Rationale
Why Agent Runtime Security Requires a Standard
This document explains the threat landscape, the gaps in current agent runtimes, and why AVP exists. For the technical specification, see the spec.
Security Gaps in Agent Runtimes
AI agents are powerful. They write code, deploy infrastructure, manage databases, make API calls, and operate autonomously across your development stack. Tools like Claude Code, Cursor, GitHub Copilot, LangChain, and CrewAI can access your AWS keys, database credentials, API tokens, crypto wallets, and payment integrations. Everything in your environment.
The power is real. But so is the exposure. When an agent inherits your full environment, every credential you have is one prompt injection away from exfiltration.
And there is currently no standard for controlling what an agent can see. No way to scope credential access. No audit trail. No revocation mechanism. If an agent is compromised, manipulated through prompt injection, or simply behaves unexpectedly, you have no defense and no record of what happened.
Known Attack Vectors
These are not theoretical risks. Researchers have demonstrated each of these attack vectors against real tools and real agent frameworks.
Tool poisoning attacks
Malicious MCP servers embed hidden instructions that trick agents into exfiltrating SSH keys and configuration files without user awareness. The agent believes it is following legitimate tool instructions, but the tool description contains adversarial prompts that redirect behavior.
Tool shadowing
Tool shadowing attacks hijack trusted tools to redirect emails and data to attacker-controlled endpoints. A malicious tool registers itself with a name similar to a legitimate tool, or manipulates tool resolution order to intercept calls meant for trusted services.
Silent data exfiltration
In one demonstration, a fake tool stole WhatsApp message history by silently rerouting messages while hiding the exfiltration off-screen. The user saw normal tool behavior while data was being copied to an external endpoint. These attacks have been proven against real tools like Cursor and popular MCP integrations.
Prompt injection via environment
When agents have unrestricted access to environment variables, a compromised or malicious variable value can contain instructions that alter agent behavior. Without scoping, every environment variable is a potential injection surface.
Three Critical Gaps
Three critical gaps exist in every AI agent deployment today.
No scoping
When you run an AI agent, it inherits your entire environment. There's no way to say "allow NODE_ENV but deny AWS_SECRET_KEY." It's all or nothing.
No visibility
You have no record of which credentials an agent accessed, when, or whether it was necessary. If a secret is exfiltrated, there's no audit trail to investigate.
No revocation
Once an agent starts, you can't revoke its access to specific credentials without killing the entire process. There's no session management or kill switch.
What AVP Defines
AVP is primarily an access control and permissions layer for AI agents. It specifies an encrypted vault for storing credentials at rest (AES-256-GCM), permission profiles for scoping access, an immutable audit trail, and session management with instant revocation.
Scoped access
Permission profiles define which credentials each agent can see: allow, deny, or redact per variable.
Full visibility
Every access decision is logged before enforcement. Immutable, append-only, queryable.
Instant revocation
Kill all active agent sessions in one command: SIGTERM is sent to the agent processes and their access is cut immediately.
Encrypted at rest
AES-256-GCM encryption with scrypt key derivation and per-file random salts.
Implementation Contexts
Depending on your role, AVP solves different problems.
For tool builders
Implement AVP once in your agent, IDE extension, or framework, and users get granular control over what secrets your tool can see. No proprietary permission systems needed. Just YAML profiles and a simple pattern-matching algorithm.
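As an added example (not code from the AVP project), here is the scoping step that the permission profiles above and the pattern-matching algorithm for tool builders describe, in Python: a profile with allow/deny/redact rules is matched against environment variable names using glob patterns, every decision is appended to an audit record before it is applied, and the agent receives only the resulting scoped environment. The dict stand-in for a YAML profile, first-match-wins rule ordering, default-deny, and the [REDACTED] placeholder are assumptions; the spec's actual profile schema is not given on this page.

```python
import fnmatch
import time

# Constructed stand-in for a YAML permission profile (assumed schema):
# rules are evaluated top to bottom, first match wins; unmatched
# variables fall through to `default`.
EXAMPLE_PROFILE = {
    "name": "ci-deploy-agent",
    "default": "deny",
    "rules": [
        {"pattern": "NODE_ENV", "action": "allow"},
        {"pattern": "AWS_SECRET_*", "action": "deny"},   # must precede AWS_*
        {"pattern": "AWS_*", "action": "allow"},
        {"pattern": "DATABASE_URL", "action": "redact"},
        {"pattern": "*_TOKEN", "action": "deny"},
    ],
}

REDACTED = "[REDACTED]"  # assumed placeholder shown to the agent for redacted vars


def decide(profile, name):
    """Return (action, matched_pattern) for one variable name."""
    for rule in profile["rules"]:
        if fnmatch.fnmatchcase(name, rule["pattern"]):
            return rule["action"], rule["pattern"]
    return profile["default"], None


def scope_environment(profile, env, agent_id, audit_log):
    """Build the environment an agent may see. Each decision is appended
    to audit_log before it is applied, so the record exists even if
    enforcement fails part-way through."""
    scoped = {}
    for name in sorted(env):
        action, pattern = decide(profile, name)
        audit_log.append({"ts": time.time(), "agent": agent_id,
                          "profile": profile["name"], "variable": name,
                          "action": action, "matched": pattern})
        if action == "allow":
            scoped[name] = env[name]
        elif action == "redact":
            scoped[name] = REDACTED
        # deny: the variable is omitted; the agent never learns it exists
    return scoped


if __name__ == "__main__":
    # Constructed sample environment with fake values.
    env = {"NODE_ENV": "production", "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
           "AWS_SECRET_KEY": "fake-secret", "DATABASE_URL": "postgres://x",
           "GITHUB_TOKEN": "fake-token", "HOME": "/home/ci"}
    log = []
    print(scope_environment(EXAMPLE_PROFILE, env, "agent-42", log))
    print(f"{len(log)} decisions logged")
```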
For platform & security teams
AVP gives you encrypted-at-rest credential storage, immutable audit trails, session TTLs, and an emergency kill switch. Every access decision is logged before enforcement. Deploy agents in CI/CD, staging, or production with a compliance-ready audit trail.
For end users
Your credentials are encrypted, agent access is scoped to what's necessary, and you can see exactly what was accessed and when. If something goes wrong, you have a full audit trail and can revoke all agent sessions instantly.
Relationship to Existing Secret Managers
Tools like HashiCorp Vault and AWS Secrets Manager answer "where do I store, rotate, and distribute secrets across services?"
AVP answers a different question: "when an AI agent runs, which credentials can it access, and how is every access decision recorded?"
They are complementary. You can use a centralized secret manager to store and rotate credentials, then use AVP to control which of those credentials an agent can see at runtime.