard TaskIsolation {
    compartmentalize: true,
    cross_task_sharing: "none",
    max_context_age: "1h",
    purge_on_completion: true
}
```

AI Bill of Materials (AIBOM) #

Generate CycloneDX ML-BOM for AI system transparency and EU AI Act compliance:

```neam
aibom_config BOMGenerator {
    format: "cyclonedx",
    version: "1.6",
    components: {
        models: { include: true, fields: ["name", "provider", "version"] },
        agents: { include: true, fields: ["name", "type", "skills", "permissions"] },
        dependencies: { include: true, fields: ["name", "version", "license"] }
    },
    provenance: {
        track_lineage: true,
        manufacturer: "Neam Language Project",
        copyright: "Apache 2.0"
    },
    auto_generate: true,
    trigger: "on_build",
    output: "./aibom.cdx.json",
    eu_ai_act: {
        risk_classification: "limited",
        annex_iv_compliance: true
    }
}
```

Full OWASP Compliance Example #

Here is a complete program that declares all 14 v1.0 security constructs:

```neam
budget B { cost: 100.00, tokens: 1000000 }

// All 10 OWASP ASI constructs
goal_integrity G { declared_objectives: ["secure operations"] }
tool_validator TV { schema_enforcement: "strict", max_call_depth: 5 }
agent_identity AI { credential_mode: "ephemeral", ttl: "15m" }
supply_chain_policy SC { agent_md_signing: { algorithm: "ed25519" } }
code_sandbox CS { runtime: "container", network: { allow_outbound: false } }
memory_integrity MI { hash_algorithm: "sha256", verify_on_read: true }
message_security MS { signing: { algorithm: "ecdsa_p256", sign_all_messages: true } }
circuit_breaker CB { failure_threshold: 3 }
human_gate HG { approve_before: ["deploy", "delete"] }
agent_attestation AA { attest_interval: "5m", kill_switch: { api_enabled: true } }

// All 3 MCP security constructs
mcp_allowlist MA { servers: [{ url: "https://fs.example.com" }], block_unlisted: true }
tool_pinning TP { method: "sha256", block_on_change: true }
context_guard CG { compartmentalize: true, purge_on_completion: true }

// AIBOM for supply chain transparency
aibom_config BOM { format: "cyclonedx", auto_generate: true }

print("All 14 v1.0 security constructs declared");
```

```bash
neamc owasp_full.neam -o owasp_full.neamb
neam owasp_full.neamb
# Output: All 14 v1.0 security constructs declared
```

Contextual Keywords #

All v1.0 security keywords are contextual -- they can be used as regular variable names when not starting a declaration:

```neam
let goal_integrity = "just a string";
let circuit_breaker = 3.14;
let human_gate = "variable";
print(goal_integrity);   // "just a string"
print(circuit_breaker);  // 3.14
```

Coexistence with v0.9 Programs #

All v0.9.x programs work unchanged with v1.0. Security declarations are additive -- you add them alongside your existing agents, and the compiler validates them at build time. No existing code needs modification.
