Two OWASP frameworks now apply to LLM and agent deployments: the Top 10 for LLM Applications, and the Top 10 for Agentic AI Applications. Below is an honest, per-risk mapping of where IntentGate is a direct mitigation, a partial mitigation, or out of scope — with the specific mechanism in each case. For risks marked ★ Live demo, you can watch IntentGate block a real attack in our hosted lab.
Hosted lab. Real gateway. Fourteen scripted attacks across both OWASP frameworks. You drive; we provide the credentials.
OWASP Top 10 for LLM Applications. The original framework, focused on risks specific to language-model-backed applications. IntentGate is the runtime layer for LLM01, LLM02, LLM05, LLM06, LLM08, and LLM10 — six of the ten.
LLM01 Prompt Injection (direct mitigation). Intent check. The extractor surfaces divergence between the user's original ask and the agent's tool-call arguments. Injected instructions redirect the agent's action; this check catches the redirect.
LLM02 Sensitive Information Disclosure (direct mitigation). Bidirectional PII filter. Tool-call arguments are scanned on the way out, tool-call responses on the way back — same engine, same audit chain. Built-in classes (email, phone, IBAN, BSN, credit card, US SSN, EU VAT, IPv4/IPv6) plus customer-declared patterns, each with a numeric validator (mod-97, mod-11, Luhn, SSA prefix rules) to keep false positives low. Three actions: redact, block, or escalate. Per-request override via Rego; counts-only in the audit chain — matched values are never persisted.
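As an added illustration of the validator-backed detection in the PII filter row above (example code written for this page, not IntentGate's engine): each class pairs a candidate regex with a checksum, so a nine-digit run only counts as a BSN if it passes the 11-proef, a 13-19 digit run only counts as a card number if it passes Luhn, and a two-letter/two-digit prefix only counts as an IBAN if the ISO 13616 mod-97 check holds. The pattern set, the `pii_filter` function, its decision shape and the sample argument string are all constructed for the example; only counts and redacted text leave the function, matching the counts-only audit rule.

```python
import re

# Added example, not IntentGate code: regex candidates + checksum validators, counts-only output.


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four chars to the end, map letters to 10..35."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha():
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def bsn_ok(bsn: str) -> bool:
    """Dutch BSN 11-proef: weights 9..2 on the first eight digits, -1 on the last."""
    if len(bsn) != 9 or not bsn.isdigit():
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return sum(int(d) * w for d, w in zip(bsn, weights)) % 11 == 0


# Detection classes: (candidate regex, validator). Order matters: IBAN matches are replaced on the
# working copy before the card regex runs, so an IBAN's digit groups are never re-matched as a card.
PATTERNS = {
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"), iban_ok),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                    lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "bsn": (re.compile(r"\b\d{9}\b"), bsn_ok),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
}

# Constructed tool-call argument: one valid IBAN, one valid card, one valid BSN, one email, and a
# nine-digit reference that fails the 11-proef and must therefore NOT be counted as a BSN.
SAMPLE_ARG = ("Send the statement for GB82 WEST 1234 5698 7654 32 to jan@example.com, "
              "charge card 4111 1111 1111 1111, customer bsn 111222333, ref 123456789")


def pii_filter(text: str, action: str = "redact") -> dict:
    """Scan one tool-call argument (or tool response) string.

    Returns the decision, the text to forward and per-class counts. Matched values are never
    stored: the only things that leave this function are counts and the redacted text.
    """
    if action not in ("redact", "block", "escalate"):
        raise ValueError(f"unknown action {action!r}")
    counts: dict = {}
    working = text
    for name, (rx, validate) in PATTERNS.items():
        def repl(m, name=name, validate=validate):
            raw = m.group(0)
            if not validate(raw):
                return raw                  # regex hit but checksum failed: likely a false positive
            counts[name] = counts.get(name, 0) + 1
            return f"[{name.upper()}]"
        working = rx.sub(repl, working)
    if not counts:
        return {"decision": "allow", "text": text, "counts": {}}
    if action == "redact":
        return {"decision": "allow", "text": working, "counts": counts}
    return {"decision": action, "text": None, "counts": counts}   # block / escalate: nothing forwarded


if __name__ == "__main__":
    print(pii_filter(SAMPLE_ARG))
    print(pii_filter(SAMPLE_ARG, "block"))
```

The sample run leaves `ref 123456789` in the text: it matches the BSN regex but fails the checksum, which is exactly the false positive the validators exist to suppress.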
LLM03 Supply Chain (out of scope). IntentGate ships SBOMs and signed releases for its own components but doesn't address the customer's model and library supply chain.
LLM04 Data and Model Poisoning (out of scope). Risk sits at training time; IntentGate is runtime.
LLM05 Improper Output Handling (direct mitigation). Output schema validation. Operators declare a JSON-Schema-subset shape per tool. Every upstream response is checked: undeclared fields stripped (default), wrong-type scalars dropped, enum violations refused. Three actions — allow, strip, block — with per-tool overrides. Runs after the PII filter on the response path, so PII-redacted text is also schema-checked before reaching the agent. Counts-only in audit; matched values never persisted.
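A worked version of the response-path check described above, added here as example code (not IntentGate's validator). The schema, the hypothetical `invoice_lookup` tool it belongs to, the sample response and the decision shape are constructed; the three behaviours follow the row: undeclared fields are stripped and counted, wrong-type scalars are dropped and counted, and an enum violation is refused whatever the configured action. The `allow`/`strip`/`block` actions decide what happens with the first two categories.

```python
# Added example, not IntentGate code: a JSON-Schema-subset check applied to one tool response.

SCHEMA = {                       # constructed schema for a hypothetical "invoice_lookup" tool
    "type": "object",
    "properties": {
        "id": {"type": "string"},
        "amount": {"type": "number"},
        "status": {"type": "string", "enum": ["paid", "pending", "refunded"]},
        "tags": {"type": "array", "items": {"type": "string"}},
    },
}

# Constructed upstream response: one undeclared field, one wrong-type scalar, one wrong-type item.
SAMPLE_RESPONSE = {"id": "inv_42", "amount": "12.50", "status": "paid",
                   "tags": ["a", 7], "debug_note": "raw prompt"}

_TYPES = {"string": str, "number": (int, float), "integer": int,
          "boolean": bool, "object": dict, "array": list, "null": type(None)}
_DROP = object()                 # sentinel: this value is removed from the cleaned response


class SchemaViolation(Exception):
    """Raised for violations that are refused regardless of action (enum mismatch)."""


def _type_ok(value, typename: str) -> bool:
    if typename in ("number", "integer") and isinstance(value, bool):
        return False             # bool subclasses int in Python; true/false must not pass as numbers
    return isinstance(value, _TYPES[typename])


def _check(value, schema: dict, counts: dict, path: str):
    t = schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            counts["wrong_type"] += 1
            return _DROP
        props = schema.get("properties", {})
        out = {}
        for k, v in value.items():
            if k not in props:
                counts["undeclared"] += 1        # undeclared field: stripped
                continue
            r = _check(v, props[k], counts, f"{path}.{k}")
            if r is not _DROP:
                out[k] = r
        return out
    if t == "array":
        if not isinstance(value, list):
            counts["wrong_type"] += 1
            return _DROP
        items = schema.get("items", {})
        out = []
        for i, v in enumerate(value):
            r = _check(v, items, counts, f"{path}[{i}]")
            if r is not _DROP:
                out.append(r)
        return out
    if t is not None and not _type_ok(value, t):
        counts["wrong_type"] += 1                # wrong-type scalar: dropped
        return _DROP
    if "enum" in schema and value not in schema["enum"]:
        raise SchemaViolation(f"{path}: value not in enum")   # report the path, never the value
    return value


def check_response(response, schema: dict, action: str = "strip") -> dict:
    """action: 'allow' forwards the body untouched (counts still recorded), 'strip' forwards the
    cleaned body, 'block' refuses any response that needed cleaning. Enum violations always block."""
    counts = {"undeclared": 0, "wrong_type": 0}
    try:
        cleaned = _check(response, schema, counts, "$")
    except SchemaViolation as e:
        return {"decision": "block", "reason": str(e), "counts": counts}
    violations = counts["undeclared"] + counts["wrong_type"]
    if cleaned is _DROP or (action == "block" and violations):
        return {"decision": "block", "reason": "response does not match declared shape", "counts": counts}
    body = response if action == "allow" else cleaned
    return {"decision": "allow", "body": body, "counts": counts}


if __name__ == "__main__":
    for act in ("strip", "block", "allow"):
        print(act, check_response(SAMPLE_RESPONSE, SCHEMA, act))
```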
LLM06 Excessive Agency (direct mitigation). Capability tokens enforce least-privilege tool access. Rego policy enforces scope limits. Escalate decision gates high-impact actions for human approval.
LLM07 System Prompt Leakage (out of scope). Model-internal concern; IntentGate sits outside the model.
LLM08 Vector and Embedding Weaknesses (direct mitigation). Per-tenant scope enforcement. Operators mark vector-store and RAG tools as tenant-scoped. The gateway verifies the tool-call's tenant filter argument matches the verified capability token's tenant claim before forwarding. Missing filters can be auto-injected from the token; mismatched or wildcard filters are blocked (-32017). Closes the cross-tenant query path on shared embedding backends.
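The tenant-scope check above, written out as an added example (not IntentGate's implementation). It assumes the capability token has already been signature-checked upstream and that `claims` is its verified payload; the tool names, the argument names that carry each tool's tenant filter and the `-32017` error shape are assumptions for the example, the code itself being the one the row cites. The four outcomes the row lists are all exercised: filter matches, filter missing (auto-injected or refused), filter mismatched, filter wildcard.

```python
# Added example, not IntentGate code. `claims` is the already-verified capability token payload.

SCOPE_ERROR = -32017          # error code the page uses for tenant-scope violations

# Hypothetical tenant-scoped tools -> the argument name that carries each tool's tenant filter.
TENANT_SCOPED_TOOLS = {
    "vector_search": "tenant_filter",
    "rag_query": "tenant",
}


def enforce_tenant_scope(tool: str, args: dict, claims: dict, auto_inject: bool = True) -> tuple:
    """Return ("allow", args_to_forward) or ("block", error) for one tool call."""
    if tool not in TENANT_SCOPED_TOOLS:
        return "allow", args                       # not a tenant-scoped tool: nothing to check
    key = TENANT_SCOPED_TOOLS[tool]
    expected = claims.get("tenant")
    if not expected:
        return "block", {"code": SCOPE_ERROR, "message": "token carries no tenant claim"}
    supplied = args.get(key)
    if supplied is None:                           # filter missing
        if not auto_inject:
            return "block", {"code": SCOPE_ERROR, "message": f"{key} is required"}
        return "allow", {**args, key: expected}    # inject the tenant from the token
    if isinstance(supplied, list):                 # some backends accept a list of tenants
        ok = bool(supplied) and all(t == expected for t in supplied)
    else:
        ok = supplied == expected                  # "*" and "" fail this comparison as well
    if not ok:
        return "block", {"code": SCOPE_ERROR, "message": f"{key} does not match token tenant"}
    return "allow", args


if __name__ == "__main__":
    claims = {"sub": "agent-7", "tenant": "acme"}  # constructed verified claims
    for a in ({"query": "q"}, {"query": "q", "tenant_filter": "*"}, {"query": "q", "tenant_filter": "globex"}):
        print(a, "->", enforce_tenant_scope("vector_search", a, claims))
```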
LLM09 Misinformation (partial mitigation). Escalate decision routes high-stakes outputs to a human approver before they execute. Doesn't validate model factuality.
LLM10 Unbounded Consumption (direct mitigation). Budget check. Per-token call/cost ceilings, per-tenant quotas, circuit-breaker behavior on exhaustion.
OWASP Top 10 for Agentic AI Applications. The newer framework, specific to agents that plan, call tools, and act in multi-step workflows. IntentGate is the operational substrate this framework presumes — eight of the ten risks map to direct IntentGate mechanisms.
ASI01 Agent Goal Hijack (direct mitigation). Intent check captures the user's original ask and compares it to the actual tool calls. Goal drift from injected upstream data is blocked at the gate.
ASI02 Tool Misuse and Exploitation (direct mitigation). Capability tokens allowlist tools per agent. Escalate routes sensitive tool calls to human approval with TOTP step-up. Audit chain monitors usage.
ASI03 Identity and Privilege Abuse (direct mitigation). Short-lived capability tokens, per-agent identity, RBAC in the Pro console, continuous identity monitoring via audit chain.
ASI04 Agentic Supply Chain Vulnerabilities (out of scope). Customer's responsibility to vet agent code and dependencies.
ASI05 Unexpected Code Execution (out of scope). IntentGate does not execute agent or model code.
ASI06 Memory and Context Poisoning (direct mitigation). Opt-in memory provenance (enable per tenant): each memory entry the agent writes is signed with HMAC-SHA256 keyed by a per-session key derived (HKDF) from the capability token. At tool-call time the gateway re-derives the session key, verifies the HMAC over each entry the agent declares, and walks the per-session hash chain. Tampered entries — including the sophisticated case where the attacker swaps argument values but keeps the signature — fail verification before the call reaches the toolserver.
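The memory-provenance scheme above, reconstructed as an added example (not IntentGate's code). The page states the primitives: HMAC-SHA256 per entry, a per-session key derived by HKDF from the capability token, and a per-session hash chain. Everything else here is an assumption for the example: the HKDF salt and info labels, the entry layout (`seq`, `prev`, `content`, `mac`), the JSON canonicalisation, and the constructed token bytes. `run_demo` builds a two-entry memory and replays the cases the gateway must catch, including the row's value-swap-with-kept-signature case and, going one step beyond the text, a truncated chain, which is only detectable if the gateway remembers the last head it saw for the session.

```python
import copy
import hashlib
import hmac
import json

# Added example, not IntentGate code. Token format, HKDF labels and entry layout are assumptions.

GENESIS = "0" * 64     # chain head before any entry exists


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(capability_token: bytes, session_id: str) -> bytes:
    """Agent and gateway both derive this from the token; the key itself is never transmitted."""
    return hkdf_sha256(capability_token, salt=b"memory-provenance-v1", info=session_id.encode())


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class MemoryWriter:
    """Agent side: MAC over (seq, prev, content); chain link is the hash of the complete entry."""

    def __init__(self, key: bytes):
        self.key, self.head, self.entries = key, GENESIS, []

    def append(self, content: dict) -> dict:
        body = {"seq": len(self.entries), "prev": self.head, "content": content}
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.head = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry


def verify_chain(key: bytes, entries: list, expected_head: str = None) -> tuple:
    """Gateway side: re-verify every declared entry and walk the chain. Returns (ok, reason)."""
    head = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != head:
            return False, f"entry {i}: chain break"
        body = {k: v for k, v in e.items() if k != "mac"}
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, str(e.get("mac", ""))):
            return False, f"entry {i}: bad MAC"
        head = hashlib.sha256(canonical(e)).hexdigest()
    # Dropping entries from the tail leaves a valid shorter chain; only a remembered head catches it.
    if expected_head is not None and head != expected_head:
        return False, "chain shorter than last recorded head"
    return True, "ok"


def run_demo() -> dict:
    """Build a two-entry memory, then replay the tampering cases the gateway must reject."""
    token = b"cap-token-demo-bytes"                 # constructed stand-in for a capability token
    key = session_key(token, "sess-1")
    w = MemoryWriter(key)
    w.append({"tool": "transfer", "args": {"amount": 10, "to": "acct-A"}})
    w.append({"tool": "note", "args": {"text": "done"}})
    swapped = copy.deepcopy(w.entries)
    swapped[0]["content"]["args"]["to"] = "acct-B"  # argument value swapped, signature kept
    return {
        "intact": verify_chain(key, w.entries, w.head),
        "swapped_value": verify_chain(key, swapped),
        "reordered": verify_chain(key, [w.entries[1], w.entries[0]]),
        "truncated": verify_chain(key, w.entries[:1], w.head),
        "wrong_token": verify_chain(session_key(b"other-token", "sess-1"), w.entries),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:14s} {result}")
```

Because the MAC covers `prev` as well as the content, an entry cannot be moved to another position in the chain even with a valid signature, and because the key is derived from the capability token, a memory written under one agent's token does not verify under another's.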
ASI07 Insecure Inter-Agent Communication (direct mitigation). Capability-token attenuation provides byte-compatible signing and intent across agents. Gateway forces TLS. Audit chain captures every inter-agent call with root and parent JTIs.
ASI08 Cascading Failures (direct mitigation). Per-tool fault isolation. Bulkhead semaphores cap concurrent forwards per tool so one slow tool can't starve the rest. Per-tool circuit breaker opens after N consecutive upstream failures; fails fast for the cooldown window, then probes via half-open. Independent state per tool — a breaker open on the billing tool doesn't affect the search tool. Combined with the budget check's per-token ceilings, this contains blast radius to a single failing dependency.
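An added example of the per-tool isolation described above (written for this page, not IntentGate's gateway code): one `ToolGuard` per tool combines a bounded semaphore (the bulkhead) with a closed/open/half-open breaker. The thresholds, the `billing`/`search` tool names, the fake upstream that fails twice and then recovers, and the `FakeClock` used to advance the cooldown deterministically are all constructed. `run_scenario` walks the sequence the row describes: consecutive failures open the breaker, calls fail fast during cooldown, a single half-open probe closes it again, and the search tool is untouched throughout.

```python
import threading
import time

# Added example, not IntentGate code: per-tool bulkhead + circuit breaker, one guard per tool.


class CircuitOpen(Exception):
    """Breaker is open, or a half-open probe is already in flight: fail fast, do not forward."""


class BulkheadFull(Exception):
    """Concurrency cap for this tool is already reached: shed load rather than queue behind it."""


class ToolGuard:
    def __init__(self, max_concurrent=4, failure_threshold=3, cooldown=30.0, clock=time.monotonic):
        self.sem = threading.BoundedSemaphore(max_concurrent)      # bulkhead
        self.threshold, self.cooldown, self.clock = failure_threshold, cooldown, clock
        self.state, self.failures, self.opened_at = "closed", 0, 0.0
        self.lock = threading.Lock()

    def _admit(self) -> bool:
        with self.lock:
            if self.state == "closed":
                return True
            if self.state == "open" and self.clock() - self.opened_at >= self.cooldown:
                self.state = "half_open"                             # exactly one probe goes through
                return True
            return False                                             # open in cooldown, or probe in flight

    def _record(self, ok: bool) -> None:
        with self.lock:
            if ok:
                self.state, self.failures = "closed", 0              # success resets the consecutive count
            else:
                self.failures += 1
                if self.state == "half_open" or self.failures >= self.threshold:
                    self.state, self.opened_at = "open", self.clock()

    def call(self, fn, *args, **kwargs):
        if not self._admit():
            raise CircuitOpen
        if not self.sem.acquire(blocking=False):
            raise BulkheadFull
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self._record(False)
            raise
        finally:
            self.sem.release()
        self._record(True)
        return result


class Gateway:
    """One guard per tool with independent state: an open billing breaker leaves search untouched."""

    def __init__(self, clock=time.monotonic, **guard_opts):
        self.clock, self.guard_opts, self.guards = clock, guard_opts, {}

    def forward(self, tool: str, fn, *args, **kwargs) -> tuple:
        guard = self.guards.setdefault(tool, ToolGuard(clock=self.clock, **self.guard_opts))
        try:
            return "ok", guard.call(fn, *args, **kwargs)
        except CircuitOpen:
            return "circuit_open", None
        except BulkheadFull:
            return "bulkhead_full", None
        except Exception:
            return "upstream_error", None


class FakeClock:
    """Deterministic clock so the cooldown can be advanced by hand in the scenario."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_scenario() -> dict:
    clock = FakeClock()
    gw = Gateway(clock=clock, max_concurrent=1, failure_threshold=2, cooldown=10.0)
    attempts = {"billing": 0}

    def billing_upstream():                                 # constructed: fails twice, then recovers
        attempts["billing"] += 1
        if attempts["billing"] <= 2:
            raise RuntimeError("503 from billing")
        return {"invoice": "inv_42"}

    trace = []
    for _ in range(3):
        trace.append(gw.forward("billing", billing_upstream)[0])   # error, error (opens), circuit_open
    trace.append(gw.forward("search", lambda: ["hit"])[0])         # separate breaker: ok
    clock.now += 10.0                                              # cooldown elapses
    trace.append(gw.forward("billing", billing_upstream)[0])       # half-open probe succeeds -> closed
    gw.guards["billing"].sem.acquire()                             # simulate one forward still in flight
    trace.append(gw.forward("billing", billing_upstream)[0])       # bulkhead of size 1 is full
    gw.guards["billing"].sem.release()
    return {"trace": trace, "billing_state": gw.guards["billing"].state,
            "billing_attempts": attempts["billing"]}


if __name__ == "__main__":
    print(run_scenario())
```

The upstream is only called three times in the scenario: the fail-fast call during cooldown and the bulkhead-rejected call never reach it, which is the point of both mechanisms.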
ASI09 Human-Agent Trust Exploitation (direct mitigation). Step-up authentication for sensitive actions. Approval workflows with TOTP/WebAuthn. Clear agent identity in audit chain so operators distinguish agent from human action.
ASI10 Rogue Agents (direct mitigation). Capability tokens ARE the registration. Revocation list deny-lists rogue agents at the gate. Audit chain is the continuous inventory. Per-agent anomaly detection via SIEM queries.
What IntentGate is not: a replacement for your AI security program. Outside its scope are SBOM hygiene, signed releases, vendor due diligence, model provenance, training-data validation; and sandbox tool execution, code review of agent orchestration, RCE prevention, dependency scanning.

What IntentGate is: the runtime authorization layer that answers, for every tool call: "given everything we know about the originating request and the agent's identity right now — should this be allowed?" Capability, intent, policy, budget. Tamper-evident audit. Step-up for high-risk actions. The five-check authorization pipeline between every agent call and every tool.
A CISO evaluating IntentGate isn't replacing their entire AI-security program. They're filling in the layer that handles runtime authorization, intent verification, and tamper-evident audit — usually the layer that's most conspicuously missing today.