Microsoft Agent Control Specification
Open-source agent control spec / governance toolkitMicrosoft's open-source spec defines deterministic allow/deny policy for AI agents at five lifecycle checkpoints, with mandatory logging, human-approval hooks, and regulatory mapping. Prove7 enforces at the same points natively.
| Agent Control Specification | Prove7 control |
|---|---|
| Deterministic allow / deny | Default-deny policy engine; every action is permitted only by an explicit, evaluated rule |
| Checkpoint 1 — Input | Agent-entry gate: identity + intent + RBAC verified before anything runs |
| Checkpoint 2 — LLM / model | Inference gate: prompt/data-protection guards and policy on the model call |
| Checkpoint 3 — State | State/memory governance with provenance and change auditing |
| Checkpoint 4 — Tool execution | Connector/tool-out gate: per-tool entitlements, default-deny on unapproved tools |
| Checkpoint 5 — Output | Output gate: policy + classification checks before results leave the boundary |
| Human approval for designated actions | Approval gates with assignee, deadline, and escalation |
| Mandatory decision logging | Hash-chained, tamper-evident audit of every decision |
| Signed plugin / marketplace supply chain | Signed skills & plugins with registration + trust-tiered promotion gating |
| Regulatory mapping (EU AI Act, HIPAA, SOC 2) | One control plane that maps the same evidence across frameworks |
OWASP Top 10 for Agentic Applications
OWASP GenAI Security Project · Dec 2025The agent threat model the industry is standardizing on. Prove7's Seven Gates and Governed Execution Layer are built to close each risk.
| OWASP agentic risk | Prove7 mitigation |
|---|---|
| 1. Agent Goal Hijack | Intent attribution binds each agent to an approved purpose; drift from intent is detected and gated |
| 2. Identity & Privilege Abuse | Cryptographic agent identity + RBAC scoped per org/tenant/instance; least-privilege enforced |
| 3. Unexpected Code / Tool Execution | Default-deny tool-out gate; only registered, entitled connectors run |
| 4. Insecure Inter-Agent Communication | Federated identity + governed, tenant-scoped agent-to-agent calls |
| 5. Human–Agent Trust Exploitation | Human-in-the-loop approval gates; live trust surfaced; no silent escalation |
| 6. Tool Misuse & Exploitation | Per-tool entitlements, rate limits, and enforcement at the connector boundary |
| 7. Agentic Supply-Chain Vulnerabilities | Signed skills/plugins, registration + promotion gates, provenance |
| 8. Memory & Context Poisoning | Input data-protection guards; provenance on context; audited state changes |
| 9. Cascading Failures | Kill switch + circuit-breaking; trust-weighted enforcement halts propagation |
| 10. Rogue Agents | Continuous trust scoring + revoke/kill switch; default-deny for unregistered or regressed agents |
NIST AI Risk Management Framework
AI RMF 1.0 (AI 100-1) + Generative AI ProfileThe U.S. voluntary standard, organized around four functions. Prove7 runs all four as a continuous runtime loop rather than a periodic review.
| NIST AI RMF | Prove7 control |
|---|---|
| Govern — policies & processes | Policy-as-code with governed promotion (Build → Decide → Act) |
| Govern — accountability & roles | RBAC (platform/super/org admins), ownership, segregation of duties, kill switch |
| Govern — third-party & supply chain | Signed skills/plugins, registration & trust-gated promotion |
| Map — context & system boundaries | Discovery of agents, workflows, and tools across runtimes and clouds |
| Map — intended use & identity | Cryptographic identity + intent attribution to approved templates |
| Measure — assess & evaluate risk | Agent Trust Score™, eval suites, conformance baselining |
| Measure — track over time | Continuous drift detection and live trust telemetry |
| Manage — prioritize & treat risk | Runtime enforcement: allow, throttle, gate, or kill |
| Manage — monitor & respond | Tamper-evident audit, remediation, and phase regression |
| Generative AI Profile risk categories | Mapped to enforced, live runtime controls |
EU AI Act
Regulation (EU) 2024/1689 — high-risk requirementsFor higher-risk AI, the Act sets requirements across the lifecycle. Prove7 enforces the controls and emits the records those obligations call for. (References are illustrative; confirm scope with counsel.)
