Implementing Forrester's AEGIS Framework at the Infrastructure Layer

Forrester's AEGIS framework (Agentic AI Enterprise Guardrails For Information Security) defines 39 controls across six domains for securing AI agents in the enterprise. It is the most comprehensive analyst framework for agentic AI security to date, with regulatory cross-mapping to NIST AI RMF, ISO/IEC 42001:2023, OWASP Top 10 for LLMs, the EU AI Act, and MITRE ATLAS. CISOs are adopting it as the evaluation standard for agent governance.

The framework is strong on what organizations need. It is intentionally silent on how to implement it. That's by design: AEGIS is vendor-neutral and architecture-agnostic. But it leaves platform engineers and security architects with a practical question: where do these 39 controls actually get enforced?

This post maps AEGIS's six domains and three core principles to Traefik Hub's Triple Gate architecture (API Gateway, AI Gateway, MCP Gateway), with configuration examples showing how specific AEGIS controls translate to Kubernetes CRDs that enforce at the infrastructure layer.

Key Takeaways

• Forrester's AEGIS framework defines 39 controls across 6 domains. Its Zero Trust domain explicitly calls for "policy gateways" that all agent traffic must flow through.
• Traefik Hub's Triple Gate architecture maps to 4 of 6 AEGIS domains (IAM, Data Security, Application Security, Zero Trust) with strong, product-native implementation from a single platform.
• AEGIS's core principle, "least agency," is the design philosophy behind TBAC (Tools/Tasks/Transactions-Based Access Control): infrastructure-layer enforcement of what agents can do, independent of the agent runtime.
• The remaining 2 domains (GRC and Threat Management) require organizational processes and complementary solutions, as expected for any infrastructure product.
• We also published a companion post mapping infrastructure-layer enforcement to the OWASP Top 10 for Agentic Applications.

Why Infrastructure-Layer Enforcement Matters for AEGIS

Before mapping individual domains, it's worth understanding why AEGIS repeatedly calls for enforcement at the infrastructure layer rather than inside the agent runtime.

AEGIS's Zero Trust domain is explicit: "all access to APIs or data [must] flow through Zero Trust enforcement layers such as policy gateways or conditional access controls." The Application Security domain requires "channeling agent interactions through secure gateways with runtime policy enforcement and input sanitization."

The reason is architectural. Agent platforms are adding application-level controls: RBAC, audit logging, policy SDKs, signed skills. These operate inside the agent runtime. If the runtime is compromised through prompt injection, jailbreak, or privilege escalation, the governance is compromised with it. Application-layer controls and infrastructure-layer enforcement serve different purposes. Application-layer tools govern the agent's logic: what it should do. Infrastructure-layer enforcement governs the traffic: what it's allowed to do, regardless of what the runtime thinks is appropriate.

AEGIS treats both as necessary. This post focuses on the infrastructure layer. For a deeper look at how infrastructure-layer enforcement maps to specific agentic risks, see our companion post on the OWASP Agentic Top 10.

AEGIS Core Principles: Least Agency, Continuous Assurance, and Securing Intent

Before mapping individual domains, AEGIS is built on three core principles. Each maps to a Traefik Hub architectural decision.

Principle 1: Least Agency

AEGIS introduces "least agency" as its foundational principle. It extends the concept of least privilege beyond access control to cover decisions and actions. Agents should receive only the minimum permissions, capabilities, tools, and decision-making authority necessary for a specific task.

Traefik Hub implements least agency through TBAC (Tools/Tasks/Transactions-Based Access Control) in the MCP Gateway. TBAC enforces actions an agent identity is authorized to commit at the infrastructure layer: which tools it can invoke, which tasks it can perform, which transaction parameters are permitted, and under what conditions.

The enforcement is scoped to the agent's JWT identity. The same identity context that authenticates an API call (Gate 1), governs token budgets (Gate 2), and authorizes tool invocations (Gate 3). There's no gap where an agent can authenticate as one identity and act with the permissions of another.

