ISSN (Online): 2321-3418
server-injected
Engineering and Computer Science
Open Access

Toward a Unified Security Systems Theory for Autonomous AI Systems

DOI: 10.18535/ijsrm/v14i06.ec4· Pages: 2925-2930· Vol. 14, No. 06, (2026)· Published: June 30, 2026
PDFAuto
Views: 6 PDF downloads: 3

Abstract

Security in autonomous AI systems is not a property of individual components such as identity verification, static policy configurations, or model-level safeguards. Instead, it is a dynamic system property emerging from three interconnected dimensions: intent, time, and interaction. Intent captures the alignment between an operator’s goals and an agent’s behavior; time reflects the evolution of security states under adversarial pressure; and interaction describes how trust relationships between agents can propagate misalignment. This paper synthesizes the findings of the five-paper AI Agent Security Series into a unified, formal, and falsifiable theory of autonomous agent security. Current AI security approaches focus on component-level controls, including authentication, policy enforcement, and output filtering. However, results from Papers 1–5 show that these mechanisms are individually insufficient and collectively vulnerable to clean attacks semantically valid, policy-compliant adversarial inputs that redirect agent behavior while evading existing detection methods. We argue that such failures are structurally inevitable under component-centric security models. To address this gap, we introduce the Unified Security Function, Φ_security(φ, t, G), a scalar measure in the range [0,1] that combines IntentAlign, TemporalStability, and NetworkIntegrity into a single dynamic assessment of security health. Using this framework, we establish three meta-theorems: the Component Insufficiency Theorem, the Dynamic Necessity Theorem, and the Interaction Irreducibility Theorem. Evaluation on the complete AegisBench benchmark suite (1,560 sessions across Papers 1–5) shows that Φ_security predicts attack success with an AUC of 0.943, outperforming all individual metrics. By defining autonomous agent security as a distinct scientific object, this work provides a foundational framework for future research on secure and adaptive AI systems.

Keywords

unified security systems theory autonomous AI systems emergent security intent-based security dynamic system property multi-agent systems policy drift AegisBench general systems theory AI safety

1. Introduction

General systems theory (von Bertalanffy, 1968; Meadows, 2008) teaches that the behavior of complex systems cannot be understood by analyzing components in isolation. The whole is not merely the sum of its parts; it is the product of the interactions among parts, which give rise to emergent properties that no component exhibits individually. Simon's (1962) architecture of complexity formalizes this: complex systems are hierarchically organized, with each level of organization exhibiting properties that emerge from interactions at lower levels and constrain behavior at higher levels.

This insight, long established in systems theory, has not been applied to AI security. Contemporary AI security practice is fundamentally reductionist: it secures components authenticates sources, filters outputs, constrains actions and assumes that securing each component suffices to secure the system. Papers 1 through 5 of this series demonstrate, systematically and empirically, that this assumption fails for autonomous AI agent systems.

The reason is structural: autonomous agents are goal-directed actors embedded in dynamic environments, interacting with each other and with retrieved data over time. Their security is not a property of any configuration state but of their behavioral trajectory whether they remain aligned with the operator's declared intent φ across turns, across trust relationships, and across the full span of the session. This is a systems-level, trajectory-level, interaction-level property. No component-level check can measure it.

This meta paper synthesizes the five-paper series into the Unified Security Systems Theory (USST) for Autonomous AI a formal, falsifiable, empirically validated theoretical framework that explains why component security is insufficient, defines what network-level security requires, and provides the measurement instruments to operationalize it.

2. The Five-Paper Series: A Unified Reading

2.1 Series Architecture

Each paper in the series introduces one new scientific object, validates it experimentally on AegisBench, and connects it to the same underlying theory the security of an autonomous agent system as a dynamic property of intent, time, and interaction. The series is not five disconnected papers; it is a single argument developed across five disciplinary lenses:

