awossAgentic Workspace Security Standard

Control Families

AWOSS-CTX: Context, Memory, And Instruction Boundary Control

Working draft

This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

Objective:

The scoped agentic workspace system should protect instruction hierarchy, workspace context, retrieval inputs, tool outputs, memory, and handoff state from unsafe influence, unintended persistence, secret exposure, and cross-boundary confusion.

Primary layer: runtime platform.

Typical owner: runtime configuration and data/context governance.

Applicability:

Applies when agents use project instructions, user-local context, retrieved documents, memory, conversation history, tool outputs, skill instructions, handoff notes, external data, vector or retrieval stores, or other context sources to make decisions or take actions.

Level 1 Candidate Requirements

AWOSS-CTX-L1-001: The scoped agentic workspace system MUST identify the context and instruction sources that can influence agent behavior, including user instructions, project instructions, skill instructions, retrieved documents, memory, and tool outputs where applicable, and MUST distinguish trusted, user-provided, retrieved, external, generated, and lower-trust sources where practical.

AWOSS-CTX-L1-002: The scoped agentic workspace system MUST define the intended precedence or trust relationship between instruction sources that can conflict, including which sources may set policy, request actions, provide evidence, or only supply data.

AWOSS-CTX-L1-003: The scoped agentic workspace system MUST identify context locations where secrets, credentials, confidential data, or private operational details should not be stored, retrieved, summarized into memory, exported as evidence, or used as examples.

Level 2 Candidate Requirements

AWOSS-CTX-L2-001: The scoped agentic workspace system MUST enforce or document controls that prevent lower-trust content, retrieved content, tool output, or user-provided documents from silently overriding higher-priority instructions or approval requirements, including human-approval, runtime-policy, and boundary requirements.

AWOSS-CTX-L2-002: The scoped agentic workspace system MUST control memory or durable context writes that could affect future high-impact actions, including approval, review, owner expectations, retention, deletion, and change-attribution expectations for persistent changes.

AWOSS-CTX-L2-003: The scoped agentic workspace system SHOULD sanitize handoffs, summaries, memory records, and evidence exports to avoid storing secrets, credentials, session cookies, confidential payloads, untrusted instructions, hidden prompt content, or unnecessary private content.

Level 3 Candidate Requirements

AWOSS-CTX-L3-001: The scoped agentic workspace system MUST test instruction-boundary and context-poisoning scenarios for high-impact workflows, including untrusted documents, retrieved content, tool outputs, memory interactions, skill instructions, external data, and poisoned retrieval records.

AWOSS-CTX-L3-002: The scoped agentic workspace system MUST retain reviewable records of material memory, retrieval, context, or instruction changes that can influence high-impact workflows, including actor, source, timestamp, rationale, and review status where practical.

AWOSS-CTX-L3-003: The scoped agentic workspace system SHOULD isolate high-risk workflows from lower-trust memory, retrieval corpora, or shared context unless the lower-trust source is explicitly approved for the workflow, and SHOULD provide a clean context mode or equivalent boundary for high-impact action review where practical.

Minimum evidence examples:

  • context-source inventory
  • instruction precedence rules
  • memory write policy
  • retrieval or vector-store source inventory
  • sanitized handoff or memory examples
  • durable context change records
  • prohibited-storage or redaction policy
  • prompt/context boundary test results
  • context-poisoning, retrieval-poisoning, or indirect-prompt-injection review or red-team summary

Mapping notes:

  • The completed crosswalk treats AWOSS-CTX as a candidate-control family shaped by instruction hierarchy, memory and vector-store security, RAG and data-flow threat modeling, prompt-injection, context poisoning, tool-output poisoning, privacy, information-integrity, and goal-drift signals from OWASP AISVS, CSA MAESTRO, NIST AI 600-1, ISO/IEC 23894, Five Eyes guidance, MITRE ATLAS, and selected EU AI Act prohibited-practice and disclosure signals.

Claim limits:

  • Context-boundary controls support evidence for selected candidate controls. They do not prove model robustness, prompt-injection immunity, absence of prohibited practices, legal sufficiency, or safe behavior for all untrusted content, retrieved content, tool output, or memory state.
Previous
AWOSS-SRC: Skill, Tool, And Connector Source Trust
Next
AWOSS-SEC: Secrets, Credentials, And Sensitive Data Handling