
AI Agent Security: A Field Manual

This book is 100% complete. Last updated on 2026-07-03.

Formats: PDF, EPUB, WEB, APP
About the Book

Your AI agent can read email, browse the web, call APIs, and execute code. So can anyone who successfully injects instructions into it. The difference between a chatbot failure and an agent failure is that an agent failure is an action.

AI Agent Security: A Field Manual is a working reference for engineers who build, deploy, or operate LLM-based agents. It is not a collection of scary anecdotes. It is a traceable system: every threat has an ID (TH), every threat maps to a control (CT), every control to a requirement (REQ), and every requirement to a verification test (VT). If you cannot trace a security claim to a test, the claim is decoration. This book is built so you never have to make decorated claims.
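The traceability rule in the paragraph above, as an added example that is not code from the book or its companion kit: a small register checker that reads TH -> CT -> REQ -> VT links and reports where the chain breaks in either direction (a requirement with no test is a decorated claim; a test nothing upstream asks for is dead weight). The one-link-per-line register format and every CT, REQ and VT identifier are constructed for illustration; only TH-01 through TH-10 appear in the book's contents, and the kit's real input format is not shown on this page.

```python
"""Traceability-chain gap check for a TH -> CT -> REQ -> VT register.

Added example; not the book's or the companion kit's code. The register
format (one "FROM -> TO" link per line, '#' comments) and all CT/REQ/VT
identifiers are hypothetical. TH numbers follow the book's taxonomy.
"""
from collections import defaultdict

# The chain the book enforces, in order. A link may only step one layer down.
ORDER = ["TH", "CT", "REQ", "VT"]


def kind(node_id):
    """'REQ-001' -> 'REQ'."""
    return node_id.split("-")[0]


def parse_register(text):
    """Parse 'TH-01 -> CT-03' lines into forward edges plus the node set.

    Raises ValueError on a link that skips a layer (e.g. TH -> REQ), because
    such a link hides the missing control rather than documenting it.
    """
    edges = defaultdict(set)
    nodes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst = (part.strip() for part in line.split("->"))
        if ORDER.index(kind(dst)) != ORDER.index(kind(src)) + 1:
            raise ValueError(f"link skips a layer: {line}")
        edges[src].add(dst)
        nodes.update((src, dst))
    return edges, nodes


def find_gaps(edges, nodes):
    """Return (dead_ends, orphans), both sorted.

    dead_ends: a TH, CT or REQ with nothing downstream (a claim with no test).
    orphans:   a CT, REQ or VT nothing upstream points to (a test for no claim).
    """
    upstream = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            upstream[dst].add(src)
    dead_ends = sorted(n for n in nodes if kind(n) != "VT" and not edges.get(n))
    orphans = sorted(n for n in nodes if kind(n) != "TH" and not upstream.get(n))
    return dead_ends, orphans


def trace(edges, threat):
    """Every complete TH -> CT -> REQ -> VT path from one threat.

    Partial paths are dropped on purpose: they are exactly what find_gaps
    reports, and a half-traced claim must not be presented as assurance.
    """
    paths = []

    def walk(node, path):
        if kind(node) == "VT":
            paths.append(path)
            return
        for nxt in sorted(edges.get(node, ())):
            walk(nxt, path + [nxt])

    walk(threat, [threat])
    return paths


# Constructed sample register (hypothetical CT/REQ/VT identifiers).
SAMPLE_REGISTER = """
TH-01 -> CT-01
CT-01 -> REQ-001
REQ-001 -> VT-001
CT-01 -> REQ-002      # requirement with no verification test: decoration
TH-05 -> CT-04
CT-04 -> REQ-010
REQ-010 -> VT-010
REQ-011 -> VT-011     # a test exists, but no control asks for this requirement
TH-07 -> CT-09        # control with no requirement behind it
"""

if __name__ == "__main__":
    edges, nodes = parse_register(SAMPLE_REGISTER)
    dead, orphans = find_gaps(edges, nodes)
    print("dead ends:", dead)      # ['CT-09', 'REQ-002']
    print("orphans:  ", orphans)   # ['REQ-011']
    for path in trace(edges, "TH-01"):
        print(" -> ".join(path))   # TH-01 -> CT-01 -> REQ-001 -> VT-001
```

Run it and a non-empty dead-end list is the condition the paragraph above calls "decoration"; gating a pipeline on `not dead_ends` is the cheapest possible version of the discipline the book describes, and it works on any register you keep in that shape.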

Inside: prompt injection and untrusted-content handling, agent identity and short-lived credentials, egress allowlists and sandboxed execution, MCP supply-chain pinning and rug-pull detection, Enterprise-Managed Authorization (EMA), memory provenance, and logging you can actually reconstruct an incident from. Plus configuration checklists you can apply this week.

The book is free, and it stays current. Agent security shifts monthly — new tool protocols, new injection classes, new platform controls. Each revision is logged in the Changelog & Errata chapter, and Leanpub notifies you when an update ships. Treat it less like a book and more like a subscription to a threat model.

One thing this manual deliberately does not do: run the tests for you. That job belongs to the companion AI-Agent Security Verification Kit, a CLI that executes the checks against your agent configuration and emits signed, RFC 3161-timestamped evidence you can gate CI on or hand to an auditor. The manual explains the threats; the kit executes the tests and produces the evidence. Explanation is free. Execution and defensible evidence are paid:

https://0xshugo.gumroad.com/l/AI-Agent

Licensed CC BY-NC-ND 4.0. Read it, apply it, argue with it.


License

Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License


Table of Contents

AI Agent Security: A Field Manual

  1. Threats, Controls, and Verifiable Assurance for Autonomous Systems

Preface

  1. Who this is for
  2. How to read this book
  3. A note on scope and honesty

The Agent Security Problem

  1. What changes when a model can act
  2. Why existing security models are necessary but not sufficient
  3. The four attacker assumptions
  4. The chain this book enforces
  5. What “good” looks like

The Threat Taxonomy

  1. Why a taxonomy, and how to use it
  2. The ten threat classes
  3. Reading the taxonomy as a system

The Control Taxonomy

  1. From threats to a catalogue of moves
  2. The four hardening surfaces
  3. The fifteen control areas
  4. Four principles that make the catalogue hold together

Identity and Authority

  1. The question the log has to answer
  2. Agent identity is distinct from human identity
  3. Workload identity, short-lived and scoped
  4. Delegated authority must be scoped, time-bound, and auditable
  5. The delegate never holds scope greater than or equal to its parent
  6. Correlation IDs across the delegation chain
  7. What this buys you, and what comes next

Tool and Action Safety

  1. Where a paragraph becomes a consequence
  2. The tool registry and allowlist
  3. Scope minimization and input validation
  4. Sandboxing and execution isolation
  5. Approval gates that check authority, not intent
  6. MCP: the supply chain the agent trusts implicitly
  7. EMA and the MCP Gateway pattern
  8. An MCP and EMA configuration checklist

Untrusted Content, RAG, and Memory

  1. The channel with no boundary
  2. Provenance, trust metadata, and TTL
  3. RAG poisoning: trusted by design, and that is the problem
  4. Memory writes are privileged and reversible
  5. Rollback as a first-class capability
  6. Putting the three together

Monitoring, Evaluation, and Incident Response

  1. What only exists once the agent is live
  2. Logging that can reconstruct the episode
  3. Monitoring and feed integration
  4. Evaluation as standing regression
  5. Rollback exercises
  6. Incident response for agents
  7. The abuse path: when the agent is the weapon

Runtime Security Posture

  1. The gap between knowing and fixing
  2. A dual-loop design
  3. The posture state machine
  4. Trigger classes and their SLAs
  5. The kill switch and granular revocation
  6. Policy version binding, the signal queue, and reconciliation

The Requirement Specification

  1. Why controls have to become requirements
  2. RFC 2119, used honestly
  3. Scope
  4. Identity and delegation (TH-05, TH-06)
  5. Tool and action safety (TH-02, TH-07)
  6. Untrusted content, RAG, and memory (TH-01, TH-03, TH-04)
  7. Monitoring, evaluation, and incident response (general; TH-09, TH-10 abuse)
  8. Runtime security posture (general)
  9. Governance and compliance (general)
  10. How to read the tables as a whole

Verification and Testing

  1. Turning SHALL into pass or fail
  2. Four verification methods
  3. Requirement-to-test mapping
  4. Operational rules
  5. Regression, not a gate
  6. The companion kit and the signed artifact

Governance and Compliance

  1. The accountability the technical controls assume
  2. The governance record
  3. Roles and responsibilities
  4. Risk assessment and review records
  5. High-risk determination and human oversight
  6. Governance as living artifacts

About the Companion Kit

Appendix A — Cross-Reference Tables

  1. The master traceability table (TH → CT → REQ → VT)
  2. Requirement-to-threat index (REQ → TH)
  3. Control-to-chapter index (CT → where it is treated)

Appendix B — Source Register

  1. Primary sources
  2. Secondary signals
  3. A note on coverage and gaps

Changelog & Errata

  1. Revision history
  2. Errata process
  3. Known items carried forward