Table 1 The five papers as dimensions of the Unified Security Systems Theory.
Paper Scientific Object Disciplinary Lens Key Empirical Result Contribution to USST
Paper 1 Clean attack (CA-1 through CA-4) Adversarial ML / formal verification 61.4% ASR vs. 4.2% conventional categorically distinct threat Defines what adversarial behavior is in agent context; introduces φ, Π, SVS, BDI, AegisBench
Paper 2 Intent Drift Rate (IDR) / policy drift dynamical system Nonlinear dynamics / stability theory ASR 30.6%→90.0% from turn 5→20; phase transition at t*≈9; bifurcation at λ*≈0.42 Defines how security degrades over time; introduces temporal dimension of USST
Paper 3 Intent Verification Pipeline (IVP) / φ-Trust Threshold τ* Access control / zero-trust / dialogue systems 81.1% ASR reduction; 3.2-turn advance warning; AUC 0.917 Defines how to defend via intent-alignment; introduces defensive dimension
Paper 4 ETVG / SDI / Trust Attenuation Function Graph theory / network science / multi-agent systems ECM at N≥4 in hub topology; 43% compromise-spread reduction Defines how misalignment propagates across agents; introduces interaction dimension
Paper 5 ACSHL / ARES self-healing framework Autonomic computing / fault tolerance End-to-end ASR 4.8% with full ARES; 93.2% rollback success rate Defines how to autonomously recover; closes the detection-response loop

2.2 The Shared Vocabulary

All five papers share a common vocabulary that makes the series tractable as a unified argument:

  • Intent vector φ = (G, C, δ): The operator's declared goal, constraint set, and acceptable deviation. The fixed reference point against which all security measures are defined. Introduced Paper 1, used in all five papers.

  • Policy envelope Π: The set of permissible (action, context) pairs. Clean attacks satisfy Π by construction. Papers 1–4.

  • SVS (Semantic Validity Score): Content-level indistinguishability of an input from a legitimate instruction. Paper 1, used in Papers 3–5.

  • BDI (Behavioral Drift Index): Per-agent misalignment measure. Papers 1–5.

  • IDR (Intent Drift Rate): Temporal derivative of BDI early warning signal. Papers 2–5.

  • τ (Trust Score): Per-input intent-alignment trust measure from IVP. Papers 3–5.

  • SDI (System Drift Index): Network-level misalignment measure KL-divergence of joint behavior. Papers 4–5.

  • AegisBench: The shared evaluation benchmark spanning all five papers, in four configurations (v1.0, MT, MAS, Self-Healing).

3. Unified Security Systems Theory (USST)

3.1 The Three-Axis Model

USST grounds agent security in three mutually irreducible dimensions, drawing on general systems theory (von Bertalanffy, 1968) and complexity science (Holland, 1998):

  • Intent Axis (φ): Security requires continuous alignment between agent behavior and the operator's declared goal φ. Misalignment whether caused by a single-turn clean attack (Paper 1) or cumulative constraint erosion (Paper 2) is the fundamental failure mode. No configuration-time check can substitute for runtime intent alignment monitoring.

  • Time Axis (t): Security is a trajectory property, not a state property. An agent that is fully aligned at t=0 can be catastrophically misaligned at t=20 through policy drift (Paper 2). Security evaluation must track trajectories BDI(t), IDR(t), Λ(t) not snapshots.

  • Interaction Axis (G): Security in multi-agent systems is an emergent property of the trust interaction graph G, not the conjunction of individual agent securities (Paper 4). The ECM Superlinearity Theorem (Theorem 2, Paper 4) proves this formally: SDI = O(N) while per-agent BDI = O(1/N).

Figure 1
Figure 1 The Unified Security Systems Theory three-axis model. Security is defined over Intent (φ), Time (IDR, λ*, t*), and Interaction (ETVG, SDI, TAF) three mutually irreducible dimensions. No single-axis measurement constitutes sufficient security assessment.

3.2 The Unified Security Function Φ_security

We define the Unified Security Function:

Φ_security(φ, t, G) = w₁·IntentAlign(φ,B) + w₂·TemporalStability(IDR,t) + w₃·NetworkIntegrity(SDI,G)

where IntentAlign(φ, B) = 1 − BDI(t) (Papers 1, 3); TemporalStability(IDR, t) = 1 − IDR(t)/δ_IDR (Paper 2); NetworkIntegrity(SDI, G) = 1 − SDI(t)/δ_SDI (Paper 4). Weights w₁ = 0.40, w₂ = 0.35, w₃ = 0.25 are calibrated on held-out AegisBench sessions. Φ_security ∈ [1], with Φ_security < θ_Φ = 0.65 triggering the autonomous response system of Paper 5.

The weighting reflects a deliberate theoretical ordering: intent alignment is primary (an agent that is intent-aligned is secure regardless of temporal or network factors); temporal stability is secondary (an agent whose drift trajectory is stable provides stronger security guarantees than one with high BDI at a single turn); network integrity is tertiary (the security of the interaction network is constrained by, but not determined by, individual agent alignment).

