00 · GLOSSARY
Glossary: key terms used across the handbook
Plain definitions for the vocabulary Helmwart uses throughout. Terms are grouped by theme, not alphabetically. Each definition is scoped to how Helmwart uses the term; some differ from vendor usage. Links point to the relevant handbook section where the concept appears in full.
A Agents & autonomy
- Agent: A software system that perceives its environment, reasons over that perception (usually via an LLM), and acts autonomously across one or more steps (reading files, calling APIs, spawning sub-agents) without requiring a human to confirm each action. Helmwart treats any system that can plan and act across a multi-step loop as an agent. See: Agents primer →
- Agentic AI: The collective category of AI systems that operate as agents: autonomous, tool-using, multi-step. The OWASP Agentic AI publications (Threats & Mitigations v1.1, MAS Guide v1.0) are the primary source for agentic-AI threat intelligence in this handbook. See: References →
- Agentic factor: One of four properties used by the OWASP v1.1 catalog to explain agentic risk: autonomy, non-determinism, identity management, and agent-to-agent communication. The catalog tags threats with the factors that are relevant to their failure mode. See: Agentic factors primer →
- Autonomy: The degree to which a system decides and acts without human approval. High autonomy means the agent proceeds through multi-step plans and tool calls without asking; low autonomy means frequent check-ins. Autonomy is one of the four agentic factors and affects how far a compromised or mistaken step can propagate.
- Non-determinism: The property of LLM-based systems where identical inputs may produce different outputs across runs. Non-determinism complicates threat modelling because an attack that fails once may succeed on a subsequent attempt, and testing cannot fully cover the output space. It is one of the four agentic factors.
- NHI (non-human identity): A credential or identity principal assigned to a machine, service, or agent rather than a person. Examples include API keys, OAuth service accounts, and agent-to-agent tokens. NHIs are a major attack surface in agentic systems because they are often over-privileged, long-lived, and absent from IAM reviews designed for human users. See: Threats catalog →
- HITL / HOTL: Human-in-the-loop (HITL) means a human reviews and approves individual high-stakes actions before an agent proceeds. Human-on-the-loop (HOTL) means a human monitors at a higher level and can intervene, but does not gate every action. Helmwart uses both as a spectrum; the HITL program page covers the specific six-mitigation escalation flow. See: HITL program →
B Frameworks & standards
- MAESTRO: An OWASP analytical framework (v1.0, Apr 2025) that decomposes an agentic system into seven architectural layers (L1 through L7) plus a Cross-Layer category for emergent failures that span multiple layers. Helmwart uses MAESTRO as the structural lens for every threat: each T-number is tagged with the layer(s) it primarily affects. See: MAESTRO reference → · References §04D →
- MAESTRO layers (L1–L7): The seven layers are: L1 Foundation Model (the LLM weights and inference substrate), L2 Data Operations (retrieval, memory, vector stores), L3 Agent Frameworks (orchestration and agent runtime), L4 Agent Deployment (the runtime host, container, and environment), L5 Agent Observability (monitoring, logging, audit), L6 Agent Identity & Access (credentials, authorisation, NHI), L7 Ecosystem Integration (external APIs, tools, third-party services). A threat tagged L3/L6 is one that exploits both the agent runtime and its credential handling.
- OWASP Agentic Top 10 (ASI): A separate OWASP awareness publication (v2026, Dec 2025) listing the ten highest-impact agentic risks in the standard OWASP Top 10 format (ASI01–ASI10). It is not a parallel threat taxonomy. Each ASI entry maps onto one or more T-numbers from the master Threats & Mitigations catalog. Use ASI as a fast orientation; use T-numbers when you need specifics. See: References §04B →
- Threat catalogue (T-numbers): Helmwart's merged list of 49 named threat entries numbered T1–T49. T1–T17 come from OWASP Agentic AI Threats & Mitigations v1.1 (Dec 2025). The remaining entries normalize scenario-specific threats in the OWASP MAS Threat Modelling Guide v1.0 (Apr 2025), which reuses some IDs across worked systems. Its RPA entries originally numbered T16 and T17 are represented here as T48 and T49 to avoid collisions. See: Threats catalog →
C Threats & patterns
- Lethal trifecta: Simon Willison's three-leg deployment pattern: an agent has access to private data, consumes untrusted content, and can communicate externally. A successful prompt injection can then turn legitimate access into an exfiltration path. See: Lethal trifecta primer →
- Confused deputy: A classic security pattern where a system acting on behalf of a principal (the "deputy") is tricked into using its authority in ways the principal did not sanction. In agentic systems the deputy is typically an agent or orchestrator with elevated credentials; the confused-deputy attack leads it to perform actions the human user never authorised, often via prompt injection or a malicious tool response. See: Principles →
- Prompt injection: An attack where adversarial text embedded in external content (web pages, documents, tool outputs, emails) is processed by an LLM as if it were a trusted instruction, causing the agent to deviate from its intended behaviour. In agentic systems, prompt injection is especially dangerous because the agent has tool access, so a single successful injection can trigger real-world actions. See: T1 → · LLM01 →
- Memory poisoning: An attack that corrupts the persistent memory store an agent reads across sessions by embedding malicious instructions or false context that will influence the agent's future behaviour long after the attacker's initial access is gone. It is related to prompt injection but specifically targets the persistence layer (vector stores, session memory, knowledge bases). See: Threats catalog →
- Blast radius: The scope of damage a single compromised agent or action can cause. Blast radius depends on the agent's tool access, credential scope, network position, and autonomy level. Helmwart uses blast radius as a mental model for prioritising mitigations: controls that reduce blast radius (least-privilege, sandboxing) are often more cost-effective than controls that aim to prevent compromise entirely.
D Controls & mitigations
- Mitigation maturity tier: A three-level rating Helmwart assigns to each mitigation entry. Tier 1 (established in production) means the control has clear vendor support, established deployment patterns, and real-world evidence. Tier 2 (available with integration work) means the control is implementable but requires composition or lacks first-class tooling. Tier 3 (experimental) means operational evidence is limited. See: Mitigations catalog →
- Design principle: A durable architectural guideline that reduces attack surface across many specific threats. Helmwart documents 40 principles — Zero Trust, least privilege, least agency, fail-securely, defence-in-depth, and others — each with agentic failure modes, framework mappings, and the controls that implement it. See: Principles →
- Defence-in-depth: The security principle that multiple independent controls are layered so that no single failure leads to full compromise. In agentic systems this means combining input validation, tool sandboxing, credential scoping, HITL gates, and anomaly detection. Each layer catches what the others miss. See: Principles →
E Protocols & infrastructure
- MCP (Model Context Protocol): An open protocol, originated by Anthropic, that standardises how an LLM or agent connects to external tools, data sources, and services. MCP servers expose capabilities (tools, resources, prompts) that an MCP client (the agent host) can discover and invoke. MCP is a significant attack surface because tool descriptions arrive as text the model trusts. See: MCP primer →
- A2A (agent-to-agent communication): Any protocol or pattern by which one agent sends instructions, data, or tool results to another agent. A2A interactions are a major source of trust-boundary complexity: the receiving agent cannot verify whether the sending agent has been compromised or is relaying injected content from an untrusted source. See: A2A primer →
- RAG (retrieval-augmented generation): A pattern where the LLM's context window is supplemented at inference time with documents retrieved from an external store (typically a vector database). RAG introduces a data-pipeline trust boundary: content in the retrieval corpus may be attacker-controlled, making retrieval a vector for prompt injection, knowledge poisoning, and information disclosure. See: RAG primer →