awossAgentic Workspace Security Standard

Standard

Assurance Levels

Working draft

This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

awoss uses candidate assurance levels to describe increasing rigor for agentic workspace systems. The levels are inspired by levelled security standards such as CCSS and OWASP AISVS, but they are scoped to agentic workspace systems and do not claim equivalence to either source.

The levels are cumulative in intent. Level 2 should build on Level 1. Level 3 should build on Level 2. Future released profiles may refine whether every lower-level requirement is mandatory for a higher-level claim.

6.1 Level 1: Foundation

Level 1 is intended for low-risk pilots, local workspace use, limited internal agent workflows, or early deployments where the organization needs a basic security foundation before expanding agent authority.

Level 1 focuses on:

  • defined system boundary
  • inventory of runtimes, tools, skills, connectors, and connected resources
  • assigned owners for workspace, runtime, skill or skill-set source, governance, and evidence responsibilities
  • basic source hygiene for skills, tools, and connectors
  • separation of secrets from portable context and evidence
  • identification of high-impact action classes
  • basic approval or human review expectations
  • minimal evidence packet sufficient for internal review

Level 1 should be achievable without specialized audit infrastructure. It should still require enough structure to prevent invisible, unowned, or unbounded agentic work.

6.2 Level 2: Managed Production

Level 2 is intended for production agentic workspace systems where agents can perform recurring business work, access meaningful internal resources, or invoke tools with material operational impact.

Level 2 focuses on:

  • repeatable policy enforcement for delegated authority and high-impact action gates
  • scoped permissions and least-privilege runtime configuration
  • documented approval policies with reviewable receipts
  • maintained provenance records for skills, tools, connectors, and dependencies
  • validation of denied-action paths, approval gates, and critical policy decisions
  • durable logs, receipts, and evidence artifacts
  • exception tracking and risk acceptance
  • periodic review by named control owners

Level 2 should assume production operations and repeatable evidence. It should not rely only on informal operator judgment or ad hoc chat transcripts.

6.3 Level 3: High Assurance

Level 3 is intended for high-impact, regulated, sensitive, externally exposed, or mission-critical agentic workspace systems.

Level 3 focuses on:

  • strong runtime mediation before high-impact actions execute
  • hardened workspace and execution boundaries
  • tamper-evident or independently retained action and approval records
  • stronger provenance controls such as pinned sources, checksums, signatures, attestations, independent review, or controlled release channels where practical
  • recurring validation, red-team exercises, tabletop exercises, or adversarial testing
  • separation of duties between builders, operators, approvers, and reviewers
  • emergency stop, rollback, and incident-response testing
  • independent review readiness
  • documented governance for changes, exceptions, and reassessment

Level 3 should assume stronger independence and recurring validation. It should not be treated as a simple checklist upgrade from Level 2.

6.4 Level Selection

Organizations should select a target level based on risk, not marketing preference.

Factors that should push a system toward Level 2 or Level 3 include:

  • access to production systems
  • ability to send external communications
  • ability to write, delete, deploy, or execute code
  • access to confidential, regulated, customer, financial, legal, or security data
  • ability to change access controls or credentials
  • reliance on third-party skills, plugins, tools, or connectors
  • use by multiple teams or business units
  • material impact if the agent acts incorrectly or maliciously

6.5 Level Claims In The Working Draft

Because this is a working draft, organizations should not claim that a system has achieved awoss Level 1, Level 2, or Level 3.

Acceptable working-draft phrasing:

  • "reviewed against candidate awoss Level 1 expectations"
  • "maps to selected candidate awoss Level 2 runtime controls"
  • "collects evidence relevant to candidate awoss Level 3 logging and review expectations"

Unacceptable working-draft phrasing:

  • " awoss Level 2 certified"
  • " awoss Level 3 compliant"
  • "approved under awoss"
Previous
Conformance Model
Next
System Boundary And Responsibility Owners