Here's what least agency looks like in practice. Consider an inventory management agent that should be able to look up stock levels and create alerts, but should never be able to approve purchase orders:

Request flow for agent identity "inventory-agent-prod-01":

Gate 1 (API Gateway):
  → JWT validated: agent=inventory-agent-prod-01, team=warehouse, role=inventory-reader
  → Rate limit checked: 1,000 requests/hour for this identity based on the agent scope

Gate 2 (AI Gateway):
  → Token budget checked: 50,000 tokens/day remaining
  → Safety pipeline: all configured tiers execute in parallel
  → Token consumption recorded against this identity

Gate 3 (MCP Gateway):
  → TBAC evaluated:
    - Tool: inventory-lookup (authorized, read-only)
    - Tool: stock-alert (authorized, max 10 creates/hour)
    - Tool: purchase-order (DENIED, requires manager-agent role)
  → Agent tool call budget checked: 10,000 calls/day remaining
  → Invocation executed and logged with full parameter capture

The agent can look up inventory. It can create stock alerts, up to 10 per hour. It cannot approve purchases. These constraints are enforced at the traffic layer, below the agent runtime. If the agent is prompt-injected into believing it has purchase authority, TBAC still blocks the tool invocation because the authorization check happens in the gateway process, not in the agent process.

This is what AEGIS means by least agency: not just controlling access to systems, but controlling what an agent can do within those systems, enforced independently of the agent's own understanding of its permissions.

Principle 2: Continuous Risk Management

AEGIS's second principle replaces periodic audits with continuous evaluation of data, model, and agent integrity. Continuous assurance, not point-in-time compliance.

In Traefik Hub, this translates to per-request enforcement. The composable safety pipeline runs on every request and every response. TBAC evaluates every tool invocation. Token budgets are checked before every LLM interaction. There is no sampling, no periodic scan, no batch evaluation.

JWT validation happens on every request, not once per session. If a token expires, the next request is denied. If a TBAC policy is updated via a Kubernetes CRD change, the updated policy is enforced on the next request, with no redeployment required.

Deployment via Kubernetes CRDs enables GitOps-driven policy management. TBAC policies and safety pipeline configurations are version-controlled, auditable, and continuously reconciled by the Kubernetes controller. Drift from the declared state is automatically corrected. This means governance policies are not just continuously enforced; they're continuously reconciled to the desired state.

Principle 3: Securing Intent

AEGIS's third principle shifts the focus from infrastructure-centric controls to intent-centric controls. Organizations need to understand whether an agent's actions are malicious or benign, intentional or unintentional.

The Triple Gate architecture provides intent visibility across the full AI workflow:

• Gate 1 (API Gateway): Who is this user or agent, and are they authorized to access this API?
• Gate 2 (AI Gateway): What is the user asking the LLM? Is the content safe? Is the LLM's response factually grounded and free of harmful content?
• Gate 3 (MCP Gateway): What tool is the agent invoking, with what parameters? Is this action authorized for this agent identity?

The same JWT identity is tracked across all three gates. When an incident occurs, the audit trail shows the full chain: who authenticated, what they asked, what the model responded, what tool the agent invoked, with what parameters, and what the governance decision was at every step. This is the evidence chain AEGIS requires for securing intent.

Mapping the Six AEGIS Domains

With the principles established, here's how each AEGIS domain maps to infrastructure-layer enforcement. Domains are covered in order. Coverage depth varies: four domains map strongly to product-native capabilities, two require organizational processes where we provide the enforcement layer but not the full domain.

Domain 1: Governance, Risk, and Compliance

AEGIS's GRC domain covers organizational governance: oversight functions, AI system inventories, risk classification, acceptable use policies, and cross-functional governance groups.

Coverage: Partial (enforcement layer). This is primarily an organizational domain, not a product-layer domain. No gateway product provides governance committees or risk classification taxonomies. What Traefik Hub provides is the enforcement infrastructure that makes GRC decisions machine-executable.

GRC policies that exist only in documents don't enforce themselves. A policy that says "agents must not access customer PII without explicit authorization" is only as strong as the system that enforces it. In Traefik Hub, that policy becomes a TBAC CRD that blocks unauthorized access at the traffic layer, plus a safety pipeline rule that masks PII in transit. The GRC team defines what should be allowed; the infrastructure enforces it.

For AI system inventory and risk classification, integration with an existing CMDB or governance platform is required. Traefik Hub's telemetry (which agents exist, what they access, how much they consume, what governance decisions were made) provides the operational evidence that feeds inventory and risk processes.

Domain 2: Identity and Access Management

AEGIS's IAM domain treats agents as a new identity class (neither fully human nor fully machine) that requires unique identification, just-in-time privileges, human oversight, and contextual authentication.

