Glossary — Agent Runtime Authorization

Definitions for the vocabulary of agent runtime authorization. Each definition is intended to be authoritative and citable. This glossary is maintained as a public reference; corrections to security@intentgate.app.

Agent Runtime Authorization: The security control category that governs the actions an authenticated AI agent takes on internal tools, APIs, and data — gating what an authenticated agent can do, evaluating every tool call against user intent, capability scope, content classification, and policy in real time.
Agent Runtime: The execution environment in which an AI agent runs — typically a long-lived process hosting one or more agent loops with session state, LLM-provider connections, and tool credentials.
AI Agent: A software entity that uses an LLM to interpret natural-language instructions, plan actions, and execute by calling tools. Distinguished from a chatbot by the ability to take actions with side effects.
Service Identity: The non-human identity an AI agent runs under — typically a Microsoft Entra ID Managed Identity, AWS IAM role, or GCP service account — that holds the agent's tool credentials.
Tool Call: A single invocation by an AI agent of an external tool — a function call, API request, database query, or webhook — with resolved verb, arguments, and expected response shape.
Tool Catalogue: The set of tools an agent is permitted to invoke, expressed as a list of tool definitions and bound to the agent via the capability token.
Capability Token: An HMAC-bound credential that scopes an agent to specific tools, tenants, and time windows. Minted by the gateway, presented on every tool call, verified before other checks.
Capability Attenuation: The process of deriving a more restrictive capability token from a more permissive one — typically when a parent agent delegates work to a sub-agent.
Intent: The user's declared structured goal for an agent session, captured at session start and signed into the capability token.
Intent Check: The gateway control that compares the resolved tool call against the user's declared intent and refuses calls that fall outside that intent — the primary defence against prompt injection.
Policy Engine: The component that evaluates declarative policy on every tool call. IntentGate's policy engine is built on Open Policy Agent and expresses rules in Rego.
Rego: The declarative policy language used by Open Policy Agent (OPA) to express authorization rules — the language in which IntentGate's destructive-verb deny-list and other policy rules are written.
Destructive Verb: A tool-call verb whose effect is to delete, drop, truncate, or mass-update data. Blocked by default by a destructive-verb deny-list unless explicitly whitelisted.
Destructive-Verb Deny-list: A policy rule that blocks tool calls whose resolved verb falls into a defined set of destructive operations unless the calling agent's role explicitly permits the specific verb.
Bulk-row Ceiling: A policy rule that caps the number of rows a tool call can return or modify in a single invocation. Prevents mass data hijack and mass destructive writes.
Value Threshold: A policy rule that caps the value of a single tool call argument — most commonly the amount of a transfer_funds call. Defends against the financial-verb variant of agent hijack.
Budget: A per-tenant or per-session ceiling on token consumption, cost, or call volume. The defence against unbounded consumption from runaway agent loops or token-bomb upstreams.
Memory Provenance: The mechanism by which the gateway attaches signed chain-of-custody to every write to an agent's persistent memory, so that subsequent reads can require verified provenance.
Chain-of-custody: The cryptographically-verifiable record of who wrote a piece of memory, when, under what intent, and with what capability.
PII Filter: A content-inspection control that detects and strips personally identifiable information from prompts going outbound to LLM providers and from responses coming back inbound.
Bidirectional Filter: A content filter that operates on both directions of agent ↔ LLM traffic: outbound (stripping PII from prompts) and inbound (stripping PII from responses).
Counts-only Audit: An audit pattern in which the gateway records that a class of sensitive data was detected and stripped, but does not persist the matched values themselves.
Output Schema Validation: The gateway control that validates the response from a tool call conforms to a declared JSON schema — both in shape and in value constraints.
Tenant Scope Check: The gateway control that verifies every tool call is executed against a tenant identifier matching the capability token's scope. Prevents cross-tenant data leakage.
Hash-chained Audit Log: An audit log structure in which each entry includes a cryptographic hash of the previous entry, forming a chain that breaks detectably if any prior entry is modified.
Tamper-evident: A property of an audit log in which any unauthorised modification to a prior entry can be detected — weaker than tamper-proof but the right property for an audit chain.
Fault Isolation: The gateway control that prevents one slow or failing tool from impacting other tools, via per-tool circuit breakers and bulkhead resource isolation.
Circuit Breaker: A control pattern that monitors failures on a downstream dependency and trips open after a threshold, so subsequent calls fail fast without consuming gateway resources.
Bulkhead Isolation: A resource-isolation pattern that gives each tool its own thread pool, connection pool, or slot allocation, so resource exhaustion on one tool cannot starve other tools.
Prompt Injection: An attack (OWASP LLM01) in which malicious instructions embedded in untrusted content an agent reads are treated as legitimate by the agent and acted on.
Goal Hijack: The agent-layer manifestation of prompt injection (OWASP AGENT01): a hijacked agent pursues an injected goal instead of the user's declared intent.
Mass Data Hijack: The headline variant of goal hijack: a hijacked agent enumerates every record it has read access to and forwards the contents to an attacker-controlled destination.
Memory Poisoning: An attack in which false facts are written into an agent's persistent memory, so later sessions read those facts and act on them as if verified.
