
EVIDENCE TRAIL

Per-agent quota budgets

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The control is well-supported: OWASP Threats & Mitigations v1.1 §T4 names rate-limiting per agent session verbatim; OWASP LLM10:2025 names user quotas by source entity; OWASP Top 10 Agentic 2026 §ASI02 names cost/rate/token budgets together. The per-agent-identity and per-task dimensions are Helmwart's operational extension of these upstream controls.

Last cross-checked against upstream sources: · 7 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T4 Resource Overload — Mitigation summary (navigator table)

"Deploy resource management controls, implement adaptive scaling mechanisms, establish quotas, and monitor system load in real-time to detect and mitigate overload attempts. Implement AI rate-limiting policies to restrict high-frequency task requests per agent session."

Supports: Verbatim mandate for per-agent-session rate-limiting and quota enforcement as the primary mitigations for Resource Overload. "Per agent session" is the upstream phrasing that Helmwart extends to per-agent-identity and per-task dimensions.

Does not prove: Summary row; detailed per-identity and per-task budget dimensions, token-budget specifics, and fan-out detection are Helmwart additions not stated in this source.

Reference 2
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T4 Resource Overload — Description, second paragraph

"The threat is related to LLM10:2025 Unbounded Consumption – Agentic AI systems are particularly vulnerable to resource overload because they autonomously schedule, queue, and execute tasks across sessions without direct human oversight. Unlike standard LLM applications, agentic AI agents can self-trigger tasks, spawn additional processes, and coordinate with multiple agents, leading to exponential resource consumption, a more complex and systemic threat."

Supports: Establishes the structural reason why agentic systems require quota controls beyond standard LLM rate limits: autonomous scheduling, task self-triggering, and cross-agent coordination each create independent fan-out paths. This is the threat model the mitigation is calibrated to.

Does not prove: Describes the threat; does not prescribe per-identity vs per-IP quota dimensions, nor quantitative budget calibration guidance.

Reference 3
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§T13 Rogue Agents in Multi-Agent Systems — Scenario 3

"Scenario 3: Coordinated Agent Flooding – Multiple rogue agents simultaneously generate excessive task requests, overwhelming computing resources and delaying critical decision-making processes"

Supports: Names "Coordinated Agent Flooding" as a distinct multi-agent DoS scenario, providing the threat label used in the MDX coverage notes. Per-agent quotas are the primary rate-containment control for this scenario.

Does not prove: Scenario description only; T13's mitigations focus on isolation and identity attestation, not quota budgets specifically. Quota budgets are the Helmwart-layer control for this scenario.

Reference 4
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§Playbook 3 — Securing AI Tool Execution & Preventing Unauthorized Actions — Step 1: Restrict AI Tool Invocation (Proactive)

"Use rate-limiting for API calls and computationally expensive tasks."

Supports: Direct instruction to apply rate-limiting at the tool-invocation layer, covering both API calls and compute-expensive tasks — the two primary budget axes in the MDX deployment section.

Does not prove: Single-line instruction with no granularity on per-agent-identity keying, session scoping, token budgets, or calibration methods. Implementation specifics are Helmwart additions.

Reference 5
v2025

OWASP LLM Top 10 v2025 — LLM10:2025 Unbounded Consumption

§LLM10:2025 Unbounded Consumption — Mitigation strategies

"Apply rate limiting and user quotas to restrict the number of requests a single source entity can make in a given time period."

Supports: Establishes "user quotas" restricting requests by source entity as a named mitigation for Unbounded Consumption — the upstream LLM risk that OWASP T4 Resource Overload explicitly inherits. Directly cited in the MDX independentEvidence field.

Does not prove: In the LLM context the source entity is a user, IP, or API key; per-agent-identity and per-task scoping are the agentic additions not yet articulated in this document.

Reference 6
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI02 Tool Misuse and Exploitation — Prevention and Mitigation Guideline 5 "Adaptive Tool Budgeting"

"Adaptive Tool Budgeting. Apply usage ceilings (cost, rate, or token budgets) with automatic revocation or throttling when exceeded."

Supports: Names the same three budget axes — cost, rate, token — that the MDX mitigation deploys across its three implementation layers (API gateway, agent runtime, downstream cost). "Automatic revocation or throttling when exceeded" is the fail-closed behaviour the MDX describes.

Does not prove: The phrase "Adaptive Tool Budgeting" appears in the context of ASI02 Tool Misuse, not a dedicated resource-quota entry. It does not specify per-agent-identity keying, per-task resets, or calibration methodology.
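
A sketch of usage ceilings with automatic throttling or revocation, keyed the way this page describes the extension: rate per agent identity, token and cost per task. This is an added example, not code from OWASP, NIST, or Helmwart; the class names, the ceiling values, and the choice to throttle on rate overrun but revoke the task grant on token or cost overrun are assumptions.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Budget:                      # hypothetical ceilings, values are constructed
    max_calls: int                 # rate: calls per window, per agent identity
    window_s: float
    max_tokens: int                # token ceiling, per (agent, task)
    max_cost: float                # cost ceiling, per (agent, task)

class QuotaEnforcer:
    def __init__(self, budget, clock=time.monotonic):
        self.budget, self.clock = budget, clock
        self.calls = {}            # agent_id -> timestamps of allowed calls
        self.usage = {}            # (agent_id, task_id) -> [tokens, cost]
        self.revoked = set()       # (agent_id, task_id) grants revoked after overrun

    def authorize(self, agent_id, task_id, tokens, cost):
        """Return 'allow', 'throttle' or 'revoked' for one tool invocation."""
        if tokens < 0 or cost < 0:
            raise ValueError("negative usage would credit the budget")
        key, b, now = (agent_id, task_id), self.budget, self.clock()
        if key in self.revoked:
            return "revoked"       # fail closed: stays denied until an operator resets
        recent = [t for t in self.calls.get(agent_id, []) if now - t < b.window_s]
        self.calls[agent_id] = recent
        if len(recent) >= b.max_calls:
            return "throttle"      # rate ceiling: temporary, clears as the window slides
        used = self.usage.setdefault(key, [0, 0.0])
        if used[0] + tokens > b.max_tokens or used[1] + cost > b.max_cost:
            self.revoked.add(key)  # token or cost ceiling: revoke this task's grant
            return "revoked"
        recent.append(now)
        used[0] += tokens
        used[1] += cost
        return "allow"

if __name__ == "__main__":
    q = QuotaEnforcer(Budget(max_calls=2, window_s=10, max_tokens=100, max_cost=1.0))
    for tokens in (40, 40, 40):    # third call hits the per-agent rate ceiling
        print(q.authorize("agent-a", "task-1", tokens, 0.2))
```

Because the rate window is keyed on agent identity alone, an agent that spawns new task IDs gets a fresh token and cost budget per task but cannot exceed its call rate by doing so.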

Reference 7
Published July 2024

NIST AI 600-1 — Generative AI Profile (NIST AI RMF)

MEASURE 2.7 — "AI system security and resilience" — Suggested Action MS-2.7-001

"Apply established security measures to: Assess likelihood and magnitude of vulnerabilities and threats such as backdoors, compromised dependencies, data breaches, eavesdropping, man-in-the-middle attacks, reverse engineering, autonomous agents, model theft or exposure of model weights, AI inference, bypass, extraction, and other baseline security concerns."

Supports: Explicitly lists "autonomous agents" alongside conventional security threats as a vulnerability class requiring assessment under the security and resilience measure. Provides the NIST policy footing for treating agentic resource consumption as an information security concern rather than purely an operational one.

Does not prove: Does not prescribe rate-limiting or quota controls specifically. The MDX citation in independentEvidence states NIST AI 600-1 "explicitly lists rate limiting under the Unbounded Consumption risk category" — this wording is not precisely correct; the document lists rate limiting in the context of LLM10:2025 Unbounded Consumption via OWASP, not as a standalone NIST action. The strongest on-point NIST wording is the MEASURE 2.7 reference to autonomous agents as a security threat class.