Coverage: Strong. Traefik Hub's implementation centers on JWT-based identity continuity. Every agent interacting with the Triple Gate is identified by its JWT claims. Token rate limiting, safety pipeline logging, TBAC authorization, and observability telemetry all track against this unique identity. This enables:

• Per-agent token consumption tracking and budget enforcement
• Per-agent distributed traces across all three gates, capturing authentication decisions, guard results, and tool invocations per call via OpenTelemetry
• Per-agent safety pipeline results
• Per-agent tool invocation history with full parameter capture

For just-in-time privileges, TBAC supports conditional, scoped authorization. High-risk tool invocations can require human approval. Time-windowed permissions can restrict agent capabilities to specific operational hours. Parameter-level constraints can limit the scope of approved actions.

Authentication is continuous. JWT validation occurs on every request at Gate 1. The validated identity propagates through Gates 2 and 3, where it is re-evaluated against the relevant TBAC policies and token budgets. There is no session-based trust. Every interaction is independently validated.

Domain 3: Data Security and Privacy

AEGIS's Data Security domain covers data classification for agent contexts, controls for agent memory, data enclaves, anonymization, privacy-preserving AI operations, and data provenance.

Coverage: Strong. The composable safety pipeline is Traefik Hub's implementation of these controls. It operates bidirectionally (on both requests and responses) across four tiers, each with different detection capabilities.

Here's a configuration that implements multiple AEGIS data security controls in a single middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: aegis-data-protection
  namespace: ai-services
spec:
  plugin:
    content-guard:
      engine:
        regex: {}

      request:
        # Prevent data extraction via prompt manipulation
        - jsonQueries:
            - ".messages[].content"
          block: true
          reason: "data_extraction_detected"
          entities:
            - "(?i)repeat.*(training|system|original).*(data|prompt|instructions)"
            - "(?i)output.*(everything|all).*(you know|in your|you were)"

        # Mask Social Security numbers before they reach the LLM
        - jsonQueries:
            - ".messages[].content"
            - ".context"
          mask:
            char: "*"
            unmaskFromLeft: 0
            unmaskFromRight: 4
          entities:
            - "\\d{3}-\\d{2}-\\d{4}"

        # Mask credit card numbers
        - jsonQueries:
            - ".messages[].content"
            - ".customer.payment"
          mask:
            char: "*"
            unmaskFromLeft: 0
            unmaskFromRight: 4
          entities:
            - "\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}"

      response:
        # Prevent infrastructure data leakage in LLM responses
        - jsonQueries:
            - ".choices[].message.content"
          mask:
            char: "X"
            unmaskFromLeft: 0
            unmaskFromRight: 0
          entities:
            - "192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}"
            - "10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
            - "(?i)(postgres|mysql|redis)://[^\\s]+"

This configuration covers three AEGIS data security requirements:

Data loss prevention (request-side): The first rule blocks prompts that attempt to extract training data or system instructions. This is deterministic, sub-millisecond, and catches the most common data extraction patterns.

PII anonymization (request-side): The second and third rules mask SSNs and credit card numbers before they reach the LLM. The data is redacted in-place: the request continues with ***-**-1234 instead of the full SSN. The LLM never sees the original value.

Infrastructure data protection (response-side): The fourth rule prevents the LLM from leaking internal IP addresses and database connection strings in its responses. This catches a common failure mode where models trained on internal documentation inadvertently expose infrastructure details.

This is Tier 1 (Regex Guard) only. For PII that doesn't follow strict patterns (misspelled names, partial phone numbers, context-dependent personal data), add Tier 2 (Microsoft Presidio). For semantic threats (prompt injection attempts that don't use obvious keywords, off-topic drift, harmful content), add Tier 3 (NVIDIA NIMs) and Tier 4 (IBM Granite Guardian). All tiers run in parallel. For a detailed walkthrough of the full four-tier pipeline, see From Regex to GPU: Building a Multi-Vendor AI Safety Pipeline.

A note on deployment model: Traefik Hub is self-hosted. All safety pipeline processing runs on the customer's infrastructure. No data leaves the customer's environment for governance evaluation. For organizations subject to data residency requirements (EU AI Act, GDPR, NIS2), this is not a feature but a requirement. Air-gapped deployment is fully supported.

Domain 4: Application Security and DevSecOps

AEGIS's Application Security domain covers the agent software lifecycle: risk evaluation, DevSecOps practices, supply chain assessment, adversarial testing, embedded telemetry, sandbox interactions, input sanitization, and runtime policy enforcement.

