OASB
v1.0

Specification

OASB-1

The first version of the Open Agent Security Benchmark. 46 controls across 10 categories with three maturity levels. Designed for automated verification using HackMyAgent.

View all controlsAttack payloads

What is OASB-1?

OASB-1 is an open security benchmark for AI agents. It provides a structured set of controls that can be audited, tested, and verified to assess the security posture of any AI agent, regardless of its underlying model or framework.

Each control follows the CIS Benchmark methodology: a clear requirement statement, rationale for why it matters, audit procedures to verify compliance, and remediation guidance to fix gaps. Controls map to existing frameworks including NIST CSF, CIS Controls, and the OWASP LLM Top 10.

OASB-1 is maintained by the OpenA2A community and is licensed under Apache 2.0.

Maturity levels

Three tiers of security

L1
Essential26 controls

Baseline security every AI agent should implement. Covers identity, input/output validation, credential management, and basic operational security.

All agents, including prototypes and development environments.

L2
Standard18 controls

Defense-in-depth for production systems. Adds trust management, agent-to-agent security, audit logging, and advanced context protection.

Production agents handling sensitive data or operating in multi-agent environments.

L3
Hardened2 controls

Maximum security for high-risk environments. Includes multi-modal input scanning and summarization security.

Regulated industries, financial services, healthcare, and government deployments.

Control categories

10 security domains

1

Identity & Provenance

Who is this agent? Can we verify?

1.11.21.31.4
2

Capability & Authorization

What can this agent do?

2.12.22.32.42.5
3

Input Security

How do we protect against malicious input?

3.13.23.33.43.5
4

Output Security

How do we validate agent outputs?

4.14.24.34.4
5

Credential Protection

How do we protect secrets?

5.15.25.35.45.5
6

Supply Chain Integrity

How do we trust components?

6.16.26.36.46.5
7

Agent-to-Agent Security

How do agents trust each other?

7.17.27.37.4
8

Memory & Context Integrity

How do we protect agent memory?

8.18.28.38.4
9

Operational Security

How do we run agents safely?

9.19.29.39.49.5
10

Monitoring & Response

How do we detect and respond?

10.110.210.310.410.5

Quick reference

46 controls at a glance

ID
Control
Level
Category
1.1
Agent Cryptographic Identity
L1
Identity & Provenance
1.2
Verified Ownership
L1
Identity & Provenance
1.3
Provenance Chain
L2
Identity & Provenance
1.4
Identity Lifecycle Management
L2
Identity & Provenance
2.1
Explicit Capability Grants
L1
Capability & Authorization
2.2
Least Privilege Principle
L1
Capability & Authorization
2.3
Capability Boundaries
L1
Capability & Authorization
2.4
No Implicit Trust Escalation
L2
Capability & Authorization
2.5
Human-in-the-Loop for Sensitive Actions
L2
Capability & Authorization
3.1
Prompt Injection Protection
L1
Input Security
3.2
Instruction Boundary Enforcement
L1
Input Security
3.3
Input Validation
L1
Input Security
3.4
URL and Resource Validation
L1
Input Security
3.5
Multi-Modal Input Security
L3
Input Security
4.1
Output Validation
L1
Output Security
4.2
Action Confirmation for Destructive Operations
L1
Output Security
4.3
Data Exfiltration Prevention
L1
Output Security
4.4
Output Attribution
L2
Output Security
5.1
No Hardcoded Credentials
L1
Credential Protection
5.2
Context Window Isolation
L1
Credential Protection
5.3
Credential Scope Limitation
L2
Credential Protection
5.4
Credential Rotation
L2
Credential Protection
5.5
Secrets Not Logged
L1
Credential Protection
6.1
Verified Component Sources
L1
Supply Chain Integrity
6.2
Cryptographic Integrity Verification
L1
Supply Chain Integrity
6.3
Rug Pull Protection
L1
Supply Chain Integrity
6.4
Dependency Vulnerability Scanning
L1
Supply Chain Integrity
6.5
Software Bill of Materials
L2
Supply Chain Integrity
7.1
Mutual Authentication
L2
Agent-to-Agent Security
7.2
Message Integrity
L2
Agent-to-Agent Security
7.3
Trust Boundary Enforcement
L2
Agent-to-Agent Security
7.4
Communication Logging
L2
Agent-to-Agent Security
8.1
Conversation Integrity
L2
Memory & Context Integrity
8.2
Context Injection Protection
L1
Memory & Context Integrity
8.3
Memory Isolation
L2
Memory & Context Integrity
8.4
Summarization Security
L3
Memory & Context Integrity
9.1
Non-Root Execution
L1
Operational Security
9.2
Resource Limits
L1
Operational Security
9.3
Network Isolation
L1
Operational Security
9.4
Sandboxing
L2
Operational Security
9.5
Secure Configuration Defaults
L1
Operational Security
10.1
Security Event Logging
L1
Monitoring & Response
10.2
Anomaly Detection
L2
Monitoring & Response
10.3
Kill Switch
L1
Monitoring & Response
10.4
Incident Response Procedures
L2
Monitoring & Response
10.5
Recovery and Rollback
L2
Monitoring & Response

Compliance mapping

Framework compatibility

OASB-1 controls map to existing compliance frameworks, making it easier to integrate AI agent security into existing governance programs.

CIS Controls v8

Direct mappings for asset management, access control, data protection, and incident response controls.

NIST CSF

Identify, Protect, Detect, Respond, and Recover functions mapped to agent-specific controls.

OWASP LLM Top 10

Prompt injection, insecure output, data poisoning, and other LLM-specific risks addressed.

Assessment

Compliance ratings

After running the benchmark, agents receive a compliance score based on the percentage of controls that pass at their target maturity level.

A90-100%Fully compliant
B70-89%Mostly compliant
C50-69%Partially compliant
F<50%Non-compliant

Run the benchmark

Use HackMyAgent to verify your agent against OASB-1 controls.

$npx hackmyagent secure --benchmark oasb-1