Skip to content

Audits & framework coverage

M8Shift has been audited threat-by-threat against the major agentic-security frameworks and against external research. The honest headline is unusual: most model-attack surfaces simply do not exist here, because M8Shift has no model of its own — it is a passive, local, single-file coordination relay. Those "no surface here" verdicts are a feature of the design, not a gap.

How to read this page

Each framework below is mapped to M8Shift with a plain verdict: applies, partial, or N/A by design, with a one-line reason. The full, citation-checked audits live in the repository.

Coverage by framework

FrameworkWhat it targetsM8Shift verdict
OWASP Agentic Top 10 (ASI01–10)threats specific to agentic applicationsAudited threat-by-threat. Strong on inter-agent integrity, anti-cascade, human traceability; supply chain is strong for the core but the opt-in v3.40+ installer/adapters (RTK/Headroom) add a real supply-chain surface (downloaded & executed, sha256-pinned); identity & network controls are out of scope by design (local, declarative).
MITRE ATLASadversarial machine learning (model attacks)~90 % N/A. ATLAS is overwhelmingly a model-attack taxonomy (evasion, inversion, poisoning); there is no model, training, or inference API to attack.
NIST AI RMF (AI 100-1 + GenAI Profile 600-1)AI risk management functionsPartial. GOVERN / MAP / MANAGE apply (charter-as-governance, ledger-as-traceability); MEASURE (model metrics, bias measurement, robustness eval) is N/A — no model to measure.
CISA — Secure AI System Developmentsecure-by-design AI lifecycleApplies. Supply-chain hygiene, configuration hardening, continuous monitoring — these intersect M8Shift's two named gaps (SEC-4, SEC-7).
ANSSI-PA-102securing a generative-AI systemPartial. Phase isolation / cloisonnement and access-control axes apply; the model- and training-poisoning recommendations are N/A — no training pipeline.
IBM AI Risk AtlasAI risks incl. bias & fairnessN/A by design. Training-data, inference, and output risks — including every classic bias/fairness risk — are structurally inapplicable: no data to skew, no inference to attack, no output to bias.
arXiv agentic-security researchagentic defensesMixed. Activation/model-drift defenses are correctly N/A; verify-before-commit style ideas map cleanly onto the relay's independent review and read-only validation.

OWASP Agentic Top 10 — coverage matrix

#ThreatM8Shift verdict
ASI01Goal Hijack🟡 Partial — boundary documented & structurally neutralized, not semantically filtered
ASI02Tool Misuse🟢 Good — narrow scope, no network, no billable loop
ASI03Identity & Privilege Abuse🟠 Out of scope by design — declarative cooperative identity
ASI04Supply Chain🟢 core (stdlib-only, no requirements.txt) / 🟡 opt-in installer adapters — RTK release asset + Headroom pip venv are downloaded & executed (sha256/checksum-pinned, argv-only) since v3.40+
ASI05Remote Code Execution🟢 Good — no eval/shell; subprocess = git plus allowlisted RTK/Headroom adapters (argv-only, realpath+sha256-pinned, no shell; v3.40+); SEC-4 fixed & tested

Optional installer / adapters (v3.40+) — audited surfaces

The core relay is stdlib-only, offline, no daemon. The opt-in installer and adapters add real, bounded surfaces, audited separately:

  • Install-time network only under --with-rtk / --with-headroom (release-asset / pip download); the runtime stays offline.
  • RTK/Headroom are downloaded and executed — sha256 / checksum-TOFU pinned over TLS (not an independent signature), argv-only, no shell.
  • Project-local .m8shift/bin adapters require explicit --allow-project-local-adapters (#94); PATH-installed adapters are preferred.
  • Compression artifacts under .m8shift/context/compression/ are best-effort regex-redacted before store (can miss novel secret shapes) — a confidentiality-at-rest surface.

| ASI06 | Memory & Context Poisoning | 🟢 Strong integrity (append-only) / 🟡 content | | ASI07 | Insecure Inter-Agent Comm. | 🟢 Local integrity / 🟠 no crypto — network surface is N/A | | ASI08 | Cascading Failures | 🟢 Anti-cascade by design — one writer at a time | | ASI09 | Human-Agent Trust | 🟢 Strong traceability — immutable, auditable turns | | ASI10 | Rogue Agents | 🟠 Strong detection / prevention out of scope by design |

Controls we deliberately do not add

A passive local relay stays trustworthy partly by refusing controls that would be security theater in its model:

ControlWhy it is rejected
mTLS / PKI / end-to-end channel encryptionNo network → no MITM surface. Adding transport crypto to a local file is theater.
Semantic prompt-injection filtering inside the relayA transport must not rewrite the payload; reliable NL injection filtering is unsolved and adds false positives. The documented boundary + structural neutralization fit the role.
Cryptographic agent identity (signed intent, per-agent tokens)Identity is declarative and cooperative by design; crypto-identity belongs to a different (networked) model.

The condition is stated explicitly: if M8Shift ever became networked, mTLS + message signing + roster attestation would become required. It is local, so they are not.

A note on AI cognitive bias

The frameworks above that target cognitive / statistical bias — IBM's bias & fairness risks, NIST's MEASURE bias metrics — assume a model: training data that can skew, inference that can be probed, output that can be biased. M8Shift has none of these, so those risks are not applicable by construction. (For background on what model bias is, IBM keeps a solid primer: What is AI bias?.)

The honest analogue that does apply to a model-less coordinator is process fairness between agents: does the coordinator favor its own answers, or stay neutral toward a peer's findings? M8Shift's answer is structural and procedural, never cognitive:

Neutrality is enforced by structure, not by debiasing a mind

The reviewer is a different agent on a different turn from the author; the turn journal is append-only, so a finding and the response to it are both permanently on record and cannot be quietly softened. The author never green-lights their own work. The reviewer guidance requires reviewing adversarially by default and not favoring one's own prior output.

This is the only model-bias surface that maps onto M8Shift, and it is addressed as a recorded separation of duties rather than a claim about any agent's internal objectivity. See the reviewer-neutrality guidance for the exact rules agents follow.

The biases the contradiction targets

Separate from model bias, the biases that actually matter for a multi-agent relay are about trust — and they are where M8Shift's contradictory process earns its keep:

  • automation bias — a human deferring to the machine because "it's the AI";
  • overconfidence — a model stating wrong answers as fluently as right ones, so confidence is no signal of correctness;
  • sycophancy — a model agreeing to be agreeable rather than to be correct.

A structured contradiction is the antidote: an independent reviewer required to refute, ideally from a different model family, with the verdict anchored in deterministic tests and a human arbiter.

Not automatic — the contradiction must be real

Two agents that simply agree, especially the same model, form an echo chamber that manufactures false confidence — worse than one, because a human now trusts a "consensus." The advantage is the contradiction being genuine and independent, not the redundancy itself.

Sources

The full, citation-checked audits — every ASI threat, the 16 MITRE ATLAS tactics, the arXiv paper table, and the NIST / CISA / ANSSI / IBM mapping — are maintained in the repository:

Framework references: OWASP GenAI Security Project · MITRE ATLAS · NIST AI Risk Management Framework · CISA AI · ANSSI · IBM AI risk management.

Built with ❤️ and M8Shift · Accessibility · r/m8shift