A2AS: Agentic AI Runtime Security and Self-Defense
Abstract
The A2AS framework is introduced as a security layer for AI agents and LLM-powered applications, similar to how HTTPS secures HTTP. A2AS enforces certified behavior, activates model self-defense, and ensures context window integrity. It defines security boundaries, authenticates prompts, applies security rules and custom policies, and controls agentic behavior, enabling a defense-in-depth strategy. The A2AS framework avoids latency overhead, external dependencies, architectural changes, model retraining, and operational complexity. The BASIC security model is introduced as the A2AS foundation: (B) Behavior certificates enable behavior enforcement, (A) Authenticated prompts enable context window integrity, (S) Security boundaries enable untrusted input isolation, (I) In-context defenses enable secure model reasoning, (C) Codified policies enable application-specific rules. This first paper in the series introduces the BASIC security model and the A2AS framework, exploring their potential toward establishing the A2AS industry standard.
Keywords
Cite
@article{arxiv.2510.13825,
title = {A2AS: Agentic AI Runtime Security and Self-Defense},
author = {Eugene Neelou and Ivan Novikov and Max Moroz and Om Narayan and Tiffany Saade and Mika Ayenson and Ilya Kabanov and Jen Ozmen and Edward Lee and Vineeth Sai Narajala and Emmanuel Guilherme Junior and Ken Huang and Huseyin Gulsin and Jason Ross and Marat Vyshegorodtsev and Adelin Travers and Idan Habler and Rahul Jadav},
journal= {arXiv preprint arXiv:2510.13825},
year = {2025}
}