Coverage: Strong. Two aspects of this domain are particularly relevant at the infrastructure layer: runtime policy enforcement and supply chain security.

Runtime policy enforcement: TBAC policies are expressed as Kubernetes CRDs and enforced on every MCP tool invocation. This is runtime enforcement that operates independently of the agent's application code. The agent framework does not evaluate TBAC policies, cannot modify them, and has no mechanism to bypass them.

AEGIS also requires that governance controls work with agent architectures, not against them. Traditional gateways return an HTTP 403 Forbidden when a policy blocks a request. For autonomous agents executing multi-step workflows, a 403 breaks the agent's control flow. The agent can't distinguish between "the guardrail blocked this specific request" and "something is fundamentally wrong with the system." Most agent frameworks treat non-2xx responses as system errors.

Traefik Hub's onDenyResponse feature addresses this. When a guard blocks a request, the response can be configured to return a structured, schema-compliant refusal (HTTP 200 with a conversational message) instead of a raw 403:

blockConditions:
  - reason: harmful_content
    condition: Contains("yes")
    onDenyResponse:
      statusCode: 200
      message: >
        This request was blocked by organizational security policy.
        Please reformulate your request within acceptable use guidelines.

An agent receiving this structured refusal can parse it as a valid conversational turn, understand that the request was refused (not that the system failed), and decide what to do next. The middleware chain downstream continues to function normally. This is what makes infrastructure-layer governance agent-aware: enforcement that works with autonomous workflows rather than breaking them.

Supply chain security for agent tools: AEGIS calls for software supply chain assessment, which in the agentic AI context means securing the MCP tool supply chain. The risk is real: malicious MCP servers have already been documented in the wild (the Postmark MCP backdoor in September 2025 shipped 15 clean versions before injecting a backdoor in v1.0.16, affecting approximately 500 organizations).

The MCP Gateway addresses this at the infrastructure layer:

• Server allowlisting: TBAC policies explicitly define which MCP servers each agent identity can connect to. Connections to unlisted servers are denied at the gateway.
• Tool-level authorization: Even within an allowed MCP server, TBAC controls which specific tools the agent can invoke.
• Parameter constraints: TBAC can limit the parameters an agent passes to authorized tools (read-only database queries, restricted file paths, capped transaction values).
• Outbound inspection: The MCP Gateway can inspect outgoing API calls from agent tool invocations, preventing data exfiltration through tool parameters.

An agent that gets prompt-injected into connecting to a malicious MCP server is blocked by the TBAC allowlist. These are infrastructure-layer controls that the agent runtime cannot override.

Domain 5: Threat Management and Security Operations

AEGIS's Threat Management domain covers real-time monitoring, anomaly detection, comprehensive logging, rapid containment, hallucination detection, and incident response readiness.

Coverage: Partial (detection and containment). Traefik Hub covers the detection and containment aspects of this domain through the composable safety pipeline and operational controls.

Hallucination detection deserves specific attention because AEGIS calls it out as a required capability and because it is architecturally distinct from other threat types. IBM Granite Guardian provides hallucination detection and RAG quality assessment through the LLM Guard middleware. The useRequestHistory: true parameter provides the request context so the model can evaluate whether the response is factually supported. Regex patterns and NLP-based entity detection cannot detect hallucinations because they match surface patterns, not factual accuracy. This requires a semantic model.

Parallel threat detection across multiple guard providers (NVIDIA NIMs for 22+ harm categories and jailbreak detection, IBM Granite Guardian for hallucination and harm) runs concurrently. Total enforcement time equals the slowest guard, not the sum.

Rapid containment via the Failover Router implements circuit-breaker chains. When a provider returns error status codes (429, 500-504), traffic is automatically rerouted to fallback providers. All safety policies remain enforced regardless of which provider is serving the request. The governance doesn't degrade when the model does.

Comprehensive logging across every gate emits structured telemetry: API authentication results (Gate 1), safety pipeline guard decisions with reasons (Gate 2), and TBAC authorization decisions with tool and parameter details (Gate 3). All telemetry includes the agent identity for cross-gate correlation and is exported via OpenTelemetry to the observability platform of your choice.

Request mirroring provides a distinct and complementary capability worth calling out specifically. Traefik Hub can forward a live copy of every request and response to an external destination in parallel with the primary traffic flow, with no impact on latency for the agent workload. For SIEM and UEBA integration, this means security tooling receives the actual payloads in real time, not just metadata after the fact. Threat detection models can analyze live traffic, identify anomalous patterns, and feed updated policy signals back to the gateway. This is the integration point where infrastructure-layer enforcement connects to SOC workflows.

