Introduction
Getting started
The security standard for autonomous AI agents operating in enterprise environments.
Traditional security frameworks address infrastructure, applications, and AI model integrity. None adequately address the attack surface created when autonomous agents operate on behalf of users with delegated authority. CONTINUUM/AI fills this gap with controls specifically engineered for agentic operations.
The agentic security challenge
Organizations deploy AI agents that interpret natural language instructions, invoke external tools, and operate with delegated permissions. These agents can read sensitive data, send communications, modify configurations, and execute code. The same capabilities that make agents productive also create unprecedented security risks.
An agent with valid permissions to read confidential data and send emails creates a data exfiltration vector that traditional DLP systems cannot evaluate. The system processes the egress as a legitimate operation because it originates from an authorized identity. The semantic intent of the transmission remains invisible to perimeter controls.
Prompt injection exploits the fundamental mechanism by which agents interpret instructions. Unlike SQL injection, which targets parsing vulnerabilities, prompt injection targets the interpretation layer itself. Malicious instructions embedded in documents, web pages, or API responses redirect agent behavior in ways that signature-based detection cannot anticipate.
A controls-based approach
CONTINUUM/AI defines 48 auditable controls across 10 domains. Each control specifies observable criteria that can be verified through evidence collection. The framework addresses runtime behavior rather than development practices or model characteristics.
The ten domains span the operational lifecycle of agentic systems. Governance establishes policy and ownership. Identity and Authorization manage authentication and permissions. Data Protection and Input Validation address information security. Execution Security provides isolation and containment. Observability enables detection and forensics. Intervention and Resilience support incident response. Supply Chain addresses external dependencies.
Controls apply progressively based on deployment scope and data sensitivity. The Essential profile requires 9 controls for experimental deployments. The Critical profile requires all 48 controls for systems processing regulated data with potential for severe impact.
Risk confluence
Individual permissions that appear safe in isolation become dangerous in combination. CONTINUUM/AI introduces the concept of risk confluence to address emergent risks from capability combinations.
Exfiltration confluence occurs when an agent simultaneously possesses access to restricted data, capability to process external content, and capability to transmit data externally. Persistence confluence occurs when an agent possesses write access to files, read access to credentials, and capability to create scheduled tasks.
When confluence conditions are detected, systems apply elevated controls regardless of declared certification scope. The monitoring requirement in OBS-05 operationalizes confluence detection as an ongoing operational concern rather than a point-in-time assessment.
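The two confluence conditions described above, as an added example that is not part of the CONTINUUM/AI specification: the check runs over the union of capabilities granted by an agent's tools, so grants that look safe one at a time are evaluated together. The capability labels, tool names, and inventory layout are assumptions made for illustration.

```python
# Hypothetical capability labels for the two confluence conditions in the text;
# the framework describes them in prose and defines no identifiers.
CONFLUENCES = {
    "exfiltration": {"restricted_data_read", "external_content_processing",
                     "external_transmit"},
    "persistence": {"file_write", "credential_read", "scheduled_task_create"},
}

def detect_confluence(tool_grants):
    """tool_grants maps tool name -> set of capability labels.

    Returns {confluence: {capability: [tools granting it]}} for each confluence
    whose full capability set is covered by the union of all grants.
    """
    providers = {}
    for tool, caps in tool_grants.items():
        for cap in caps:
            providers.setdefault(cap, []).append(tool)
    findings = {}
    for name, required in CONFLUENCES.items():
        if required.issubset(providers):
            # Record which tool supplies each capability, as audit evidence.
            findings[name] = {c: sorted(providers[c]) for c in sorted(required)}
    return findings

def evaluate_agent(agent):
    """Flag elevated controls on any confluence, whatever scope was declared."""
    findings = detect_confluence(agent["tools"])
    return {"agent": agent["name"],
            "declared_profile": agent["declared_profile"],
            "confluences": findings,
            "elevated_controls_required": bool(findings)}

# Constructed sample inventory (not real deployments).
AGENTS = [
    {"name": "support-triage", "declared_profile": "Essential",
     "tools": {"crm_lookup": {"restricted_data_read"},
               "web_fetch": {"external_content_processing"},
               "send_email": {"external_transmit"}}},
    {"name": "doc-summarizer", "declared_profile": "Essential",
     "tools": {"web_fetch": {"external_content_processing"},
               "notes_write": {"file_write"}}},
]

if __name__ == "__main__":
    for agent in AGENTS:
        result = evaluate_agent(agent)
        print(result["agent"], sorted(result["confluences"]),
              "elevated" if result["elevated_controls_required"] else "ok")
```

Re-running the evaluation whenever a tool grant changes, rather than once at deployment, matches the ongoing monitoring the text describes.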
License and attribution
CONTINUUM/AI v0.1 is published by Open Cybersecurity under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). You may share this material with attribution. Commercial use and derivative works require explicit permission from Open Cybersecurity.
CONTINUUM™ is a trademark of Open Cybersecurity. Contact continuum@opencybersecurity.co for licensing inquiries.

