# Project 23: Security and Governance Command Plane

Enforce prompt-safety, tool authorization, data protection, and auditability in one policy runtime.

## Quick Reference
| Attribute | Value |
|---|---|
| Difficulty | Level 4: Expert |
| Time Estimate | 12-20 hours |
| Language | Python (alt: TypeScript, Go) |
| Prerequisites | Security fundamentals, Projects 6 and 16 |
| Key Topics | prompt injection defense, RBAC, tenant isolation, compliance evidence |
## Learning Objectives
- Build defense-in-depth controls for prompt and tool attack paths.
- Enforce role and tenant-aware authorization at tool boundaries.
- Implement data retention and encryption policy hooks.
- Produce immutable audit events for enterprise review.
## The Core Question You’re Answering

“How do you make every agent action both safe and provably governed?”

## Concepts You Must Understand First
| Concept | Why It Matters | Where to Learn |
|---|---|---|
| Prompt injection classes | Defends model/control boundaries | OWASP LLM Top 10 |
| Tool-level authZ | Limits blast radius | access-control references |
| Data lifecycle controls | Required for enterprise compliance | GDPR and internal policy docs |
| Audit event design | Enables procurement and forensics | SOC control guidance |
## Theoretical Foundation

```text
Untrusted Input -> Sanitizer -> Policy Decision -> Tool AuthZ -> Execution Sandbox -> Audit Ledger
```

Security is an enforcement system, not a prompt style.
## Project Specification

### What You’ll Build

A command plane that validates input, evaluates policy, authorizes tool calls, and records auditable outcomes.

### Functional Requirements
- Prompt and retrieval sanitization
- Tool authorization by role and tenant
- Secret and PII handling controls
- Immutable audit event stream
### Non-Functional Requirements

- Low rate of undetected policy bypasses (false negatives)
- Explainable deny decisions
- Compliance-ready evidence export
## Real World Outcome

```text
$ python p23_security_plane.py --tenant acme --scenario "invoice_export"
[sanitize] suspicious_directive_removed=true
[authz] tool=erp_export decision=DENY reason=missing_scope
[pii] retention_class=confidential encryption=enabled
[audit] event_id=audit_01JQ... persisted=true
```

## Architecture Overview
Policy Engine + Auth Service + Secret Manager + Audit Ledger + Sandbox Executor
## Implementation Guide

### Phase 1: Policy and Trust Zones

- Define policy model and trust boundaries.

### Phase 2: Runtime Enforcement

- Add authZ checks and sandbox wrappers.

### Phase 3: Compliance Artifacts

- Emit auditable event schemas and evidence bundles.

## Testing Strategy
- Prompt-injection red-team tests
- Unauthorized tool-call tests
- Cross-tenant isolation tests
- Audit replay tests
## Common Pitfalls & Debugging
| Pitfall | Symptom | Fix |
|---|---|---|
| Policy after execution | blocked actions still run | move checks pre-dispatch |
| Missing actor identity | weak audits | require actor+tenant in every event |
| Broad roles | privilege creep | enforce least privilege with scopes |
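The pre-dispatch enforcement path and the three pitfalls above, worked as an added Python example (not the project's own code): deny-by-default tool authorization keyed by tenant and role, a versioned decision whose deny reason names the failed check, and a hash-chained audit ledger that refuses events lacking actor or tenant. The tenant `acme`, the roles and the scopes in `POLICY` are constructed sample values.

```python
import hashlib
import json
from collections import namedtuple

POLICY = {"acme": {"analyst": {"crm_read"}, "finance": {"crm_read", "erp_export"}}}  # constructed: tenant -> role -> scopes
POLICY_VERSION = "policy-v1"  # Hint 3: each decision records the policy version it was made under
Decision = namedtuple("Decision", "allow reason policy_version")
def authorize(tenant: str, role: str, tool: str, policy=POLICY) -> Decision:
    """Deny by default: a tool runs only on an explicit scope grant; every deny names the failed check."""
    roles = policy.get(tenant)
    if roles is None:
        return Decision(False, "unknown_tenant", POLICY_VERSION)
    if role not in roles:
        return Decision(False, "unknown_role", POLICY_VERSION)
    if tool not in roles[role]:
        return Decision(False, "missing_scope", POLICY_VERSION)
    return Decision(True, "scope_granted", POLICY_VERSION)

def _link(prev: str, body: dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

class AuditLedger:
    """Append-only events chained as sha256(prev_hash + canonical JSON); actor and tenant are required."""
    def __init__(self):
        self.events = []

    def append(self, **event) -> str:
        if not event.get("actor") or not event.get("tenant"):
            raise ValueError("audit event requires actor and tenant")
        prev = self.events[-1]["hash"] if self.events else "0" * 64  # all-zero head before the first event
        digest = _link(prev, event)
        self.events.append({**event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _link(prev, body):  # an edited or dropped event breaks a link
                return False
            prev = e["hash"]
        return True

def dispatch(ledger: AuditLedger, tenant: str, actor: str, role: str, tool: str, execute):
    """Policy is evaluated before dispatch; both ALLOW and DENY outcomes are audited."""
    decision = authorize(tenant, role, tool)
    result = execute(tool) if decision.allow else None  # execute only on an explicit ALLOW
    ledger.append(tenant=tenant, actor=actor, tool=tool, decision="ALLOW" if decision.allow else "DENY",
                  reason=decision.reason, policy_version=decision.policy_version)
    return decision, result
```

Replaying `verify()` after any edit to a stored event returns `False`, which is the audit replay test from the Testing Strategy in miniature.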
## Interview Questions They’ll Ask
- Why is prompt filtering alone insufficient?
- How do you enforce least privilege for tools?
- What must be in an audit event for enterprise trust?
- How do you prevent cross-tenant leakage?
## Hints in Layers
- Hint 1: Deny by default.
- Hint 2: Treat tool output as untrusted until validated.
- Hint 3: Version policy decisions.
- Hint 4: Keep forensic replay path simple and complete.
## Submission / Completion Criteria

### Minimum Completion

- Enforcement path blocks unauthorized actions

### Full Completion

- Tenant-aware policy + audit evidence exported

### Excellence

- Red-team suite and policy effectiveness scorecard