EU AI Act Cybersecurity Controls for Autonomous Agents

What cybersecurity means for an agent runtime

The EU AI Act expects high-risk AI systems to achieve an appropriate level of cybersecurity and resilience against attempts to alter their use, behavior, or outputs. For an autonomous agent, the most dangerous failure is not a leaked prompt. It is a manipulated or compromised instruction that becomes a real action against a system of record. The threat model therefore has to include the path between model generation and execution, not just the model API.

SovereignClaw approaches this by treating the language model as untrusted input and gating execution behind a deterministic kernel. The model proposes; the runtime decides. Because the tier-driving facts are derived independently from operation semantics rather than taken from the model, a manipulated agent cannot simply assert that an action is low-risk to slip past policy.

• Model-supplied facts are never trusted (security property S3).
• Inputs are canonicalized and byte-frozen before risk is computed (S2).
• Any deny is final and cannot be downgraded later (S4, monotonic policy).

Defending against replay, tampering, and TOCTOU

Classic execution attacks try to reuse a valid authorization, or to change an action between the moment it is approved and the moment it runs. The runtime addresses this with a unique nonce per execution, so a captured authorization cannot be replayed, and with adapter binding, so an artifact authorized for one adapter cannot be redirected to another. These are enforced properties, verified across the Rust kernel test suite, rather than configuration suggestions.

Crucially, an unauthorized action does not get blocked after the fact. It receives no execution path at all: the adapter is simply unreachable without a valid gate artifact bound to the intent hash, policy bundle, adapter identity, and nonce. This mechanical refusal is what converts a cybersecurity claim into something auditors can reason about.

• Nonce uniqueness rejects replay and TOCTOU (S5).
• Adapter binding prevents artifact redirection (S6).
• Execution boundary blocks any op lacking a valid gate artifact (S1).

Evidence the runtime produces

Cybersecurity obligations are easier to defend when the system emits verifiable evidence. Every permitted execution produces a signed Authority Receipt recording the intent hash, policy version, decision and rationale, risk tier, approval state, adapter identity, tenant scope, correlation ID, and outcome. Receipts are written to an append-only Merkle ledger that can be verified externally without access to private keys.

Signatures use Ed25519 and canonical hashing uses SHA3-256, so the integrity of the evidence chain rests on standard cryptography rather than a vendor portal. For an incident review tied to a suspected compromise, this gives a security team a tamper-evident record of exactly what was authorized, denied, or escalated.

Enterprise evaluation checklist

When mapping a platform to EU AI Act cybersecurity expectations, push past marketing language about safety and ask how the runtime behaves under adversarial conditions. The goal is to confirm that a manipulated model cannot reach production authority and that you can prove it later.

SovereignClaw is intended to support and provide evidence for these obligations. It does not replace penetration testing, threat modeling, or the formal compliance work your organization still owns.

• Can a captured or replayed authorization execute again?
• Can an authorized action be redirected to a different adapter?
• Is there a signed, externally verifiable record of every execution decision?
• Are tier-driving facts derived independently of the model?