a2aws2Agentic Workspace Security Standard

Standard

Scope

Working draft

This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

3.1 Unit Of Assessment

The unit of assessment is a scoped agentic workspace system.

An agentic workspace system is the defined environment in which AI agents can observe context and take actions through tools, applications, files, shells, repositories, documents, communication systems, connectors, or other connected resources on behalf of people or organizations.

The unit of assessment is broader than one model, prompt, skill, or runtime. It is narrower than all AI use in an organization.

An aws2 assessment or mapping must define the specific boundary being considered. Examples:

  • one agent runtime connected to a team's repositories, documents, shell, and communication tools
  • one workstation or workspace profile used for delegated agentic work
  • one production agent workflow with defined tools, approvals, owners, and evidence outputs
  • one skill or connector ecosystem as it operates inside a broader runtime and workspace boundary

3.2 In Scope

The following are in scope when they affect what an agent can see, decide, invoke, change, approve, send, or prove inside a business workspace.

Human delegation and authority:

  • user delegation to agents
  • agent-associated identity and user identity
  • approval and review roles
  • high-impact action authorization

Agent runtime and orchestration:

  • tool invocation
  • action policy enforcement
  • planning and task routing where it affects actions
  • session state and memory tied to action-taking behavior
  • sub-agent or multi-agent delegation
  • emergency stop, cancellation, and rollback hooks where available

Workspace and endpoint resources:

  • local and shared files
  • repositories and development environments
  • shells and code execution environments
  • documents, spreadsheets, knowledge bases, and shared drives
  • desktop apps, browsers, SaaS systems, mail, calendar, chat, and ticketing systems
  • sandboxing, network reachability, filesystem boundaries, and resource isolation where relevant to agent actions

Skills, tools, connectors, and integrations:

  • reusable skills, prompts, plugins, connectors, scripts, and tool definitions
  • source provenance and update paths
  • dependency resolution and source trust
  • permission, capability, and high-impact action declarations
  • remote service calls when they affect workspace behavior or evidence

Identity, secrets, and sensitive data handling:

  • delegated authority
  • credential and token access paths
  • secrets exposure through context, tools, logs, memory, or evidence
  • least-privilege boundaries around resources and actions

Evidence and assurance:

  • inventories
  • manifests and configuration snapshots
  • source, dependency, and provenance records
  • approval receipts and runtime action records
  • validation reports and review artifacts
  • governance decisions, exceptions, and claim-limit records

3.3 Out Of Scope

The following are out of scope for core aws2 requirements unless a specific agentic workspace control depends on them.

Out-of-scope areas:

  • frontier-model training safety as a full domain
  • model pretraining, fine-tuning, dataset governance, or benchmark evaluation unrelated to workspace action risk
  • generic enterprise information security controls with no agent-specific relevance
  • cloud-provider baseline controls unrelated to agent behavior
  • consumer chatbot safety outside business workspace use
  • legal, regulatory, and sector-specific compliance except as mapped inputs
  • public certification operations before governance, validation, and release rules exist

These domains may still appear as dependencies, mapping sources, or inherited responsibilities. They are not the primary control surface of this standard.

3.4 Boundary Test

A component belongs inside the aws2 target boundary when failure or misuse of that component can directly change what an agent sees, decides, invokes, changes, sends, approves, or proves in a business workspace.

If a component affects general organizational security posture but does not directly influence agentic workspace behavior or evidence, it should usually be treated as a mapped dependency rather than a core aws2 control surface.

3.5 Scope Record

Every future aws2 assessment, mapping, or internal review should maintain a scope record that identifies:

  • the assessed agentic workspace system
  • the agent runtime or runtimes in scope
  • human actors, approvers, administrators, and reviewers
  • connected tools, skills, connectors, repositories, applications, and data stores
  • workspace, endpoint, network, and execution boundaries
  • identity and delegated-authority surfaces
  • evidence sources and evidence owners
  • out-of-scope systems and rationale
  • inherited controls and their owners
  • claim limits for any external statement
Previous
Introduction
Next
Terms And Definitions