awossAgentic Workspace Security Standard

Control Families

AWOSS-VAL: Validation, Testing, And Review

Working draft

This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

Objective:

The scoped agentic workspace system should validate that important agentic workspace controls exist and operate as intended, especially for high-impact actions, source trust, context boundaries, sensitive data handling, logging, output behavior, human oversight, monitoring, and emergency procedures.

Primary layer: evidence and audit.

Typical owner: security validation, assurance, or independent review.

Applicability:

Applies to candidate controls that require evidence beyond documentation, especially controls involving runtime enforcement, approval gates, denied actions, workspace boundaries, context integrity, sensitive data, provenance, logs, human intervention, monitoring signals, and change management.

Level 1 Candidate Requirements

AWOSS-VAL-L1-001: The scoped agentic workspace system MUST identify which candidate controls are reviewed by documentation, configuration inspection, sampled evidence, manual test, automated test, monitoring review, or not reviewed in the current draft assessment.

AWOSS-VAL-L1-002: The scoped agentic workspace system MUST maintain at least one validation or review artifact for the scoped boundary before using awoss candidate controls in internal assurance discussions, including scope, method, reviewer or owner, date, and finding status.

AWOSS-VAL-L1-003: The scoped agentic workspace system MUST record known gaps, assumptions, exceptions, residual risks, or untested controls discovered during review.

Level 2 Candidate Requirements

AWOSS-VAL-L2-001: The scoped agentic workspace system MUST test or review approval gates, denied-action paths, source-trust controls, sensitive-data controls, and logging controls before production deployment or material boundary expansion, including human oversight paths and incident or rollback procedures for high-impact workflows.

AWOSS-VAL-L2-002: The scoped agentic workspace system MUST track validation findings, remediation status, risk acceptance, owners, target dates, and retest or review triggers for material gaps.

AWOSS-VAL-L2-003: The scoped agentic workspace system SHOULD use repeatable validation fixtures, review checklists, policy tests, adversarial prompts, context-boundary tests, or evidence queries for recurring production reviews.

Level 3 Candidate Requirements

AWOSS-VAL-L3-001: The scoped agentic workspace system MUST perform recurring validation for high-impact workflows, including boundary enforcement, runtime action control, context-poisoning resistance, sensitive-data handling, logging integrity, and incident or rollback procedures, with review of drift, monitoring signals, and human-intervention records where applicable.

AWOSS-VAL-L3-002: The scoped agentic workspace system MUST use separated, independent, or qualified review for high-assurance validation where feasible, and MUST record the reviewer relationship or qualification basis.

AWOSS-VAL-L3-003: The scoped agentic workspace system SHOULD include adversarial testing, red-team exercises, tabletop exercises, or abuse-case testing for material agentic workspace risks, including source-trust abuse, context manipulation, tool misuse, sensitive-data exposure, and incident-response paths.

Minimum evidence examples:

  • validation plan
  • control coverage matrix
  • test fixture or review checklist
  • policy test results
  • context-boundary or denied-action test result
  • monitoring or drift review
  • red-team or adversarial test summary
  • findings and remediation tracker
  • risk acceptance record
  • independent review summary where applicable

Mapping notes:

  • The completed crosswalk treats AWOSS-VAL as the broadest validation and review family, shaped by human oversight, output and denied-path testing, recurring review, vulnerability scoring, monitoring, red-team exercises, evidence review, and drift signals from EU AI Act, OWASP AISVS, OWASP Agentic Skills Top 10, OWASP AIVSS, CSA AICM, CSA MAESTRO, NIST AI RMF, NIST AI 600-1, ISO/IEC 42001, ISO/IEC 23894, AIUC-1, Five Eyes guidance, and MITRE ATLAS. Validation evidence must remain scoped to the tested controls, fixtures, workflows, and review period.

Claim limits:

  • Validation evidence supports selected candidate controls. It does not create certification, third-party assurance, legal conformity, complete safety, or complete external-framework coverage unless a future profile defines those conditions and an assessor model exists.
Previous
AWOSS-LOG: Logs, Receipts, And Traceability
Next
AWOSS-GOV: Governance, Exceptions, And Change Management