a2aws2Agentic Workspace Security Standard

Control Families

AWS2-WSB: Workspace And Execution Boundaries

Working draft

This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

Objective:

The scoped agentic workspace system should constrain what agents can read, write, execute, reach, or modify in the workspace and endpoint environment so that agent activity remains within approved operational boundaries.

Primary layer: workspace and endpoint.

Typical owner: workspace or endpoint.

Applicability:

Applies when agents can access local files, repositories, shell, browsers, desktop apps, SaaS systems, shared drives, developer tools, or networked resources.

Level 1 Candidate Requirements

AWS2-WSB-L1-001: The scoped agentic workspace system MUST identify workspace resources that agents can read, write, execute, send to, or otherwise modify, including local files, repositories, SaaS systems, browsers, shells, network endpoints, and shared workspace resources where applicable.

AWS2-WSB-L1-002: The scoped agentic workspace system MUST identify whether agents can execute shell commands, scripts, code, browser automation, package installation, or other local automation, and MUST distinguish read-only, write-capable, execution-capable, and externally transmitting access.

AWS2-WSB-L1-003: The scoped agentic workspace system MUST document any filesystem, repository, network, sandbox, browser, hosted-service, or application boundaries used to limit agent access, including known exclusions from the boundary.

Level 2 Candidate Requirements

AWS2-WSB-L2-001: The scoped agentic workspace system MUST enforce scoped access for production workflows so agents cannot freely read, write, execute, or transmit outside the approved workspace boundary, including through shells, browser automation, connectors, repository access, or network egress where applicable.

AWS2-WSB-L2-002: The scoped agentic workspace system MUST require review or approval before agents perform workspace actions with broad filesystem impact, production write impact, access-control impact, external communication impact, sensitive data movement, or rollback-difficult infrastructure impact.

AWS2-WSB-L2-003: The scoped agentic workspace system SHOULD use sandboxing, environment profiles, repository scopes, connector scopes, network egress restrictions, filesystem monitoring, rollback points, or equivalent controls to separate low-risk work from high-impact work.

Level 3 Candidate Requirements

AWS2-WSB-L3-001: The scoped agentic workspace system MUST validate boundary enforcement for high-impact environments through tests, reviews, or controlled exercises, including attempts to cross filesystem, repository, network, connector, or execution boundaries that are material to the assessment.

AWS2-WSB-L3-002: The scoped agentic workspace system MUST retain evidence of boundary-relevant configuration for material production periods, including sandbox, deployment, network, filesystem, repository, browser, and connector-scope configuration where applicable.

AWS2-WSB-L3-003: The scoped agentic workspace system SHOULD monitor for attempts to bypass workspace boundaries, including denied file writes, denied command execution, unexpected connector use, unexpected network egress, sandbox escapes, or policy-triggered access outside the approved scope.

Minimum evidence examples:

  • reachable-resource inventory
  • workspace or endpoint boundary configuration
  • sandbox or environment profile
  • deployment architecture or execution-environment description
  • connector-scope policy
  • network egress or filesystem monitoring policy
  • denied-action or boundary-trigger logs
  • rollback, containment, or boundary-test record
  • boundary validation report

Mapping notes:

  • The completed crosswalk treats AWS2-WSB as a candidate-control family shaped by sandboxing, deployment architecture, infrastructure containment, filesystem monitoring, network restriction, connector boundary, and rollback signals from OWASP AISVS, OWASP Agentic Skills Top 10, AIUC-1, CSA MAESTRO, and Five Eyes guidance. The family remains tied to concrete workspace and endpoint evidence rather than broad endpoint-security claims.

Claim limits:

  • Boundary configuration supports evidence for selected workspace controls. It does not prove endpoint security, cloud security, network security, AIUC-1 certificate equivalence, AISVS conformance, or effective containment outside the scoped agentic workspace boundary.
Previous
AWS2-DEL: Delegation, Authority, And Identity
Next
AWS2-RUN: Runtime Policy, Approvals, And Action Control