AEGIS·AI

Technical brief · v2026.05

AEGIS·AI: a security operations platform for AI systems

Hesed & Emet Advisory Pte Ltd, SingaporeOCSF 1.3, OpenTelemetry, SPIFFELast revised 2026-05-19

This brief describes the AEGIS·AI architecture, the production data plane, the agentic and full-stack red-team evaluation methodology, the threat model used in design, and the public-benchmark methodology against which the platform is measured. It is intended for CISOs, model-risk teams, and AI safety researchers performing due diligence.

1. System architecture

AEGIS·AI is deployed as a tenant-isolated control plane and a tenant-resident data plane. The data plane sits on top of the customer's existing identity, telemetry and SIEM stack and emits an OCSF-aligned event schema (proposed AI extension) over OpenTelemetry. The control plane is multi-region (ap-southeast-1, eu-west-1, us-east-1) and active-active. Policy is compiled to WebAssembly and delivered to inline enforcement points (an L7 gateway and a non-human identity broker) signed with Ed25519.

CUSTOMER ENVIRONMENT (data plane) AEGIS CONTROL PLANE DOWNSTREAM Gateway · L7 inline (optional) NHI broker · SPIFFE/SPIRE Discovery agents · read-only OTel collector · OCSF Memory / RAG hooks Existing SIEM (Splunk/Sentinel/…) Ingest · Kafka · OCSF normaliser Correlator · AI kill-chain Policy · OPA/Rego → wasm Red team (incl. agentic) engine Audit · framework mappers Evidence log · WORM · Ed25519 Investigation console Reports · board / regulator ITSM · ServiceNow/Jira Notify · PagerDuty/Slack Customer SIEM (round-trip) Regulator submission
Figure 1 · High-level component view. Inline enforcement points are optional; the read-only discovery and OTel collector provide visibility on day one.

1.1 Data plane components

1.2 Control plane components

2. Event schema (proposed OCSF AI extension)

All events conform to OCSF 1.3 with an AI-specific extension. A canonical example:

// llm.completion event (OCSF AI ext, draft)
{
  "metadata": { "version": "1.3.0", "log_version": "0.1.0" },
  "category_uid": 99, "class_uid": 99001, "type_uid": 9900101,
  "time": 1747627331184,
  "actor": { "user": { "name": "svc-rag-07", "type": "non-human" } },
  "tenant_uid": "meridian-prod", "region": "ap-southeast-1",
  "ai": {
    "model": { "name": "llm-prod", "vendor": "managed", "version": "2026.05.17" },
    "request_id": "01HZK9X8M5T7V2QZ...", "trace_id": "...", "span_id": "...",
    "input_tokens": 518, "output_tokens": 812, "latency_ms": 940,
    "cost_usd": 0.0143, "policy_decision": "ALLOW"
  }
}

3. Agentic red-team methodology

The agentic engine maps the target agent's graph (tools, sub-agents, memory stores, trust edges) before generating adversarial objectives. Tests are executed against a production-equivalent replica with simulated tools, in a sandbox with a scoped blast radius and a kill switch. Each campaign is pinned: library@version, seed, target.commit. Findings are stored with the full transcript and re-run on every release until they fail.

Threat classes (twelve, covered in v2026.05):

  1. Goal & instruction hijacking · indirect injection via content channels
  2. Tool misuse & excessive agency
  3. Long-term memory poisoning
  4. Multi-agent collusion & A2A spoofing
  5. MCP tool poisoning & rug-pull
  6. Confused-deputy privilege escalation
  7. Compositional exfiltration
  8. Human-in-the-loop bypass
  9. Denial-of-wallet & runaway loops
  10. Code-tool sandbox escape
  11. Plan & reasoning manipulation
  12. Secret & credential harvesting

4. Evaluation against public benchmarks

Detection content is exercised against published adversarial corpora. Results below are block-rate measurements against the bundled (and pinned) libraries; numbers represent the fraction of attack prompts/sequences caught at or before exfiltration.

BenchmarkVersionBlock rateΔ vs prior release
JailbreakBenchv0.2 (2026-03)96.4%+2.1pp
HarmBenchv1.1 (2026-02)93.8%+1.4pp
AdvBench (text)v2 (2026-01)98.1%+0.6pp
OWASP LLM Top 10v17.299.2%+0.0pp
MITRE ATLAS techniquesv442 / 46 covered+3
PyRIT scenariosv0.5128 / 132 passed+6
Garak (LLM probes)v0.10191 / 198 passed+9

Methodology notes: every measurement is paired with the target system commit, the detection content version, and the random seed; bootstrapped 95% CIs are appended in the full report. Numbers are not extrapolated and exclude post-hoc tuning on the test set.

5. Platform SLOs

ServiceIndicatorObjectiveTrailing 90d
aegis-ingestavailability99.95%99.97%
aegis-correlatorp99 detect latency≤ 600 ms412 ms
aegis-brokertoken issue p99≤ 250 ms184 ms
aegis-auditevidence dispatch≤ 5 s1.8 s
aegis-redteamqueue lag≤ 10 s2.4 s

6. Threat model summary

7. Compliance and assurance

SOC 2 Type II (in audit window). ISO/IEC 27001 in progress. Penetration tested quarterly by an independent third party. Platform red-teams itself continuously and publishes results internally. Sub-processor list is maintained at the trust page. Coordinated vulnerability disclosure: see /security.txt.

References

  1. OCSF (Open Cybersecurity Schema Framework), v1.3, 2024.
  2. OpenTelemetry specification, v1.x.
  3. SPIFFE/SPIRE, workload identity, CNCF, 2024.
  4. OWASP LLM Top 10 v17, 2026. OWASP Agentic AI Top 10, 2026.
  5. MITRE ATLAS, v4.
  6. NIST AI RMF 1.0; ISO/IEC 42001:2023; EU AI Act 2024/1689.
  7. Singapore IMDA Model AI Governance Framework (GenAI, AI Verify).
  8. MAS FEAT principles, Singapore.
  9. JailbreakBench (Chao et al., 2024); HarmBench (Mazeika et al., 2024); AdvBench (Zou et al., 2023); HELM-safety (Stanford CRFM).
  10. PyRIT (Microsoft); Garak (NVIDIA / leondz).
© 2026 Hesed & Emet Advisory Pte Ltd · Singapore Site · Status · Security