EVIDENCE TRAIL
Graceful degradation — fail closed where it matters, fail open where it's safe
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The title is Helmwart's normalised label. No single upstream source uses the phrase "fail-open vs fail-closed per action class" — that per-action-class taxonomy is Helmwart's operationalisation of the OWASP T4 Resource Overload mitigation and the canonical SRE graceful-degradation pattern.
Last cross-checked against upstream sources: · 8 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
§Playbook 3 — Securing AI Tool Execution & Preventing Unauthorized Actions, Step 3 "Prevent AI Resource Exhaustion" (Detective measures)
"Enforce auto-suspension of AI processes that exceed predefined resource consumption thresholds."
Supports: Verbatim endorsement of auto-suspension on quota breach — the reactive half of this control. Playbook 3 explicitly covers T4 Resource Overload.
Does not prove: Does not use the phrase "fail-closed" or distinguish write-authority paths from read-only paths. The per-action-class taxonomy is Helmwart's operationalisation of the underlying principle.
OWASP Agentic AI — Threats & Mitigations v1.1
§T4 Resource Overload — Description
"Resource Overload occurs when attackers deliberately exhaust an AI agent's computational power, memory, or external service dependencies, leading to system degradation or failure. Unlike traditional DoS attacks, AI agents are especially vulnerable due to resource-intensive inference tasks, multi-service dependencies, and concurrent processing demands, making them susceptible to delays, decision paralysis, or cascading failures across interconnected systems."
Supports: Establishes the threat context this mitigation responds to: resource exhaustion causing degradation or failure in agentic systems, including cascading failures across interconnected agents.
Does not prove: Threat description, not a mitigation prescription. Does not name fail-open vs fail-closed as the response decision.
OWASP Top 10 for Agentic Applications 2026
§ASI08 Cascading Failures — Mitigation 7 "Rate limiting and monitoring"
"Implement blast-radius guardrails such as quotas, progress caps, circuit breakers between planner and executor."
Supports: Explicitly names circuit breakers and quotas as the blast-radius controls between agentic planning and execution — the same structural position this control occupies.
Does not prove: Framed as a cascading-failure defence (ASI08), not a resource-overload response (ASI02/T4). The fail-open vs fail-closed decision logic is not discussed.
Google SRE Book — Handling Overload
Chapter "Handling Overload" — §Degraded Responses
"One option for handling overload is to serve degraded responses: responses that are not as accurate as or that contain less data than normal responses, but that are easier to compute."
Supports: Canonical SRE definition of the graceful-degradation pattern: reduced-quality responses under overload, rather than a binary refuse/fail. Directly cited as the vendor evidence in the MDX.
Does not prove: Does not address agents, write-authority paths, or the fail-closed decision. Applies to general-purpose backend services, not AI action execution. The chapter also covers load shedding via per-customer quotas, but does not use the phrase "fail closed" or distinguish action classes by authority level.
NIST SP 800-160 v2 Rev. 1 — Developing Cyber Resilient Systems
Appendix D.5.2.10 — Design Principle "Maintain situational awareness and adapt" (strategy examples)
"Reallocating resources (e.g., reallocating processing, communications, or storage resources to enable graceful degradation and the repurposing of resources)"
Supports: The MDX cites NIST SP 800-160 v2 §3.4 for graceful degradation. The phrase "graceful degradation" appears in the document in the context of resource reallocation as a cyber-resilience strategy, confirming the principle is present. The broader document defines cyber-resilient systems as those that "can withstand cyberattacks, faults, and failures and continue to operate in a degraded or debilitated state."
Does not prove: The single verbatim use of "graceful degradation" is in an illustrative bulleted list in an appendix, not a dedicated §3.4 section heading. The MDX citation of "§3.4" may be imprecise — the document's section 3.4 covers cyber resiliency goals and objectives, not a dedicated graceful-degradation section. Writers should verify the exact section reference before publishing.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
MANAGE 2.4 — heading text; action MG-2.4-002 adds: "Establish and maintain procedures for escalating GAI system incidents to the organizational risk management authority when specific criteria for deactivation or disengagement is met."
"MANAGE 2.4: Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use."
Supports: Establishes that AI systems should have pre-declared deactivation/suspension criteria and escalation paths — the structural requirement this control fulfils through its quota-trip suspension logic.
Does not prove: Covers system-level deactivation, not per-action-class failure modes. Does not distinguish fail-open from fail-closed. The MDX's "MANAGE-2.4 names operational continuity" slightly mischaracterises the control: MANAGE 2.4 is about deactivation/disengagement, not continuity of operation. Operational continuity language appears more in MAP 1.1 and MEASURE 2.6.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
AML.M0024 — description (verbatim from ATLAS.yaml)
"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts."
Supports: Logging agentic decisions and tool use is the observable basis for detecting degradation events and for the "suspension events per agent per hour" detection signal named in this control.
Does not prove: Telemetry logging is a detective measure, not a graceful-degradation mechanism. AML.M0024 does not address fail-open vs fail-closed or quota-triggered suspension directly.
MITRE ATLAS AML.T0029 — Denial of AI Service
AML.T0029 — description (verbatim from ATLAS.yaml)
"Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service. Since many AI systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the AI system."
Supports: Names the threat class this control mitigates: deliberate resource exhaustion to degrade or shut down AI services. Confirms the threat is "demonstrated" (not hypothetical).
Does not prove: Attack technique description, not a mitigation prescription. Does not address the fail-open vs fail-closed response decision.