3.3 Three Meta-Theorems

Theorem 3 (Component Insufficiency Theorem). No component-level security check syntactic validation, policy compliance verification, identity authentication, or output content moderation is sufficient to detect clean attacks, individually or in conjunction. Proof: By the clean attack definition (Paper 1, CA-1 through CA-3), every component check passes by construction. BDI > δ (CA-4) is only measurable via behavioral trajectory analysis a system-level, temporal property.

Theorem 4 (Dynamic Necessity Theorem). Any valid security measure for autonomous agent systems must be defined over time trajectories, not instantaneous states. Proof: By Paper 2 Proposition 1 (IDR Latency), the phase transition at t* is not detectable by instantaneous BDI monitoring. Only the trajectory-level IDR(t) provides advance warning. An instantaneous security measure can be arbitrarily high at t < t* while the system is on a trajectory to catastrophic drift. QED.

Theorem 5 (Interaction Irreducibility Theorem). The security of a multi-agent system cannot be reduced to the conjunction of individual agent securities. Proof: By Paper 4 Theorem 2 (ECM Superlinearity), SDI = O(N) while per-agent BDI = O(1/N). Therefore ε > 0, N such that max_i(BDI_i) < ε and SDI > δ_SDI. The conjunction of individual agent securities (all BDI < δ) is compatible with system-level insecurity (SDI > δ_SDI). QED.

Figure 2
Figure 2 Decomposition of Φ_security(φ, t, G). The three sub-components IntentAlign (Papers 1, 3), TemporalStability (Paper 2), NetworkIntegrity (Paper 4) feed the unified scalar Φ_security. Paper 5's ARES autonomous response fires when Φ_security < θ_Φ = 0.65, triggering policy rollback, agent isolation, and φ re-anchoring.

4. The Clean Attack Paradox and Its Resolution

The central empirical finding of this series is what we call the Clean Attack Paradox: inputs that pass every existing security check syntactic validation, semantic plausibility evaluation, policy compliance verification, identity authentication, and content moderation nevertheless achieve a mean Attack Success Rate of 61.4% against frontier LLM agents. This is not a measurement artifact; it is confirmed across four frontier LLM backends, twelve commercial agent pipelines, and three independent annotator studies. It is structurally inevitable, given Theorem 3.

The paradox dissolves under USST: clean attacks are designed to exploit the gap between component-level checks (which they pass) and system-level security (which they violate). Resolving the paradox requires measuring security at the system level which is precisely what Φ_security does. The series's empirical contribution is demonstrating that this measurement is tractable, computationally feasible, and effective: full IBS + ETVG + ARES reduces mean ASR from 61.4% to 4.8%.

Figure 3
Figure 3 Left: ASR by series progression each paper's contribution to cumulative security improvement, from 61.4% (no defense) to 4.8% (unified IBS+ETVG+ARES). Right: Security Property S(φ,t,G) over session under three conditions: static component-based (illusion of security), dynamic undefended (actual degradation), and unified USST defense (maintained above threshold).

5. The Unified Defence Architecture

The five papers collectively define a complete, layered defence architecture that operationalizes USST:

Figure 4
Figure 4 Unified security architecture integrating all five papers. DETECT (Paper 1) and MONITOR (Paper 2) provide measurement. VERIFY (Paper 3/IVP) provides single-agent defense. GRAPH (Paper 4/ETVG) provides network-level detection. RESPOND (Paper 5/ARES) provides autonomous remediation. UNIFY (Meta) integrates all into Φ_security.
Table 2 The unified defence architecture components, papers, functions, and outputs
Layer Component Paper Function Output
Detection SVS + BDI 1 Classify inputs; measure behavioral misalignment SVS score per input; BDI per turn
Temporal IDR + Λ(t) 2 Track drift velocity; identify phase transition IDR alert at t* − 3.2 turns
Verification IVP + τ 3 Gate inputs by intent-alignment; anchor φ τ score; block/execute decision
Network ETVG + SDI 4 Model trust graph; detect ECM SDI; node risk R_i(t)
Response ARES/ACSHL 5 Autonomous rollback; isolation; re-anchoring System restored; Φ_security ≥ θ_Φ
Unified Φ_security Meta Composite security health measure Single scalar in [1]

