EVIDENCE TRAIL

Behavioural anomaly isolation — auto-quarantine on observable drift

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The quarantine sequence (identity revocation → message-queue isolation → in-flight rollback → incident ticket) is Helmwart's normalised pattern. The closest upstream statement is OWASP Agentic AI v1.1 Playbook 6 Step 2, which names isolation, access restriction, privilege revocation, and automatic process disabling verbatim.

Last cross-checked against upstream sources: · 8 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T13 Rogue Agents in Multi-Agent Systems — Mitigation column

"Restrict AI agent autonomy using policy constraints and continuous behavioral monitoring. While cryptographic attestation mechanisms for LLMs do not yet exist, agent integrity can be maintained via controlled hosting environments, regular AI red teaming, and input/output monitoring for deviations."

Supports: Names "continuous behavioral monitoring" and "input/output monitoring for deviations" as the primary detection mechanism for rogue agents — the observable-drift signal this control acts on.

Does not prove: Does not name automatic isolation or credential revocation as the response; the table-level mitigation stops at monitoring and hosting controls. Helmwart extends to automatic quarantine.

Reference 2
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T12 Agent Communication Poisoning — Mitigation column

"Deploy cryptographic message authentication, enforce communication validation policies, and monitor inter-agent interactions for anomalies. Require multi-agent consensus verification for mission-critical decision-making processes."

Supports: Names monitoring inter-agent interactions "for anomalies" as the detection step; this is the observable-drift signal that fires this control's quarantine path when a peer agent deviates.

Does not prove: Focuses on channel-level controls (authentication, validation) rather than per-agent isolation. Does not prescribe automatic credential revocation on anomaly detection.

Reference 3
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

Playbook 6: Securing Multi-Agent Communication & Trust Mechanisms — Step 2: Detect & Block Rogue Agents (Reactive)

"Isolate detected rogue agents, their communication history and memory, to prevent further actions. Immediately restrict network and system access for flagged agents. Revoke privileges of AI agents exhibiting suspicious behavior. Temporarily downgrade permissions until the anomaly is reviewed. Enforce dynamic response actions for rogue agents. Automatically disable unauthorized AI agent processes to contain threats."

Supports: The most direct upstream precedent for this control. Names isolation, access restriction, privilege revocation, and automatic process disabling as the complete reactive sequence, matching this control's four-step quarantine (identity revocation → message-queue isolation → in-flight action rollback → incident ticket).

Does not prove: Does not specify that rollback of in-flight actions is required, and does not name the anomaly-score threshold mechanism. Helmwart adds the score-gated automation layer and the rollback step.
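The score-gated four-step quarantine described above, written out as an added example (it is not Helmwart's or OWASP's code). The ControlPlane hooks, the threshold value and the in-flight action ids are constructed assumptions; the point it shows is that a failed containment step is recorded rather than aborting the sequence, so the incident ticket always captures what was and was not contained.

```python
from dataclasses import dataclass, field

QUARANTINE_THRESHOLD = 0.8  # constructed sample threshold; tune per deployment


class ControlPlane:
    """Hypothetical hooks a quarantine orchestrator calls; in-memory stand-ins."""

    def __init__(self):
        self.revoked, self.isolated, self.rolled_back, self.tickets = set(), set(), {}, []
        self.in_flight = {"agent-7": ["tx-41", "tx-42"]}  # constructed in-flight actions

    def revoke_identity(self, agent_id):
        self.revoked.add(agent_id)  # step 1: agent can no longer authenticate

    def isolate_queue(self, agent_id):
        self.isolated.add(agent_id)  # step 2: peers stop receiving its messages

    def rollback_in_flight(self, agent_id):
        actions = self.in_flight.pop(agent_id, [])  # step 3: undo uncommitted work
        self.rolled_back[agent_id] = actions
        return actions

    def open_ticket(self, record):
        self.tickets.append(record)  # step 4: hand the evidence to a human reviewer
        return f"INC-{len(self.tickets)}"


@dataclass
class QuarantineRecord:
    agent_id: str
    score: float
    steps: list = field(default_factory=list)  # (step name, succeeded, detail)
    ticket_id: str = ""


def quarantine_if_anomalous(cp, agent_id, score, threshold=QUARANTINE_THRESHOLD):
    """Return a QuarantineRecord when score >= threshold, otherwise None.

    Containment steps run in fixed order; a failing step is logged and the
    sequence continues, because the later steps still shrink the blast radius."""
    if score < threshold:
        return None
    rec = QuarantineRecord(agent_id, score)
    containment = [
        ("revoke_identity", cp.revoke_identity),
        ("isolate_queue", cp.isolate_queue),
        ("rollback_in_flight", cp.rollback_in_flight),
    ]
    for name, step in containment:
        try:
            rec.steps.append((name, True, step(agent_id)))
        except Exception as exc:  # record the failure, do not abort containment
            rec.steps.append((name, False, repr(exc)))
    rec.ticket_id = cp.open_ticket(rec)  # opened last so it carries the full step log
    return rec
```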

Reference 4
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI03 Identity and Privilege Abuse — Mitigation 7 (non-human identity lifecycle controls)

"Include automated revocation on idle or anomaly."

Supports: Verbatim use of "automated revocation on … anomaly" in an agentic identity context — the closest upstream phrase for the identity-revocation leg of this control.

Does not prove: Framed as an NHI lifecycle item, not an anomaly-isolation pattern per se. Does not describe message-queue isolation or action rollback as companion steps.

Reference 5
Published August 2012

NIST SP 800-61 Rev 2 — Computer Security Incident Handling Guide

§3.3.1 Choosing a Containment Strategy

"Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident."

Supports: Establishes the principle that containment must fire early — before damage scales — and that pre-defined automated strategies are the practical way to achieve timely containment. This is the foundational IR principle this AI control specialises into the agentic context.

Does not prove: Predates agentic AI; containment targets are hosts and network segments, not software agents. Does not address credential revocation or message-queue isolation as containment mechanisms.

Reference 6
ATLAS catalogue (continuously updated)

MITRE ATLAS AML.M0024 — AI Telemetry Logging

AML.M0024 description

"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts."

Supports: Names per-agent identity, intermediate agentic steps, and tool use as the logging targets whose anomalous values produce the observable-drift signal this control responds to.

Does not prove: Logging is prerequisite infrastructure; AML.M0024 does not prescribe what automated response to fire when anomaly is detected. That reactive step is Helmwart's addition.

Reference 7
ATLAS catalogue (continuously updated)

MITRE ATLAS AML.M0032 — Segmentation of AI Agent Components

AML.M0032 description

"Define security boundaries around agentic tools and data sources with methods such as API access, container isolation, code execution sandboxing, and rate limiting of tool invocation. When sandboxing, limit resource and network access and build the container or virtual machine from a clean base image before each run. This restricts untrusted processes or potential compromises from spreading throughout the system."

Supports: Names container isolation and limiting network access as the architectural means for restricting a compromised component from spreading — the same blast-radius goal as message-queue isolation in this control's quarantine sequence.

Does not prove: Describes a proactive architectural pattern (sandbox per run), not a reactive quarantine triggered by a runtime anomaly score. Helmwart's control is the runtime complement to this static boundary.

Reference 8
Published July 2024

NIST AI 600-1 — Generative AI Profile (NIST AI RMF)

MANAGE 2.4 — header statement

"Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use."

Supports: Names deactivation of AI systems on behavioural inconsistency as a required organisational capability — the NIST-level mandate that this control operationalises through automated quarantine.

Does not prove: MANAGE 2.4 is a governance requirement (processes, responsibilities, criteria), not a technical specification. It does not prescribe automation, anomaly scores, or the four-step quarantine sequence.