Indirect prompt injection
A malicious document parsed by the agent contains hidden instructions that hijack it from its task.
Zero Standing Privilege, Just-In-Time access, reverse offensive audit, 'data stays client-side' doctrine. The Access agentic security framework — for banking, insurance, healthcare, public sector, and all regulated contexts.
An agent swarm reading your mailbox, parsing your files, writing to your ERP, and running code in your cloud — that is a new actor in your security perimeter. Four classes of risks specific to agentic systems emerge and require a dedicated framework.
The agent exfiltrates sensitive data through logs, file names, variable names, or message length.
The agent alters a critical file without triggering alerts if classical controls aren't adapted.
The agent, by bug or maliciously, hides its own traces in logs.
Principle: No agent has permanent rights on your systems. No persistent credentials, no long-lived API keys, no service account shared between agents.
Benefit: Eliminates the entire class of risks tied to compromised credentials — the attacker finds no reusable token to steal.
Principle: Concrete mechanism enforcing ZSP. The access key lives only as long as strictly necessary for the operation, then self-destructs.
Benefit: An attacker intercepting a key has minutes at most, not days.
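The ZSP and JIT principles above, as an added illustration that is not the Access framework's own code: a minimal credential broker mints a grant scoped to one agent and one operation, with a short TTL and single use, so an intercepted grant is worth minutes at most and cannot be replayed. Agent and operation names are constructed sample values.

```python
# Added example (not the Access framework's own code): a minimal Just-In-Time
# credential broker illustrating Zero Standing Privilege. A grant is scoped to
# one agent and one operation, expires after a short TTL, and is consumed on
# first use, so an intercepted grant is worth minutes at most and only once.
import base64
import hashlib
import hmac
import json
import secrets
import time

BROKER_KEY = secrets.token_bytes(32)  # constructed: held by the broker only, never handed to agents
_consumed = set()                      # nonces of grants already spent


def issue_grant(agent, operation, ttl_seconds=300, now=None):
    """Mint a signed, single-operation grant that expires after ttl_seconds."""
    now = time.time() if now is None else now
    claims = {"agent": agent, "op": operation,
              "nonce": secrets.token_hex(8), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def redeem_grant(token, operation, now=None):
    """Validate and consume a grant. Returns (ok, reason) so every refusal is auditable."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now > claims["exp"]:
        return False, "expired"
    if claims["op"] != operation:
        return False, "scope mismatch"
    if claims["nonce"] in _consumed:
        return False, "already used"
    _consumed.add(claims["nonce"])          # self-destruct: the grant cannot be replayed
    return True, f"granted to {claims['agent']}"


if __name__ == "__main__":
    t = issue_grant("aml-scanner-1", "core_banking:read_tx", ttl_seconds=300)
    print(redeem_grant(t, "core_banking:read_tx"))   # (True, 'granted to aml-scanner-1')
    print(redeem_grant(t, "core_banking:read_tx"))   # (False, 'already used')
```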
Principle: Attacking agents continuously probe the perimeter of defensive agents. Inverts the classical one-shot pentest logic into a permanent and large-scale mode.
Benefit: Zero-day vulnerabilities are detected before exploitation.
Principle: Zero context mixing across clients or entities. Even if the same swarm serves multiple subsidiaries, each session is logically and auditably isolated.
Benefit: Demonstrable to DPO, CISO, external auditor. Non-negotiable prerequisite for banking / insurance / healthcare.
Doctrine shared with our ServiceNow ITSM nearshore offering — it applies fully to agentic systems: the architecture adapts to the data sensitivity level, not the other way around.
Public cloud LLM (Claude API, GPT API, Mistral La Plateforme), nearshore Tunis.
Public cloud LLM with GDPR-compliant DPA, Vivantro France swarm hosting.
Sovereign LLM (Mistral on-premise or open-weight models) + Confidential Computing + sovereign hosting.
Open-weight LLM deployed on the client's premises + zero network egress.
European Union — standard DPA, processing register, data subject rights integrated by design.
Saudi Arabia — regional hosting, framed transfers, explicit consent.
United States — healthcare. On specific configuration with appropriate hosting and BAA.
Payment — systematic PAN tokenization before agent ingestion.
Quebec — local GDPR equivalent.
European Union — 24h incident notification, cyber risk management, regular audits.
European Union — high-risk AI system classification, register, documentation, human supervision.
Note: Access does not claim certification on these frameworks — we operate in applicative compliance. Organization certifications (ISO 27001, HDS, etc.) must be completed by your CISO or auditor.
3-agent swarm scanning transactions 24/7 for AML patterns. ZSP on core banking access. JIT per analyzed transaction. Reverse offensive audit to validate robustness against adversarial attacks.
Swarm pre-processing claim files: PDF extraction, normalization, contract cross-checking. Client data isolated per tenant. Auditable multi-tenancy isolation for ACPR demonstration.
Multi-specialty appointment coordination swarm. On-premise sovereign LLM, zero patient data leaving. HDS hosting compliance upstream, agent applicative compliance downstream.
Administrative case-processing swarm. Strict per-case isolation, full audit trail for the control authority, selective supervision by a human case officer on contested cases.
Yes. Persistent state (conversational memory, vector store, audit trail) is stored separately from access permissions. The agent recovers its state at session start, but without permanent privilege on downstream systems.
Yes, marginally (5-20 % typically depending on load). For cases where latency trumps radical confidentiality (e.g. a public conversational swarm), we recommend a standard architecture. For sensitive cases, the latency cost is acceptable.
Selective supervision puts the human in validation of critical decisions. For routine decisions executed autonomously, responsibility is contractually framed: business guardrails signed by the client, observed-behavior register, remediation plan. Every contestable decision is tracked and reviewed.
Mandatory quarterly recertification policy: at every major update of a used LLM, the swarm is revalidated on the reference test set. If the agreement rate drops, the swarm falls back to degraded mode (humans only) until corrected.
Pre-wired degraded mode architecture. Automatic switch to a secondary LLM (the vendor-neutral design allows this), or fallback to humans only if no compatible LLM is available. SLA defined with the client at E1 Intake.
Yes. Every agent → LLM prompt is logged with signed timestamp, origin context, session ID, and hash of received output. Full audit exportable in standard SIEM format.
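The logging described above, as an added illustration that is not the Access framework's own code: each agent → LLM record carries the timestamp, session ID, origin context and the SHA-256 of the received output, is chained to the previous record and signed with a key the agents never hold, so an agent that edits or deletes its own traces (the fourth risk class above) is caught at verification time. Session IDs, origins and timestamps are constructed sample values.

```python
# Added example (not the Access framework's own code): a tamper-evident audit
# trail for agent -> LLM calls. Each record carries the timestamp, session ID,
# origin context and the SHA-256 of the received output, is chained to the
# previous record and signed with a key the agents never hold, so an agent that
# edits or deletes its own traces is detected at verification time.
import hashlib
import hmac
import json
import secrets

LOG_KEY = secrets.token_bytes(32)  # constructed: held by the log service, not by any agent
GENESIS = "0" * 64                  # chain anchor for the first record


def _sign(record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()


def append_record(log, session_id, origin, prompt, output, ts):
    """Append one signed, chained record for a prompt sent to the LLM."""
    record = {
        "ts": ts,                       # the timestamp is inside the signed body
        "session_id": session_id,
        "origin": origin,               # e.g. which agent / which parsed document
        "prompt": prompt,
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "prev": log[-1]["sig"] if log else GENESIS,
    }
    record["sig"] = _sign(record)
    log.append(record)
    return record


def verify_log(log):
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, record in enumerate(log):
        unsigned = {k: v for k, v in record.items() if k != "sig"}
        if record.get("prev") != prev or not hmac.compare_digest(record.get("sig", ""), _sign(unsigned)):
            return False, i
        prev = record["sig"]
    return True, -1


if __name__ == "__main__":
    trail = []
    append_record(trail, "sess-01", "mailbox-reader", "summarize invoice", "out-a", "2024-01-01T00:00:00Z")
    append_record(trail, "sess-01", "erp-writer", "post invoice", "out-b", "2024-01-01T00:00:01Z")
    print(verify_log(trail))            # (True, -1)
    trail[0]["prompt"] = "nothing happened"
    print(verify_log(trail))            # (False, 0)
```

Exporting the records as JSON lines gives a SIEM the same fields, and re-running verify_log on the export detects any edit or deletion made after the fact.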
No, by design. Offensive audit runs in an isolated sandbox environment isomorphic to production, never on production directly. Identified patches are proposed to the client CISO for controlled application.
Mandatory quarterly (4 times per year minimum). Additional event-driven recertification on: major LLM update used, impacting regulatory change, material security incident.
3 weeks of scoping with your CISO to assess your organization's agentic security maturity and define the industrialization plan.