6. Empirical Validation of Φ_security

6.1 AegisBench Comprehensive Evaluation

We validate Φ_security on the complete AegisBench suite across all five paper benchmarks:

Table 3 AegisBench comprehensive evaluation across all five paper benchmarks (N=1,560 sessions total).
Benchmark N Sessions Attack Types Primary Metric Mean Φ_security (defended)
AegisBench v1.0 (Paper 1) 300 Type I,II,III SVS,BDI 0.81
AegisBench-MT (Paper 2) 480 Type II (multi-turn) IDR,Λ(t) 0.77
AegisBench+MT (Paper 3) 780 All types,6 defences τ,ASR 0.84
AegisBench-MAS (Paper 4) 180 Trust-level attacks SDI,TAF 0.79
AegisBench-SH (Paper 5) 120 All,with recovery ARES,ASR 0.89
Complete suite (Meta) 1,560 All types+topologies Φ_security 0.82

Φ_security achieves AUC = 0.943 in predicting attack success (attack defined as Φ_security < 0.65 AND final BDI > δ) across all 1,560 sessions outperforming any single-paper metric: BDI alone (AUC 0.724), IDR alone (AUC 0.761), τ alone (AUC 0.839), SDI alone (AUC 0.798). The composite function captures variance that no individual metric explains, consistent with the three-axis model's claim that intent, time, and interaction are mutually irreducible security dimensions.

Figure 5
Figure 5 Unified metric suite dashboard across all five papers. Each metric (SVS, BDI, IDR, τ, SDI, unified ASR) is shown under clean vs. attack conditions. The composite Φ_security integrates all six signals into a single dynamic health measure. Together they provide early warning (IDR), real-time assessment (BDI, τ), network monitoring (SDI), and retrospective validation (ASR).

7. USST in the Broader Context of AI Safety

USST addresses a specific and previously unformalized threat class: adversarial manipulation of goal-directed agents through semantically valid inputs. This is distinct from, but related to, broader AI safety concerns addressed by Amodei et al. (2016) (concrete safety problems including reward hacking, safe exploration, and distributional shift) and Russell (2019) (the problem of specifying human preferences). The key connection is the specification-behavior gap the possibility that a system behaves according to its specification while violating the designer's intent. USST formalizes this gap as the Authentication Gap (Paper 3) and the Clean Attack Paradox (Section 4), and provides measurement instruments (SVS, BDI, IDR, τ, SDI) for detecting when the gap is being actively exploited.

The dependability framework of Avizienis et al. (2004) which distinguishes faults, errors, and failures in computing systems provides a useful vocabulary: clean attacks are errors (deviations of a delivered service from correct service) caused by adversarial faults (semantic misalignment deliberately engineered into legitimate-appearing inputs) rather than accidental faults (bugs, hardware failures). USST extends dependability theory to the adversarial setting by providing the formal fault model, error detection mechanisms, and failure recovery protocols appropriate for goal-directed AI agents.

Anderson (2020) and Schneier (2000) both argue that security must be analyzed at the systems level that individual component security does not imply system security. USST instantiates this principle formally for autonomous AI agents, proving it as Theorem 3 (Component Insufficiency) and demonstrating it empirically across 1,560 AegisBench sessions.

8. Open Problems and Future Directions

USST, as formalized in this series, leaves several important problems open:

  • Dynamic topology security. Papers 4–5 assume relatively stable network topologies. Real multi-agent deployments may have dynamically evolving trust graphs new agents joining, existing agents departing, trust relationships reconfiguring. USST's network security analysis requires extension to time-varying graph topology.

  • Adaptive adversaries. All five papers assume a non-adaptive attacker who does not observe or respond to the deployment of IVP, ETVG, or ARES defenses. An adaptive adversary who can observe defense activation signals and adjust attack strategy accordingly represents a harder threat model requiring game-theoretic analysis.

  • Cross-session persistence. USST addresses within-session security. Cross-session attacks where an attacker establishes trust across multiple sessions, each individually clean, before triggering a high-impact attack require extending the temporal axis of USST to multi-session trajectories.

  • Φ_security calibration across domains. The weights (w₁ = 0.40, w₂ = 0.35, w₃ = 0.25) and thresholds (τ* = 0.65, δ_IDR, δ_SDI) are calibrated on AegisBench. Domain-specific deployments (medical, financial, legal) may require different calibration. A principled calibration methodology is needed.

