Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

We open-sourced 209 security tests for multi-agent AI systems (MCP, A2A, L402/x402 protocols)

  • What: A security testing framework for multi-agent AI systems was open-sourced
  • Impact: Intended for enterprise and research use

Security Research

209 Security Tests for AI Agent Systems: What We Built and Why

We open-sourced a security testing framework for multi-agent AI systems. It covers 4 wire protocols, the complete OWASP Agentic Top 10, NIST AI 800-2 alignment, and 20+ enterprise platforms. Here is what it tests, how it works, and why the “verification layer” is the piece most governance frameworks are missing.

12 min read, March 23, 2026

The Problem: Governance Without Verification

You can define a governance framework. You can write constitutional constraints. You can publish a preprint describing 12 interlocking mechanisms. But without a way to verify that the governance works under adversarial conditions, you have a policy document, not a defense.

This is the gap between governance and verification. The White House tells organizations to deploy AI. NIST provides a risk management framework. The EU AI Act requires human oversight and incident reporting. But none of them provide a tool that answers the question: “If an adversary targeted our agent system right now, would our governance hold?”

We built one. It is open-source, it is on PyPI, and it runs 209 tests across the four protocols that AI agents actually use in production.

What the Framework Tests

Four Wire Protocols

AI agents in enterprise environments communicate through specific protocols. Each has distinct security properties and attack surfaces:

  • MCP (Model Context Protocol). Purpose: tool invocation, how agents call external tools and APIs. Test coverage: authentication, injection, data leakage, tool abuse. Key risk: agents invoking tools they should not have access to.
  • A2A (Agent-to-Agent). Purpose: inter-agent communication, how agents coordinate. Test coverage: message integrity, impersonation, privilege escalation. Key risk: one agent manipulating another through crafted messages.
  • L402 (Lightning). Purpose: Bitcoin-based agent payments, microtransactions. Test coverage: payment flow integrity, double-spend, authorization. Key risk: agents spending without proper economic gate evaluation.
  • x402 (USDC/Stablecoin). Purpose: fiat-equivalent agent payments. Test coverage: transaction limits, approval flows, compliance. Key risk: agents exceeding spending authority in fiat-equivalent value.

Most AI security tools test the model (prompt injection, jailbreaking). This framework tests the agent system — the protocols, integrations, and decision paths that determine what agents actually do in production.

Complete OWASP ASI Top 10 Coverage

Every test maps to a specific OWASP Agentic Security Initiative (ASI) category:

  • ASI01 Excessive Agency: authority escalation, scope creep, unauthorized actions
  • ASI02 Insecure Output Handling: response sanitization, injection propagation
  • ASI03 Supply Chain Vulnerabilities: dependency integrity, tool provenance
  • ASI04 Insufficient Logging: audit trail completeness, tamper detection
  • ASI05 Inadequate Sandboxing: isolation verification, escape detection
  • ASI06 Prompt Injection: direct and indirect injection across protocols
  • ASI07 Improper Access Control: permission boundaries, tier enforcement
  • ASI08 Insecure Storage: credential exposure, secret management
  • ASI09 Insufficient Error Handling: failure mode analysis, information leakage on error
  • ASI10 Insecure Communication: transport security, message integrity

20+ Enterprise Platform Adapters

AI agents in enterprise environments connect to real business systems. The framework includes adapters for testing agent interactions with:

  • ERP: SAP, Oracle, Workday
  • CRM: Salesforce, HubSpot
  • ITSM: ServiceNow, Jira
  • Cloud: AWS, Azure, GCP
  • Communication: Slack, Teams, Email
  • Finance: Stripe, QuickBooks
  • And more, each with platform-specific test cases covering authentication, data access, and action authorization

This matters because enterprise AI security is not abstract. It is an agent with SAP credentials making a purchase order. It is an agent with Salesforce access modifying a customer record. Platform-specific testing catches vulnerabilities that generic security scans miss.

Agent Autonomy Risk Score

The framework produces an Agent Autonomy Risk Score (0–100) that answers a specific question: “Is it safe for this agent to execute unsupervised?”

The score aggregates results across all test modules, weighted by severity. A high score means the agent system has demonstrated security properties consistent with autonomous operation. A low score means human oversight is required on every consequential action — which, per BCG’s “AI brain fry” research, creates 33% more decision fatigue for the humans doing the oversight.

The Verification Loop

  • Define governance (CSG preprint).
  • Implement governance (production system).
  • Verify governance (this framework).

Without verification, governance is an assumption. With verification, governance is evidence.

How It Works

The framework is designed for minimal friction:

  pip install agent-security-harness
  agent-security-harness --target https://your-agent-endpoint.com --protocol mcp

Core design decisions: Python standard library only for core modules. No heavy de...
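The Agent Autonomy Risk Score section above says the score aggregates test results weighted by severity, but the page does not give the weighting. The Python below is an added illustration of one way such a score and its "safe to run unsupervised" gate could be computed; it is not code from the agent-security-harness project, the severity weights, the 80-point threshold and the rule that any failed critical test forces human oversight are assumptions, and the sample results are constructed.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed severity weights; the framework's real weighting is not on the page.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 15}
UNSUPERVISED_THRESHOLD = 80  # assumed minimum score for unsupervised execution


@dataclass(frozen=True)
class TestResult:
    protocol: str   # wire protocol exercised: "mcp", "a2a", "l402" or "x402"
    category: str   # OWASP ASI category id the test maps to, e.g. "ASI01"
    severity: str   # one of the SEVERITY_WEIGHT keys
    passed: bool


def autonomy_risk_score(results: Iterable[TestResult]) -> dict:
    """Severity-weighted pass rate on a 0-100 scale plus an oversight gate."""
    results = list(results)
    total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    earned = sum(SEVERITY_WEIGHT[r.severity] for r in results if r.passed)
    score = round(100 * earned / total) if total else 0
    critical_failures = [r for r in results if not r.passed and r.severity == "critical"]
    # One failed critical test forces human oversight regardless of the score.
    unsupervised_ok = score >= UNSUPERVISED_THRESHOLD and not critical_failures
    by_category: dict[str, tuple[int, int]] = {}
    for r in results:  # per-ASI-category (passed, total) breakdown
        passed, count = by_category.get(r.category, (0, 0))
        by_category[r.category] = (passed + int(r.passed), count + 1)
    return {
        "score": score,
        "unsupervised_ok": unsupervised_ok,
        "critical_failures": [(r.protocol, r.category) for r in critical_failures],
        "by_category": by_category,
    }


# Constructed sample results, not real framework output.
SAMPLE = [
    TestResult("mcp", "ASI01", "critical", True),
    TestResult("mcp", "ASI06", "high", False),
    TestResult("a2a", "ASI07", "high", True),
    TestResult("a2a", "ASI10", "medium", True),
    TestResult("l402", "ASI01", "critical", True),
    TestResult("x402", "ASI01", "critical", False),
    TestResult("x402", "ASI04", "low", True),
]

if __name__ == "__main__":
    print(autonomy_risk_score(SAMPLE))
```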
