Blast radius modeling for agentic systems. Five measurable axes for modeling and bounding non-human identity impact, cross-walked to existing standards.
The term agentic blast radius is industry-adopted vocabulary as of 2026 (NHI Management Group, Cycode, Apiiro publications). What has been missing is a structured framework that gives the term measurable axes, normative bounding requirements, and a cross-walk to existing standards. This repository is the working artifact for that framework.
- Action class — read-only / reversible / external-reversible / irreversible
- Chain depth — single-step vs multi-hop agent-to-agent invocation
- External reach — in-tenant / cross-tenant / outside-org / third-party
- Reversibility window — time to detect and revert before harm propagates
- Identity scope — workload-bound / shared / federated
Each axis carries bounding requirements that map to controls in existing standards.
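As an added illustration (not code from this repository), the sketch below checks a requested agent action against a per-identity bound on all five axes and reports which axes are exceeded. The `Profile` type, the `exceeded_axes` function, the sample bound values, and the reading of each axis's listed order as increasing impact are assumptions of this example; the framework's own bounding requirements are defined in its chapters.

```python
from dataclasses import dataclass

# Axis values in the order the README lists them; treating that order as
# increasing impact is an assumption of this example.
ACTION_CLASS = ["read-only", "reversible", "external-reversible", "irreversible"]
EXTERNAL_REACH = ["in-tenant", "cross-tenant", "outside-org", "third-party"]
IDENTITY_SCOPE = ["workload-bound", "shared", "federated"]


@dataclass(frozen=True)
class Profile:
    """One point on the five axes: either a requested action or a bound."""
    action_class: str
    chain_depth: int        # 1 = single-step, >1 = multi-hop
    external_reach: str
    revert_seconds: int     # time needed to detect and revert (assumed unit)
    identity_scope: str


def exceeded_axes(request: Profile, bound: Profile) -> list[str]:
    """Return the axes on which the request exceeds the bound (empty = within)."""
    over = []
    for axis, scale in (("action_class", ACTION_CLASS),
                        ("external_reach", EXTERNAL_REACH),
                        ("identity_scope", IDENTITY_SCOPE)):
        # .index() raises ValueError on an unknown label, so a typo fails closed.
        if scale.index(getattr(request, axis)) > scale.index(getattr(bound, axis)):
            over.append(axis)
    if request.chain_depth > bound.chain_depth:
        over.append("chain_depth")
    if request.revert_seconds > bound.revert_seconds:
        over.append("revert_seconds")
    return over


# Constructed sample data: a hypothetical bound for one agent identity.
BOUND = Profile("reversible", 2, "in-tenant", 900, "workload-bound")
WITHIN = Profile("read-only", 1, "in-tenant", 60, "workload-bound")
# Constructed request: three-hop chain, outside the org, shared credential.
OVER = Profile("irreversible", 3, "outside-org", 86400, "shared")

if __name__ == "__main__":
    for name, req in (("within", WITHIN), ("over", OVER)):
        over = exceeded_axes(req, BOUND)
        print(name, "ALLOW" if not over else f"DENY {over}")
```

Returning the list of exceeded axes rather than a single boolean lets an audit record state which bound a denied action violated.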
- OSI 7-Layer Cross-Walk — network-stack lens for agentic security; per-layer concerns, 2025-2026 attack vectors, existing controls, and gaps from L1 (Physical) to L7 (Application). Companion to Pirch et al. arxiv 2605.14932 OS-analog framework.
Additional chapters in drafting.
Under active drafting. Independent framework, Apache 2.0 licensed, open for use and citation by any standards body, working group, vendor, researcher, or practitioner.
Drafts are versioned as the framework evolves.
Anyone is free to use, fork, extend, and cite the framework under the Apache 2.0 license. Citation discipline:
Academic / formal citation:
Agnihotri, M. Agentic Blast Radius Framework — Modeling and Bounding Non-Human Identity Impact. GitHub repository, 2026. https://github.com/Mayur021/agentic-blast-radius-framework
Inline / informal citation:
The Agentic Blast Radius framework (Agnihotri, 2026; github.com/Mayur021/agentic-blast-radius-framework) defines five measurable axes…
Joint-credit on chain audit material:
The 6-property chain audit schema referenced in this framework is joint work with Mallikarjunarao Sunke (under review for CSA NHI v1.0). Always joint-credit Mallikarjunarao when citing the chain-audit schema specifically.
Citing specific chapters or axes:
Use the file path under the repo URL, e.g.:
Axes 1-5, Agentic Blast Radius Framework, OSI Cross-Walk Chapter
- OWASP AISVS C9.2.6 / C9.2.7 cited as "Proposed for v1.01" — verbatim phrase from the merged PR text in the AISVS research/ directory; controls are not yet in 1.0/en/.
- CSA NHI v1.0 cited as "Working Draft" — the document subtitle as of 2026-06-11.
- CoSAI WS4 #99 Agent Credentials cited as "in 4-week initial-draft window" (window opened 2026-06-04 working session).
- CoSAI WS4 #50 Trust-Aware Dataplane cited as "accepted RFC".
- 6-property chain audit schema joint-credited to Mallikarjunarao Sunke — never solo claim.
- Pirch et al. arxiv 2605.14932 cited as the anchor for OS-analog reasoning about agent security.
Pirch, L., Horlboge, M., Großmann, P., Asif, S. M., Kireev, K., Holz, T., Rieck, K. "Toward Securing AI Agents Like Operating Systems." arxiv:2605.14932 (14 May 2026).
The OS-analog framework remains the cleanest host-side analysis of agent security available in the public literature as of June 2026. The OSI cross-walk chapter in this repository is intended to complement, not replace, that analysis.
- Mayur021/aisvs-action-class-reference — reference implementation of OWASP AISVS C9.2.6 and C9.2.7
- Mayur021/agentic-standards-cross-walk — vendor-neutral cross-walk across CSA / NIST / OWASP / CoSAI / SPDX
Issues and pull requests welcome. The framework benefits from cross-cluster review, especially:
- Per-layer attack vectors observed in production agentic deployments
- Framework coverage corrections (the matrix is a snapshot; coverage evolves)
- Joint-authored extensions where existing standards intersect with the axes
Apache License 2.0