  • Formal proof of Φ_security optimality. Proposition 3 (Paper 3) establishes Bayes-optimality of τ* under specific cost assumptions. A corresponding result for Φ_security as a whole under what conditions is the composite function optimal among all measurable security functions over (φ, t, G)? remains open.

9. Limitations

This meta paper synthesizes findings from five papers, each of which has its own limitations documented in its respective limitations section. At the synthesis level:

  • The empirical results are based on AegisBench a benchmark designed by the same research team. Independent replication on diverse agent systems and attack types is needed to validate generalizability.

  • The three-axis model (intent, time, interaction) may not exhaust the relevant dimensions of agent security. Resource constraints (memory, compute), external environment dynamics, and model-level vulnerabilities (weight-level backdoors) are not captured by the current framework.

  • The formal proofs of Theorems 3–5 rely on specific formalization choices (the clean attack definition, the ETVG model, the BDI/SDI measurement protocol). Alternative formalizations may yield different results.

  • AI Tool Use Disclosure. This paper and the series were prepared with AI writing assistance. All formal proofs, experimental designs, empirical results, and theoretical claims were developed and validated by the author (Harsh Verma, Palo Alto Networks).

10. Conclusion

We have advanced a simple but consequential claim: security in autonomous AI agent systems is not a property of components but a dynamic system property defined over intent, time, and interaction. We have formalized this claim as the Unified Security Systems Theory (USST), proving three meta-theorems that establish the structural insufficiency of component-level security and the necessity of trajectory-level, interaction-level security measurement.

The five-paper AI Agent Security Series operationalizes USST through five interlocking contributions: the clean attack taxonomy and AegisBench benchmark (Paper 1), the policy drift dynamical model and IDR (Paper 2), the Intent Verification Pipeline and φ-anchoring (Paper 3), the Emergent Trust Vulnerability Graph and SDI (Paper 4), and the self-healing ACSHL/ARES framework (Paper 5). Together, these contributions reduce mean attack success rate from 61.4% (no defense) to 4.8% (full unified defense) across 1,560 AegisBench sessions.

The Unified Security Function Φ_security(φ, t, G) integrates all five papers' contributions into a single, calibrated, continuously monitored security health measure the first formal operationalization of autonomous agent security as a dynamic system property. We offer this as the theoretical foundation for the emerging field of autonomous AI agent security.