Excessive Agency: A condition (OWASP LLM06) in which an agent has access to consequential tool actions without proportional authorization controls.
Tool Misuse: The use of a legitimate tool in an unauthorised way (OWASP AGENT02) — most commonly bulk-reading PII through a list_* tool or destructive writes via routine update tools.
Identity Spoofing: An attack (OWASP AGENT09) in which a request asserts a tenant identifier the calling agent does not hold a capability token for — typically a pivot attempt after compromise.
Misaligned Action: A condition (OWASP AGENT07) in which an agent calls a tool that technically resolves the request but is not what the user would recognise as fulfilling it.
Cascading Failure: A condition (OWASP AGENT08) in which one slow or failing tool causes the entire agent to become unavailable because the agent's resource pool is exhausted waiting on the failing tool.
Unbounded Consumption: A runaway agent loop or token-bomb upstream (OWASP LLM10) that exhausts per-tenant LLM budget or downstream system capacity.
Audit Log Tampering: An attack in which an attacker who has reached the audit store rewrites or removes prior entries to hide the trail of an incident.
Rogue Agent: An agent operating without authorisation in the customer's environment (OWASP AGENT10) — a developer's experimental agent in production, a leftover agent after a project ended, or an unauthorised deployment.
Inline Gateway: A deployment topology in which the gateway sits in the network path between agent runtime and tools, terminating the connection, evaluating policy, and forwarding only on allow.
Fail-closed: The property that a control denies the action when it cannot reach a definitive allow decision. The right default for a security control; the alternative (fail-open) bypasses the control during outages.
Six Controls: The six categories of control a complete agent runtime authorization solution provides: capability, intent, policy, budget, memory provenance, and bidirectional content filtering — typically with a hash-chained audit log as a cross-cutting concern.
HMAC: Hash-based Message Authentication Code. The cryptographic primitive used to bind capability tokens to specific tools, tenants, and time windows, and to bind memory writes to their chain-of-custody.
API Gateway: A general-purpose gateway for managing APIs at scale — TLS termination, JWT validation, rate limiting, JSON schema shape validation, traffic logging. Examples: Azure API Management, Kong, Apigee, AWS API Gateway.
Prompt Firewall: A category of AI security product that inspects prompt text going from user to LLM and filters for harmful content. Examples: Lakera, Prompt Security. Complementary to but distinct from agent runtime authorization.
Zero Trust: A network security model in which no actor is trusted by default and access is granted on a per-request basis after explicit verification. Agent runtime authorization applies the same principle to agent actions.
IGA: Identity Governance and Administration. Products that manage the lifecycle of identities — joiner/mover/leaver, entitlement reviews, certifications. Examples: SailPoint, Saviynt, Okta Identity Governance.
ABAC: Attribute-Based Access Control. An access control model in which decisions are made based on attributes of subject, resource, action, and environment. The underlying model for Rego policy.
PAM: Privileged Access Management. Products that manage privileged access — credentials vaulting, just-in-time elevation, session recording. Examples: CyberArk, BeyondTrust, Delinea.
SIEM: Security Information and Event Management. Products that aggregate and correlate security events. Examples: Microsoft Sentinel, Splunk, Elastic Security, Google Chronicle.
XDR: Extended Detection and Response. Products that correlate detection across endpoint, identity, email, network, and cloud telemetry. Examples: Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne.
OWASP Top 10 for LLM Applications: The Open Web Application Security Project's published list of the ten most critical security risks specific to large language model applications. The 2025 version is the reference list.
OWASP Top 10 for Agentic AI Applications: The Open Web Application Security Project's published list of the ten most critical security risks specific to agentic AI systems — distinct from the LLM Top 10, focused on multi-step autonomous agent behaviour.
NIST AI RMF: The U.S. National Institute of Standards and Technology AI Risk Management Framework — a voluntary framework organised around Govern, Map, Measure, Manage functions.
MITRE ATLAS: The MITRE Adversarial Threat Landscape for AI Systems — an ATT&CK-style framework cataloguing tactics and techniques attackers use against AI systems.
EU AI Act: The European Union's regulation on AI systems, effective in phases from 2024–2026. Imposes obligations on providers and deployers of high-risk AI systems including risk management, governance, transparency, human oversight, and cybersecurity.
ISO/IEC 42001: The international standard for AI management systems, published 2023. Establishes requirements for an organisation to establish, implement, maintain, and continually improve an AI management system.
Improper Output Handling: An attack class (OWASP LLM05) in which an LLM response contains content that downstream code will execute or store unsafely — SQL fragment, script payload, malformed JSON. Defence: output schema validation at gateway boundary.
MCP: Model Context Protocol — a JSON-RPC-based open specification published by Anthropic for communication between AI agents and the tools, resources, and prompts the agents consume.
JSON-RPC: The remote procedure call protocol used by MCP and many tool-call APIs. Provides request/response structure with method, params, and id fields.
OPA: Open Policy Agent. The open-source general-purpose policy engine that evaluates Rego policy. CNCF graduated project. Embedded in IntentGate to evaluate per-call authorization rules.
Apache 2.0: The open-source software licence under which the IntentGate gateway is published. Permits commercial use, modification, distribution, and sublicensing with patent grant and notice requirements.