| EU AI Act obligation | Prove7 control |
|---|---|
| Risk-management system (Art. 9) | Continuous, per-agent runtime risk management via trust scoring + enforcement |
| Record-keeping / logging (Art. 12) | Tamper-evident, hash-chained audit of every decision and gate |
| Transparency & information (Art. 13) | End-to-end provenance and decision lineage |
| Human oversight (Art. 14) | Approval gates and kill switch enforced before/over agent action |
| Accuracy, robustness & cybersecurity (Art. 15) | Conformance baselining, OWASP agentic coverage, default-deny gates |
| Deployer monitoring / post-market | Continuous trust scoring + live drift detection in production |
| GPAI transparency & documentation | Agent/model documentation captured and attested in the trust record |
Deloitte Trustworthy AI™
Six-dimension frameworkDeloitte's framework defines six dimensions of trust applied across the AI lifecycle. Prove7 turns each into a measured, enforced control.
| Deloitte Trustworthy AI | Prove7 control |
|---|---|
| Governance across the lifecycle | Runtime governance engine spanning Build → Decide → Act → Audit |
| Continuous monitoring | Continuous enforcement — gates and trust-derived actions, not just alerts |
| Fair & impartial | Output policy checks and bias/quality monitoring |
| Robust & reliable | Eval gates and conformance baselining before promotion |
| Transparent & explainable | Five-layer decision lineage for every action |
| Safe & secure | Default-deny gates, OWASP coverage, kill switch |
| Respectful of privacy | Data classification and data-protection guards at the boundary |
| Responsible & accountable | Identity, RBAC, ownership, and an immutable audit trail |
| Governance policies | Agent-executable policies — written once, enforced on every action |
| Compliance reporting | Real-time compliance decisions at runtime, not retrospective reports |
| Human review | Autonomous policy mediation, with human approval gates where required |
| Evidence collection | Cryptographic provenance + attestations on every decision |
EY Responsible AI
Responsible AI principles · monitoring · EY.ai Confidence IndexEY pairs nine Responsible AI principles with continuous monitoring and a lifecycle Confidence Index. Prove7 makes monitoring enforceable.
| EY Responsible AI | Prove7 control |
|---|---|
| Responsible AI | Continuous Agent Trust measurement — trust quantified per agent, per call |
| AI lifecycle governance | 7-Proves runtime governance across Build → Decide → Act → Audit |
| Continuous monitoring | Continuous policy enforcement — gates, not just alerts |
| Risk assessment | Live Trust computation driving automated decisions |
| AI inventory | Agent identity & provenance — cryptographic, discovered, and tracked |
| Governance framework | Trust execution fabric in the path of every action |
| Compliance reporting | Real-time, inline compliance decisions — not retrospective reports |
| Human oversight / HITL | Autonomous policy mediation, with human approval gates where required |
| Audit evidence | Cryptographic attestations & provenance on every decision |
| AI governance | Agentic system governance — purpose-built for autonomous agents |
Attribution. NIST AI Risk Management Framework (AI RMF 1.0) and the Generative AI Profile are publications of the U.S. National Institute of Standards and Technology. The EU AI Act (Regulation (EU) 2024/1689) is legislation of the European Union. Trustworthy AI™ is a framework of Deloitte. Responsible AI and the EY.ai Confidence Index are frameworks of Ernst & Young (EY). The Agent Control Specification and Agent Governance Toolkit are open-source projects of Microsoft. The OWASP Top 10 for Agentic Applications is a project of the OWASP GenAI Security Project. All names, marks, and frameworks are the property of their respective owners. The mappings on this page indicate framework alignment and interoperability only — they do not imply review, certification, sponsorship, or endorsement of Prove7 by any of these organizations, and are not legal or compliance advice.