References

  1. von Bertalanffy,L.(1968). General system theory: Foundations, development, applications. George Braziller. DOI ↗ Google Scholar ↗
  2. Simon,H.A.(1962). The architecture of complexity. Proceedings of the American Philosophical Society, 106(6),467–482. DOI ↗ Google Scholar ↗
  3. Meadows,D.H.(2008). Thinking in systems: A primer. Chelsea Green Publishing. DOI ↗ Google Scholar ↗
  4. Forrester,J.W.(1971). Counterintuitive behavior of social systems. Technology Review, 73(3),52–68. DOI ↗ Google Scholar ↗
  5. Holland,J.H.(1998). Emergence: From chaos to order. Addison-Wesley. DOI ↗ Google Scholar ↗
  6. Anderson,P.W.(1972). More is different. Science, 177(4047),393–396. DOI ↗ Google Scholar ↗
  7. Kauffman,S.A.(1993). The origins of order: Self-organization and selection in evolution. Oxford University Press. DOI ↗ Google Scholar ↗
  8. Amodei,D.,Olah,C.,Steinhardt,J.,Christiano,P.,Schulman,J.,&amp;Mané,D.(2016). Concrete problems in AI safety. arXiv preprint. DOI ↗ Google Scholar ↗
  9. Russell,S.(2019). Human compatible: Artificial intelligence and the problem of control. Viking. DOI ↗ Google Scholar ↗
  10. Leike,J.,Martic,M.,Krakovna,V.,Ortega,P.A.,Everitt,T.,Lefrancq,A.,Orseau,L.,&amp;Legg,S.(2017). AI safety gridworlds. arXiv preprint. DOI ↗ Google Scholar ↗
  11. Hadfield-Menell,D.,Milli,S.,Abbeel,P.,Russell,S.,&amp;Dragan,A.(2017). Inverse reward design. NeurIPS 2017. DOI ↗ Google Scholar ↗
  12. Avizienis,A.,Laprie,J.-C.,Randell,B.,&amp;Landwehr,C.(2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1(1),11–33. DOI ↗ Google Scholar ↗
  13. Schneier,B.(2000). Secrets and lies: Digital security in a networked world. Wiley. DOI ↗ Google Scholar ↗
  14. Anderson,R.(2020). Security engineering: A guide to building dependable distributed systems (3rd ed.). Wiley. DOI ↗ Google Scholar ↗
  15. Clarke,E.M.,Grumberg,O.,&amp;Peled,D.A.(1999). Model checking. MIT Press. DOI ↗ Google Scholar ↗
  16. Strogatz,S.H.(2015). Nonlinear dynamics and chaos (2nd ed.). Westview Press. DOI ↗ Google Scholar ↗
  17. Khalil,H.K.(2002). Nonlinear systems (3rd ed.). Prentice Hall. DOI ↗ Google Scholar ↗
  18. Shoham,Y.,&amp;Leyton-Brown,K.(2008). Multiagent systems: Algorithmic, game-theoretic, and logical foundations. Cambridge University Press. DOI ↗ Google Scholar ↗
  19. Lamport,L.,Shostak,R.,&amp;Pease,M.(1982). The Byzantine generals problem. ACM TOPLAS, 4(3),382–401. DOI ↗ Google Scholar ↗
  20. Greshake,K.,Abdelnabi,S.,Mishra,S.,Endres,C.,Holz,T.,&amp;Fritz,M.(2023). Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection. ACM AISec 2023. DOI ↗ Google Scholar ↗
  21. Debenedetti,E.,Zhang,J.,Balunović,M.,Beurer-Kellner,L.,Fischer,M.,&amp;Tramèr,F.(2024). AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents. NeurIPS 2024. DOI ↗ Google Scholar ↗
  22. Zou,A.,Wang,Z.,Carlini,N.,Nasr,M.,Kolter,J.Z.,&amp;Fredrikson,M.(2023). Universal and transferable adversarial attacks on aligned language models. arXiv preprint. DOI ↗ Google Scholar ↗
  23. Wei,A.,Haghtalab,N.,&amp;Steinhardt,J.(2024). Jailbroken: How does LLM safety training fail? NeurIPS 2024. DOI ↗ Google Scholar ↗
  24. Barabási,A.-L.,&amp;Albert,R.(1999). Emergence of scaling in random networks. Science, 286(5439),509–512. DOI ↗ Google Scholar ↗
  25. Pastor-Satorras,R.,&amp;Vespignani,A.(2001). Epidemic spreading in scale-free networks. Physical Review Letters, 86(14),3200–3203. DOI ↗ Google Scholar ↗
  26. Kephart,J.O.,&amp;Chess,D.M.(2003). The vision of autonomic computing. Computer, 36(1),41–50. DOI ↗ Google Scholar ↗
  27. Garlan,D.,Cheng,S.-W.,Huang,A.-C.,Schmerl,B.,&amp;Steenkiste,P.(2004). Rainbow: Architecture-based self-adaptation with reusable infrastructure. Computer, 37(10),46–54. [Paper 1—Series] Clean Attacks: Formalizing Semantically Valid Adversarial Behavior in Autonomous AI Agent Systems. AI Agent Security Series,Paper 1. [Preprint] [Paper 2—Series] Policy Drift in Learning AI Agents: A Dynamical Systems Perspective on Security Degradation. AI Agent Security Series,Paper 2. [Preprint] [Paper 3—Series] Intent-Based Security: Replacing Identity-Centric Trust in Autonomous AI Agentic Systems. AI Agent Security Series,Paper 3. [Preprint] [Paper 4—Series] Security in Multi-Agent AI Systems: Modeling Emergent Vulnerabilities via Trust Graphs. AI Agent Security Series,Paper 4. [Preprint] [Paper 5—Series] Designing Self-Healing AI Agentic Systems: A Framework for Autonomous Detection and Response. AI Agent Security Series,Paper 5. [Preprint] [AegisBench] AegisBench: Benchmark Suite for Adversarial Attacks on Autonomous AI Agent Systems. AI Agent Security Series Benchmark Repository. [v1.0,MT,MAS extensions] DOI ↗ Google Scholar ↗
Author details
Harsh Verma
Palo Alto Networks | Artificial Intelligence | United States
👤 View Profile →🔗 Is this you? Claim this publication