A note on scope: Traefik Hub provides detection and containment at the traffic layer. Behavioral anomaly detection (establishing baseline invocation patterns and alerting on deviation) and incident response workflows are organizational capabilities that require SIEM/UEBA integration and SOC processes. AEGIS expects both. The gateway provides the telemetry and the live traffic mirror that those processes require; the analytical and response layers sit above it.

Domain 6: Zero Trust Architecture

AEGIS's Zero Trust domain is the most direct validation of infrastructure-layer enforcement. The AEGIS framework requirements read as a description of a policy gateway architecture:

• "All access to APIs or data [must] flow through Zero Trust enforcement layers such as policy gateways or conditional access controls."
• Network access layer controls for agent workloads.
• Continuous validation of agent runtime environment.
• Agent-to-agent communication monitoring.
• Ephemeral identities for autonomous systems.

Coverage: Strong. The Triple Gate architecture is a policy gateway. Every API call (Gate 1), every LLM interaction (Gate 2), and every MCP tool invocation (Gate 3) flows through the gateway with policy enforcement. There is no bypass path.

TBAC enforces least agency at the infrastructure layer. Agents receive only the tools, tasks, and transaction authority explicitly granted by their TBAC policy. No implicit permissions. No inheritance of elevated privileges from the agent runtime.

When agents communicate via API calls or MCP tool invocations, both sides of the interaction pass through the Triple Gate. The initiating agent's request is authenticated and authorized via TBAC. The receiving agent's response passes through the safety pipeline. The full interaction is logged with both agent identities.

JWT-based identity supports scoped tokens with configurable expiration. Agents can be issued tokens that are task-scoped, with a short time-to-live set at issuance time. Expired tokens and tokens with incorrect scopes are rejected.

For organizations in regulated industries where SaaS governance tools are not permitted, Traefik Hub is self-hosted on the customer's infrastructure. Air-gapped deployment is fully supported. Traefik Hub is FIPS 140-2 validated and FIPS 140-3 ready (native Go BoringCrypto). No governance data, telemetry, or policy configurations leave the customer's environment.

Putting It Together: One Request, Five Domains

Here's how AEGIS domains intersect in a single request through the Triple Gate:

1. Request arrives. Gate 1 validates the agent's JWT and enforces API rate limits. → Domain 2 (IAM), Domain 6 (ZTA)
2. Token budget check. If the estimated input tokens would exceed the agent's remaining budget, the request is blocked before any guard runs. → Domain 6 (ZTA: least agency applied to resource consumption)
3. Safety pipeline executes. Regex Guard masks SSNs and credit cards. Presidio catches context-dependent PII. NVIDIA NIMs scan for prompt injection and harmful content. All tiers run in parallel. → Domain 3 (Data Security), Domain 5 (Threat Management)
4. LLM responds. The response passes back through the pipeline. Granite Guardian checks for hallucination against the request context. Regex Guard masks any internal IP addresses in the output. → Domain 3 (Data Security), Domain 5 (Threat Management)
5. Agent invokes an MCP tool. TBAC validates the tool invocation against the agent's authorized tools, permitted parameters, and usage limits. → Domain 4 (Application Security), Domain 6 (ZTA: least agency)
6. Telemetry emitted. Every gate logs the agent identity, governance decisions, guard results, tool invocations, and token consumption. → Domain 1 (GRC: evidence for governance reporting), Domain 5 (Threat Management: SOC monitoring)

Five of six AEGIS domains are enforced in a single request, through one platform, with one identity context.

Coverage Summary

Not every AEGIS domain is a product-layer control. AEGIS is a comprehensive organizational framework, and some domains require processes, teams, and governance structures that no infrastructure product can provide. Here's our assessment of where Traefik Hub's Triple Gate provides strong coverage and where complementary solutions are required:

