Compliance & Governance

Governed by frameworks. Verified by audit trails.

OWASP Agentic AI Top 10 mapped. Privacy Act compliant. Every agent decision logged with full reasoning traces. Compliance is engineered into every agent we build — not retrofitted after deployment.

Frameworks & Standards

What we comply with.

Not a summary of what regulations exist — a mapping of what we actually do about them. Every framework listed here has specific controls implemented and evidence collected.

OWASP Agentic AI Top 10

Every risk mapped to a specific technical control

From 10 December 2026, Privacy Act amendments require any entity using automated decision-making that significantly affects individuals to disclose what personal information is used, what decisions are made by computer programs, and where computer assistance significantly influences outcomes.

This is built into every agent deployment that touches personal data — not an optional add-on.

Execution Architecture

Sandboxed privilege rings.

Agents operate in isolated execution rings inspired by CPU privilege levels. No agent can escalate its own permissions. Every ring has independent policy rules, resource limits, and audit requirements.

Ring 2

User-Facing Output

Response generation, document creation

Ring 1

Tool Execution

API calls, database queries, file operations

Ring 0

Core Orchestration

Agent planning, memory access, prompt assembly

Agents cannot escalate from a lower-privilege ring to a higher one. Each ring has independent policy rules, resource limits, and audit requirements.

Agent Safety & Human Oversight

Contained. Controllable. Killable.

Agents operate in sandboxed execution rings inspired by CPU privilege levels. No agent can escalate its own permissions. Every agent has a kill switch. Every high-stakes decision requires human approval.

Kill Switches

Immediate agent termination at any layer. Kill switches are configured per-agent during the build phase and tested before every production deployment.

Circuit Breakers

Automatic throttling when error budgets are exhausted. SLO enforcement prevents degraded agents from continuing to operate. Automatic rollback on policy violation.

Saga Rollback

Multi-step agent operations use saga orchestration. If any step violates a policy rule, the entire operation rolls back automatically — no partial state.

Runtime Policy Engine

Every agent action — tool calls, data access, API requests, output generation — passes through the policy engine before execution. Policies defined in YAML, evaluated in under 0.1ms.
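The saga rollback and pre-execution policy check described above, sketched as an added example (not this vendor's code or its policy format). The `RING_POLICY` table, the `Step`, `evaluate` and `run_saga` names and the verdict strings are hypothetical, and ring 0 is assumed to be the most privileged ring, as on a CPU.

```python
from dataclasses import dataclass
from typing import Callable

# Hypothetical rule table standing in for YAML policies; action kinds follow the page's ring descriptions.
RING_POLICY = {
    0: {"plan", "memory_access", "prompt_assembly"},
    1: {"api_call", "db_query", "file_op"},
    2: {"generate_response", "create_document"},
}

@dataclass
class Step:
    name: str
    ring: int                        # ring the step executes in
    kind: str                        # action kind it requests
    do: Callable[[dict], None]       # forward action
    undo: Callable[[dict], None]     # compensating action

def evaluate(ring: int, kind: str) -> str:
    """Policy decision for one action, made before it executes."""
    if kind in RING_POLICY.get(ring, set()):
        return "pass"
    escalation = any(kind in kinds for r, kinds in RING_POLICY.items() if r < ring)  # owned by a more privileged ring
    return "deny:ring_escalation" if escalation else "deny:not_permitted"

def run_saga(steps: list, state: dict):
    """Run steps in order; on a denial, compensate completed steps in reverse."""
    trace, done = [], []
    for step in steps:
        verdict = evaluate(step.ring, step.kind)
        trace.append({"step": step.name, "ring": step.ring, "policy": verdict})
        if verdict != "pass":
            for prev in reversed(done):
                prev.undo(state)
                trace.append({"step": prev.name, "ring": prev.ring, "policy": "compensated"})
            return False, trace
        step.do(state)
        done.append(step)
    return True, trace

def demo():
    """Constructed scenario: the third step runs in ring 1 but requests a ring 0 action."""
    state = {"rows": [], "tickets": []}
    steps = [
        Step("insert_row", 1, "db_query", lambda s: s["rows"].append("r1"), lambda s: s["rows"].pop()),
        Step("open_ticket", 1, "api_call", lambda s: s["tickets"].append("t1"), lambda s: s["tickets"].pop()),
        Step("read_memory", 1, "memory_access", lambda s: None, lambda s: None),
    ]
    return run_saga(steps, state) + (state,)
```

The trace returned by `run_saga` records the ring and policy verdict for every step, including the compensations, which is the evidence an auditor needs to confirm that no partial state survived.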

AI Governance Principles

Principles with teeth.

Not aspirational statements — concrete commitments enforced at runtime. Every principle below has a corresponding technical control, not just a policy document.

Transparency

Every user-facing agent interaction includes a clear disclosure that they are interacting with AI. Handoffs to humans are clearly communicated. AI-generated recommendations are labelled as such.

Explainability

Reasoning traces captured for every decision. Confidence scores on outputs. "Why this recommendation" explanations available for medium and high-stakes decisions.

Bias Mitigation

Structured approach across four phases: bias review during design, diverse test scenarios during testing, output auditing during pilot, and ongoing fairness metrics tracking in production.

Contestability

Every agent decision affecting an individual includes a pathway to request human review. The client defines who handles contested decisions. Full decision audit trails are available for review.

Model Governance

Pinned model versions — never "latest". Scheduled drift evaluation suites. Multi-model strategy documented per agent. Prompt versions tracked alongside model versions in every audit record.

Audit & Traceability

Decision traces, not just logs.

Standard application logs are not sufficient for AI compliance. We capture cognitive decision traces — the full reasoning chain, not just the inputs and outputs. Every intermediate step, tool call, and decision point is recorded.

Captured per agent execution

01 Timestamp and execution ID
02 Input — what triggered the decision
03 Context — what data the agent accessed
04 Reasoning trace — steps taken, tools called
05 Output — the decision or recommendation
06 Confidence score
07 Model version and prompt version used
08 Token usage and latency metrics
09 Whether a human reviewed or approved it
10 Outcome — if trackable
11 Policy evaluation result — which runtime rules fired, pass or fail
12 Execution ring level at time of action

Built on OpenTelemetry. Exportable to your SIEM or observability platform — Splunk, Datadog, Azure Monitor, and Google Cloud Logging supported out of the box.

These traces directly satisfy Privacy Act automated decision-making disclosure requirements and provide the evidence base for APRA model risk governance.

Data Handling

Your data stays yours.

We never own client data. We never train on client data. Every byte stays in your cloud account, in your region, under your control.

Client owns all data — always. We have developer access only, never ownership or persistent access.
No training on client data. Cloud provider APIs (Vertex AI, Bedrock, Azure OpenAI) do not use customer data for model training by default.
Australian cloud regions by default — GCP australia-southeast1, AWS ap-southeast-2, Azure Australia East.
Data classified in 5 levels: Public, Internal, Confidential, PII/Personal, Privileged — each with specific handling requirements.
Minimum permissions per task. Service account roles only. All access auditable.
Retention policies defined per engagement. Client-controlled deletion. No data persists after engagement ends without explicit agreement.

For full technical security controls — encryption, network isolation, authentication, and infrastructure architecture — view our security page.

Compliance Onboarding

Before we write a line of code.

Every engagement starts with a structured compliance checkpoint. We map your regulatory obligations, classify your data, and configure governance controls — so your compliance team has confidence before development begins.

Compliance Onboarding Checklist

Run for every engagement. No exceptions.

01 Industry sector and applicable regulators
02 Data classification — personal, health, financial, privileged
03 Data residency requirements
04 Automated decision-making disclosure obligations
05 Human oversight requirements for agent decisions
06 Third-party vendor compliance (CPS 230 for APRA-regulated)
07 Record retention and incident notification obligations
08 TGA medical device classification assessment
09 Professional liability considerations (legal sector)
10 OWASP Agentic AI Top 10 risk assessment and runtime policy mapping

Need our security pack?

Architecture diagrams, compliance documentation, and security questionnaire responses — available on request.

Request security pack

Compliance shouldn't slow you down.

Walk through your regulatory requirements with our team. We'll map what applies and build it in from day one.