Why Your Detection Latency Budget Determines Blast Radius
Most teams buy detection on a single number. The datasheet says “millisecond detection,” the proof-of-concept...
May 16, 2026
It’s 2:47 AM. The SOC analyst’s screen lights up with a Layer 2 alert: payment-agent exercising outside observed scope. She knows what to do — open the platform team’s IAM policy file and figure out what to revoke. The file enumerates declared roles. It says nothing about what the agent has actually been doing for the past three weeks. Her detection layer captured the deviation. Her enforcement layer can’t consume what the detection layer captured. So she pages the platform team and waits. The gap she’s hitting isn’t a tooling problem — it’s an artifact problem. Detection and enforcement need to share the same specification, and in most production programs they don’t.
The runtime-derived behavioral envelope plays two roles inside the attack detection framework.
Read forward, it’s the Layer 2 baseline that fires Surface 3 deviation alerts — the per-Deployment profile of every tool call, network destination, syscall, identity use, and file access the agent actually performs in production.
Read backward, it’s the Layer 5 containment specification that defines what gets revoked, scoped, or severed at each of the four surfaces. Same artifact. Two readings. One specification.
This piece walks the dual role. It lands as a four-row surface-specific containment table — the operational artifact a security team takes into the next agent-security planning meeting.
Read forward, the envelope answers one question: is the agent’s current behavior inside or outside its observed operational range? CIEM-style declared-minus-used produces a static posture finding; the envelope produces a behavior specification that fires on deviation. Different inputs, different outputs.
The artifact is built per Deployment, not per pod. AI workload pods are ephemeral; they don’t live long enough for any one pod to observe the agent under varied load, edge-case prompts, and routine deployments. Building the baseline at the Deployment level means the profile survives pod restarts, horizontal scaling, and rolling updates. ARMO’s Application Profile DNA is the implementation — a single behavioral envelope per Deployment that captures tool-call patterns, network destinations, syscall sequences, identity usage, and file access as one unit. Envelope deviation is the runtime signal behind what ARMO has framed as intent drift in AI agent runtime behavior — patterns that break the envelope’s shape rather than individual events that look anomalous in isolation.
The envelope converges over two to four weeks of observation, depending on operational variety. Production agents handling varied user requests across load conditions need the longer window to absorb edge cases and legitimate variation. Run alerting before convergence and every legitimate edge case fires; run with too short a window and the baseline misses operational variety it should have absorbed. During convergence the envelope operates in visibility-only mode — the same pattern the observe-to-enforce methodology applies to general Kubernetes workloads.
Once converged, the envelope reads forward in continuous time. Every tool call, identity use, and network destination either falls inside the envelope or doesn’t. When something falls outside, the deviation becomes a Layer 2 alert — and the alert carries the envelope parameter that triggered it. The parameter matters. Containment will need it.
Read backward, the envelope answers a different question: when behavior crosses outside the observed range, what specifically gets revoked, scoped, or severed — and at what granularity. Every dimension the envelope captured during convergence is a dimension along which containment can be parameterized, which produces a four-row table.
The surface-specific containment table is the operational artifact. Four rows, one per detection surface. Each row carries the containment action, the envelope parameter that drives it, the granularity, the control plane it executes against, and the failure mode when containment runs without envelope parameterization.
Surface 1 — Input & Reasoning. Containment: context filtering and index isolation. Envelope parameter: RAG access pattern plus source provenance. Granularity: per-source, per-index. Control plane: the RAG pipeline’s retrieval and ingestion layer — vector store API for in-cluster deployments, managed service API for Bedrock Knowledge Bases or Vertex AI Agent Builder. Run this containment without the envelope and you quarantine the whole store — every unrelated agent reading from that index goes down with the compromised one.
Surface 2 — Tool Invocation. Containment: tool-scope revocation. Envelope parameter: tool-call sequence pattern — which tools the agent invokes, in what combinations, at what frequency. Granularity: per-tool, per-agent. Control plane: framework SDK or MCP server policy — LangChain tool allowlists, CrewAI agent tool bindings, MCP server-side scope enforcement. Without envelope parameterization, containment defaults to broad tool-catalog removal, which breaks the agent’s legitimate work and creates pressure to roll back the containment before the investigation completes. ARMO’s analysis of rogue agent tool misuse walks the scope, sequence, and rate categories the envelope tracks.
Surface 3 — Identity & Action. Containment: IAM revocation scoped to the specific role binding outside envelope. Envelope parameter: observed identity usage — which permissions the agent has actually exercised, against which resources, at what rate. Granularity: per-role-binding, per-agent. Control plane: cloud IAM — IRSA on EKS, Workload Identity Federation on GKE, federated credentials on AKS. Strip the envelope out and IAM revocation defaults to removing the whole role, which takes the agent down across every function it had — including the functions that weren’t compromised.
Surface 4 — Cross-Agent Coordination. Containment: orchestrator edge severing. Envelope parameter: delegation pattern between agent pairs — which agents route work to which, through which framework mechanism, carrying what payload shape. Granularity: per-edge, per-graph. Control plane: orchestrator framework state — LangGraph state transitions, CrewAI Crew object, AutoGen GroupChatManager. Without envelope parameterization, the action that’s available is whole-graph pause, and the cost is every workflow that touches the compromised agent — most of which are fine.
The pattern across all four rows is identical. The same envelope drives the action. Precision comes from envelope parameterization, not from policy complexity. A team operating without the envelope as a containment specification can still execute containment — but the action they execute defaults to the broadest available shutdown at every surface, which is the operational reason containment lags or rolls back during incident response.
The kernel-level enforcement layer consumes the envelope as the containment spec. The work behind per-agent guardrails covers how the same envelope drives the broader enforcement profile per agent.
The failure pattern in one sentence: detection team owns the envelope inside the observability stack, platform team owns the policy file inside the IaC repo, and the two artifacts sync through tickets and screenshots. At 2 AM the platform engineer reads the envelope finding in one tool and applies a policy change in another, through the platform’s normal change workflow. The handoff isn’t a discipline problem — the engineer is doing exactly what the architecture asks them to do. The architecture asks them to translate, and the translation step is where the action either over-shoots the scope of the alert or under-shoots it. Both fail the same way.
The operational fix isn’t a new tool; it’s a different relationship between the envelope and the enforcement layer. The envelope needs to be addressable as a single specification rather than maintained in two synced files. Three properties matter.
First, control-plane addressability. The envelope sits in the platform’s control plane — queryable by detection, queryable by enforcement, versioned, with read-time access patterns both layers can consume. Not a static artifact dumped into the observability stack and re-exported elsewhere.
Second, Layer 2 read pattern. Detection subscribes to envelope-deviation events. When behavior crosses outside the envelope, the alert fires with the envelope parameter that triggered it attached — the specific tool sequence, the specific identity use, the specific delegation edge. The alert carries containment-actionable context, not a textual description of the deviation.
Third, Layer 5 read pattern. Enforcement queries the envelope at containment time. The query asks: for this agent, against this surface, what’s the current observed scope — and what’s the smallest containment action that puts behavior back inside it? The action executes against the right control plane per surface; the envelope’s parameter determines the granularity.
That’s the shift the framework needs. Same data structure, two readings, one specification — and Layer 5 no longer waits for Layer 2 to be re-typed into a policy file.
A payment agent reads a customer support email through RAG retrieval. The email contains an indirect prompt injection — a category ARMO has analyzed in depth as an 8-stage attack chain — instructing the agent to initiate a wire transfer to a partner account the agent has never previously transacted with. The agent decides to act. From the moment the agent reads the email to the moment containment executes, five layers do specific work.
Layer 1 — Runtime telemetry. The syscall sequence around the wire-transfer IAM call gets captured at the kernel layer via eBPF. The originating prompt context — the email, the retrieved RAG content, the tool-call decision the agent made — gets captured at the application layer via framework SDK hooks. Both signals land in the telemetry stream with timestamps and entity tags.
Layer 2 — Envelope deviation. The identity-usage parameter on the payment agent’s envelope includes the agent’s normal scope: existing partner accounts, transaction sizes within historical ranges, time-of-day patterns within business hours. The wire transfer attempt sits outside the envelope on the partner-account dimension. The deviation fires as an alert. The alert carries the specific dimension that broke — partner-account scope on the identity-usage axis — not a textual summary of what looked wrong.
Layer 3 — Chain assembly. ARMO’s CADR joins the kernel syscall, the application-layer prompt context, the cloud IAM call, and the RAG retrieval event into a single causal chain with timeline and entities. The chain shows the email arrival, the retrieval event, the agent’s reasoning context, the tool-call decision, and the IAM call sequenced in order.
Layer 4 — Triage classification. The chain is read against the three tiers and classified as attack-attempt. The triage layer pages the analyst with the assembled chain attached, not a series of disconnected alerts.
Layer 5 — Envelope-scoped containment. The enforcement layer queries the envelope, reads the specific role binding outside scope on the identity-usage dimension, and revokes that binding through the cloud IAM control plane — not the broader role. The agent’s other functions remain operational. The envelope tags the attempt as an outside-envelope event for the post-incident review.
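The two readings of the envelope that the Layer 2 and Layer 5 steps above describe, as an added example that is not ARMO’s code or part of the original post: one object per Deployment, `read_forward` returns the dimension that broke (the parameter the alert carries), `read_backward` turns that same parameter into a revocation scoped to the one role binding outside envelope, and `contain_without_envelope` shows the whole-role default. Class names, field names, the bindings and the account and amount values are all assumptions.

```python
# Added illustration (not ARMO's code): one per-Deployment envelope read forward
# for Layer 2 deviation and backward for Layer 5 containment. Every name and
# value below is a constructed assumption for the payment-agent scenario.
from dataclasses import dataclass

@dataclass
class Deviation:
    dimension: str     # envelope parameter that broke, e.g. "partner_account"
    observed: object   # the value that fell outside the envelope
    role_binding: str  # role binding the out-of-envelope IAM call came through

@dataclass
class Envelope:
    """Converged identity-usage parameter (Surface 3) for one Deployment."""
    role: str              # cloud IAM role the agent assumes
    bindings: dict         # role binding -> permissions actually exercised through it
    partner_accounts: set  # counterparties the agent has transacted with
    amount_range: tuple    # (low, high) transfer sizes observed in production

    def read_forward(self, call: dict) -> "Deviation | None":
        """Layer 2 reading: inside or outside? Returns the first dimension that broke."""
        b, perm, acct, amt = (call[k] for k in ("role_binding", "permission", "partner_account", "amount"))
        checks = [("role_binding", b, b in self.bindings),
                  ("permission", perm, perm in self.bindings.get(b, ())),
                  ("partner_account", acct, acct in self.partner_accounts),
                  ("amount", amt, self.amount_range[0] <= amt <= self.amount_range[1])]
        broken = [Deviation(d, v, b) for d, v, inside in checks if not inside]
        return broken[0] if broken else None

    def read_backward(self, dev: Deviation) -> dict:
        """Layer 5 reading: revoke only the binding outside envelope; sibling bindings stay up."""
        return {"action": "revoke_binding", "target": dev.role_binding, "control_plane": "cloud_iam",
                "reason": {dev.dimension: dev.observed},
                "keeps": sorted(x for x in self.bindings if x != dev.role_binding)}

    def contain_without_envelope(self) -> dict:
        """Default when enforcement has only the policy file: the whole role goes."""
        return {"action": "revoke_role", "target": self.role, "keeps": [], "control_plane": "cloud_iam"}

# Constructed sample: the payment agent's converged envelope and the injected wire-transfer call.
PAYMENT_AGENT = Envelope(role="payment-agent-role",
                         bindings={"payments-wire": {"payments:InitiateTransfer"},
                                   "payments-read": {"payments:ListTransactions", "crm:ReadTicket"}},
                         partner_accounts={"acct-partner-001", "acct-partner-002"}, amount_range=(100.0, 25000.0))
INJECTED_WIRE_CALL = {"role_binding": "payments-wire", "permission": "payments:InitiateTransfer",
                      "partner_account": "acct-unknown-999", "amount": 9800.0}

def handle(envelope: Envelope, call: dict) -> "dict | None":
    # Both readings of one artifact: alert parameter in, scoped containment action out.
    dev = envelope.read_forward(call)
    return None if dev is None else envelope.read_backward(dev)
```

With the injected call, the forward reading breaks on `partner_account` and the backward reading revokes only `payments-wire`, leaving `payments-read` in place; the no-envelope default revokes the whole role and keeps nothing.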
The detection framework operates end-to-end only when Layer 2 and Layer 5 share a specification. Programs that have detection capability without containment-spec unity are running half the framework — they see the attack but contain it through the broadest available shutdown at every surface, which, from the agent’s point of view, is operationally indistinguishable from running without detection at all. The legitimate work breaks the same way under both. The SOC still has the alert chain for the post-mortem; the business still loses the agent’s output for the duration of broad containment.
This is the artifact question, not the tool question. A team can buy any detection product on the market and still operate two artifacts. The architectural decision sits underneath the procurement decision — and the procurement decision often doesn’t surface it.
The next step is small. Pick one Surface 3 alert from this week. Pull the envelope’s identity-usage record. Pull the platform team’s policy file. Diff them. The gap is the work. Run that diff against three agents and a pattern usually emerges — the same dimensions appear in the envelope that the policy file doesn’t capture. That pattern is the shape of the next quarter’s enforcement work. ARMO’s platform for cloud-native security for AI workloads was built around this artifact unity — runtime telemetry through eBPF, Deployment-level baselines through Application Profile DNA, cross-surface correlation through CADR, and per-agent enforcement that queries the envelope at containment time.
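The envelope-versus-policy-file diff the paragraph above asks for, as an added example that is not ARMO’s code or part of the original post. The policy layout (a simplified allow list of actions and resources), the envelope identity-usage record layout and every value in both are constructed assumptions; the output separates the CIEM-style declared-minus-used finding from the dimensions the envelope carries that the policy file has no slot for.

```python
# Added illustration (not ARMO's code): diff one agent's envelope identity-usage
# record against the platform team's declared policy. Both inputs are constructed;
# the policy shape is a simplified allow list, not any real policy format.

# Constructed declared policy: what the platform team wrote down for the role.
DECLARED_POLICY = {
    "role": "payment-agent-role",
    "statements": [
        {"actions": {"payments:InitiateTransfer", "payments:ListTransactions",
                     "payments:CancelTransfer"}, "resources": {"payments/*"}},
        {"actions": {"crm:ReadTicket", "crm:UpdateTicket"}, "resources": {"crm/*"}},
    ],
}

# Constructed envelope identity-usage record: what the agent actually exercised,
# with the dimensions the envelope tracks per permission.
ENVELOPE_IDENTITY_USAGE = {
    "role": "payment-agent-role",
    "exercised": {
        "payments:InitiateTransfer": {"resources": {"payments/acct-partner-001", "payments/acct-partner-002"},
                                      "rate_per_hour": 12, "hours": (8, 18)},
        "payments:ListTransactions": {"resources": {"payments/acct-partner-001"},
                                      "rate_per_hour": 40, "hours": (8, 18)},
        "crm:ReadTicket": {"resources": {"crm/tickets"}, "rate_per_hour": 60, "hours": (8, 18)},
    },
}

def diff_envelope_against_policy(policy: dict, usage: dict) -> dict:
    """Three findings: posture gap, enforcement gap, and dimensions the policy cannot express."""
    declared = set().union(*(s["actions"] for s in policy["statements"]))
    used = set(usage["exercised"])
    # An allow statement expresses actions and resources; anything else the envelope
    # records per permission (rate, time window) has no slot in the policy file.
    policy_dims = {"resources"}
    envelope_only = {d for rec in usage["exercised"].values() for d in rec} - policy_dims
    return {
        "declared_not_used": sorted(declared - used),   # CIEM-style static posture finding
        "used_not_declared": sorted(used - declared),   # non-empty means IAM is not the real boundary
        "envelope_only_dimensions": sorted(envelope_only),
        # Wildcard in the policy, enumerated in the envelope: the partner-account scope dimension.
        "observed_resource_scope": {a: sorted(r["resources"]) for a, r in usage["exercised"].items()},
    }
```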
JIT access scopes permissions at request time against declared policy — the agent asks, the policy decides, the permission is granted for the duration of the request. The envelope scopes against observed behavior — the agent’s actual operational range becomes the boundary. The two are orthogonal and compose well. JIT enforces what the agent is allowed to ask for; the envelope enforces what the agent has actually done. A production program running both gets JIT’s declared-scope discipline and the envelope’s observed-scope precision.
Legitimate change — model updates, tool catalog churn, prompt-template revisions — shifts the agent’s normal behavior. Deployment correlation and pattern continuity discriminators distinguish legitimate evolution from compromise, and the envelope absorbs the legitimate shifts on its next observation cycle. ARMO’s case for defining normal agent behavior with runtime data covers the discriminators in depth. During an active incident, envelope updates freeze and resume after the post-action review.
The telemetry can come from anywhere — eBPF tooling, framework SDKs, audit streams. The dual-role property requires the envelope to be addressable by both Layer 2 detection and Layer 5 enforcement as a single specification. The same observation stream that builds a runtime AI bill of materials builds the envelope — they’re sibling artifacts, and the architectural requirement for both is control-plane addressability rather than a static dump. Most observability tools maintain the envelope as a static analytics artifact — queryable by dashboards, not by enforcement.
Two to four weeks is typical, depending on operational variety. Agents handling varied user requests across load conditions need the longer window to absorb edge cases. During convergence the envelope runs in visibility-only mode. After convergence, alerts fire on patterns that break the envelope shape, not on individual actions that look unusual in isolation. That’s what makes the envelope tolerate non-determinism — the boundary is around a shape, not around an enumerated set of allowed actions.
Surface coverage shifts inside managed runtimes. Surface 3 remains accessible via cloud audit streams — the envelope’s identity-usage dimension continues to work, and Surface 3 containment via IAM revocation runs against the same control plane. Surfaces 1, 2, and 4 are largely opaque inside managed runtimes; the platform doesn’t expose framework-level tool-call telemetry or orchestrator state. Envelope coverage is partial in these environments, not full, and the dual-role property holds only at the surfaces where telemetry is reachable.