AEGIS Domain	Triple Gate Coverage	What's Covered	What Requires Complement
Domain 1: GRC	Partial (enforcement)	Machine-executable policy enforcement, governance evidence via telemetry	Governance oversight function, AI system inventory, risk classification
Domain 2: IAM	Strong	JWT identity continuity, per-agent tracking, TBAC-scoped authorization, continuous authentication	Agent onboarding/offboarding workflows (requires IdP integration)
Domain 3: Data Security	Strong	4-tier PII detection and masking, bidirectional enforcement, DLP, self-hosted data processing	Data classification taxonomy, agent memory controls
Domain 4: Application Security	Strong	TBAC runtime policy enforcement, MCP supply chain security, agent-aware error handling, input sanitization	SDLC integration, adversarial red teaming
Domain 5: Threat Management	Partial (detection + containment)	Hallucination detection, content threat detection, prompt injection defense, circuit breakers, comprehensive logging	Behavioral anomaly detection, forensic investigation workflows, incident response playbooks
Domain 6: Zero Trust	Strong	Policy gateway enforcement, least agency via TBAC, continuous validation, agent-to-agent monitoring, air-gapped deployment	Network segmentation (requires CNI integration)

Four of six domains with strong, product-native implementation. Two domains with partial coverage that requires organizational processes or complementary solutions. This is an expected distribution for an infrastructure product: GRC and SecOps are organizational capabilities, while IAM, Data Security, Application Security, and Zero Trust are enforceable at the infrastructure layer.

What's Next

AEGIS is gaining traction as the evaluation standard for agentic AI governance. As CISOs adopt it, the question shifts from "do we need agent governance?" to "how do we implement these 39 controls?" For the infrastructure-layer controls, the answer is a policy gateway that enforces identity, data security, application security, and zero trust on every request, every response, and every tool invocation.

For a complementary perspective on infrastructure-layer enforcement, see our mapping of the OWASP Top 10 for Agentic Applications to the gateway layer. And for a deep technical walkthrough of the composable safety pipeline referenced throughout this post, see From Regex to GPU: Building a Multi-Vendor AI Safety Pipeline.

Traefik Hub v3.20 is now available as an Early Access release, with general availability planned for late April 2026. To try the capabilities described in this post, sign up for Early Access.

---

Frequently Asked Questions

What is Forrester's AEGIS framework?

AEGIS (Agentic AI Enterprise Guardrails For Information Security) is a security framework published by Forrester Research that defines 39 controls across six domains for securing AI agents in the enterprise. The six domains are: Governance, Risk, and Compliance (GRC); Identity and Access Management (IAM); Data Security and Privacy; Application Security and DevSecOps; Threat Management and Security Operations; and Zero Trust Architecture. The framework includes regulatory cross-mapping to NIST AI RMF, ISO/IEC 42001, OWASP Top 10 for LLMs, the EU AI Act, and MITRE ATLAS.

What is "least agency" in the AEGIS framework?

Least agency is AEGIS's foundational security principle. It extends the concept of least privilege beyond access control to cover decisions and actions. Under least agency, AI agents should receive only the minimum permissions, capabilities, tools, and decision-making authority necessary for a specific task. It is the agentic equivalent of the principle of least privilege, applied to autonomous systems that make decisions, not just access resources.

How do you implement AEGIS controls at the infrastructure layer?

AEGIS controls can be implemented at the infrastructure layer through a policy gateway that sits between agent workloads and the services they consume. Traefik Hub's Triple Gate architecture (API Gateway, AI Gateway, MCP Gateway) enforces AEGIS controls on every API call, LLM interaction, and MCP tool invocation. Identity controls are enforced via JWT-based authentication. Data security controls are enforced via a composable safety pipeline. Application security controls are enforced via TBAC (Tools/Tasks/Transactions-Based Access Control). Zero trust controls are enforced through continuous per-request validation.

How many AEGIS domains can be enforced at the infrastructure layer?

Four of six AEGIS domains (IAM, Data Security, Application Security, Zero Trust) can be strongly enforced at the infrastructure layer through a policy gateway. The remaining two domains (GRC and Threat Management/SecOps) are primarily organizational capabilities that require governance processes, SIEM integration, and SOC operations, though infrastructure-layer telemetry provides the evidence these processes need.

What is the difference between AEGIS and the OWASP Top 10 for Agentic Applications?

AEGIS is a comprehensive organizational security framework with 39 controls across six governance domains, focused on how enterprises should structure their AI agent security programs. The OWASP Top 10 for Agentic Applications is a risk taxonomy that identifies the ten most critical security risks for autonomous AI agents (such as goal hijacking, tool misuse, and identity abuse). AEGIS tells you what controls to implement; OWASP tells you what risks to prioritize. Both are complementary and map to infrastructure-layer enforcement. See our OWASP Agentic Top 10 mapping for the risk-level view.