This brief describes the AEGIS·AI architecture, the production data plane, the
agentic and full-stack red-team evaluation methodology, the threat model used in design, and
the public-benchmark methodology against which the platform is measured. It is intended for
CISOs, model-risk teams, and AI safety researchers performing due diligence.
1. System architecture
AEGIS·AI is deployed as a tenant-isolated control plane and a tenant-resident data plane.
The data plane sits on top of the customer's existing identity, telemetry and SIEM stack and
emits an OCSF-aligned event schema (proposed AI extension) over OpenTelemetry. The control
plane is multi-region (ap-southeast-1, eu-west-1,
us-east-1) and active-active. Policy is compiled to WebAssembly and
delivered to inline enforcement points (an L7 gateway and a non-human identity broker)
signed with Ed25519.
Figure 1 · High-level component view. Inline enforcement points are optional; the read-only discovery and OTel collector provide visibility on day one.
1.1 Data plane components
Discovery agents (read-only). Periodic scanners for cloud control plane, OAuth grants, code repositories, browser extensions and inline DLP. Output: live asset inventory + dependency graph.
OpenTelemetry collector. Pulls prompts, completions, tool calls, A2A messages, RAG retrievals and inference events. Encoded to a proposed OCSF AI extension and shipped to both AEGIS ingest and the customer SIEM.
Inline gateway (optional). L7 proxy in front of model APIs and agent runtimes; enforces policy and runs guardrails. Skippable for monitor-only deployments.
1.2 Control plane components
Correlator. AI kill-chain detection content over the OCSF stream (injection → tool abuse → credential reuse → exfil).
Policy. OPA/Rego compiled to wasm, signed and shipped to enforcement points; supports attribute- and intent-based access control.
Red-team engine. Continuous adversarial testing across the eight attack domains; agentic engine (this paper §3) runs full-loop attacks against production-equivalent replicas with safe-execution scaffolding.
Audit. Framework mappers (ISO/IEC 42001, EU AI Act, NIST AI RMF, Singapore IMDA, MAS FEAT, OWASP) emit signed evidence packs against an immutable WORM log.
2. Event schema (proposed OCSF AI extension)
All events conform to OCSF 1.3 with an AI-specific extension. A canonical example:
The agentic engine maps the target agent's graph (tools, sub-agents, memory stores, trust
edges) before generating adversarial objectives. Tests are executed against a
production-equivalent replica with simulated tools, in a sandbox with a scoped blast radius
and a kill switch. Each campaign is pinned: library@version,
seed, target.commit. Findings are stored with
the full transcript and re-run on every release until they fail.
Threat classes (twelve, covered in v2026.05):
Goal & instruction hijacking · indirect injection via content channels
Tool misuse & excessive agency
Long-term memory poisoning
Multi-agent collusion & A2A spoofing
MCP tool poisoning & rug-pull
Confused-deputy privilege escalation
Compositional exfiltration
Human-in-the-loop bypass
Denial-of-wallet & runaway loops
Code-tool sandbox escape
Plan & reasoning manipulation
Secret & credential harvesting
4. Evaluation against public benchmarks
Detection content is exercised against published adversarial corpora. Results below are
block-rate measurements against the bundled (and pinned) libraries; numbers represent the
fraction of attack prompts/sequences caught at or before exfiltration.
Benchmark
Version
Block rate
Δ vs prior release
JailbreakBench
v0.2 (2026-03)
96.4%
+2.1pp
HarmBench
v1.1 (2026-02)
93.8%
+1.4pp
AdvBench (text)
v2 (2026-01)
98.1%
+0.6pp
OWASP LLM Top 10
v17.2
99.2%
+0.0pp
MITRE ATLAS techniques
v4
42 / 46 covered
+3
PyRIT scenarios
v0.5
128 / 132 passed
+6
Garak (LLM probes)
v0.10
191 / 198 passed
+9
Methodology notes: every measurement is paired with the target system commit, the
detection content version, and the random seed; bootstrapped 95% CIs are appended in the
full report. Numbers are not extrapolated and exclude post-hoc tuning on the test set.
5. Platform SLOs
Service
Indicator
Objective
Trailing 90d
aegis-ingest
availability
99.95%
99.97%
aegis-correlator
p99 detect latency
≤ 600 ms
412 ms
aegis-broker
token issue p99
≤ 250 ms
184 ms
aegis-audit
evidence dispatch
≤ 5 s
1.8 s
aegis-redteam
queue lag
≤ 10 s
2.4 s
6. Threat model summary
In scope. Adversaries exploiting AI surfaces (prompts, agents, tools, memory, supply chain, identity, infrastructure) at any layer the platform observes; insiders abusing AI capabilities; misconfigured or vulnerable third-party models.
Out of scope. Compromise of the customer's underlying OS/cloud below the AEGIS data-plane footprint; physical attacks on the customer environment.
Assumptions. Read-only cloud roles function; the customer's OTel collector is reachable; SIEM accepts OCSF; tenants are isolated at the cluster level.
7. Compliance and assurance
SOC 2 Type II (in audit window). ISO/IEC 27001 in progress. Penetration tested quarterly
by an independent third party. Platform red-teams itself continuously and publishes results
internally. Sub-processor list is maintained at the trust page. Coordinated vulnerability
disclosure: see /security.txt.