Attacks and Mitigations for Distributed Governance of Agentic AI under Byzantine Adversaries

TL;DR

This paper analyzes attacks on distributed agentic AI governance systems vulnerable to malicious providers and proposes multiple architectures, including Byzantine-resilient, monitoring, auditing, and hybrid solutions, to enhance security with different performance trade-offs.

Contribution

It introduces new architectures for securing agentic AI governance against Byzantine and insider threats, balancing security and performance.

Findings

SAGA-BFT offers strongest security but high performance cost.

SAGA-MON and SAGA-AUD provide lightweight security with minimal overhead.

SAGA-HYB balances security and performance through hybrid architecture.

Abstract

Agentic AI governance is a critical component of agentic AI infrastructure ensuring that agents follow their owner's communication and interaction policies, and providing protection against attacks from malicious agents. The state-of-the-art solution, SAGA, assumes a logically centralized point of trust, the Provider, which serves as a repository for user and agent information and actively enforces policies. While SAGA provides protection against malicious agents, it remains vulnerable to a malicious Provider that deviates from the protocol, undermining the security of the identity and access control infrastructure. Deployment on both private and public clouds, each susceptible to insider threats, further increases the risk of Provider compromise. In this work, we analyze the attacks that can be mounted from a compromised Provider, taking into account the different system components and realistic deployments. We identify and execute several concrete attacks with devastating effects: undermining agent attributability, extracting private data, or bypassing access control. We then present three types of solutions for securing the Provider that offer different trade-offs between security and performance. We first present SAGA-BFT, a fully byzantine-resilient architecture that provides the strongest protection, but incurs significant performance degradation, due to the high-cost of byzantine resilient protocols. We then propose SAGA-MON and SAGA-AUD, two novel solutions that leverage lightweight server-side monitoring or client-side auditing to provide protection against most classes of attacks with minimal overhead. Finally, we propose SAGA-HYB, a hybrid architecture that combines byzantine-resilience with monitoring and auditing to trade-off security for performance. We evaluate all the architectures and compare them with SAGA. We discuss which solution is best and under what conditions.