Agentic AI Security Gaps in ISO/IEC 27090
ISO/IEC 27090 (FDIS, February 2026) defines the threat taxonomy for AI model security. Agentic AI execution sequences — autonomous systems that commit to ordered multi-step actions with real-world effect — fall outside its scope. Four threat categories are unaddressed. This brief documents each gap and the production mechanism that addresses it.
1. ISO/IEC 27090 Scope
27090's threat taxonomy covers: adversarial evasion, data and model poisoning, model theft and extraction, membership inference, model inversion, prompt injection, and output injection. Scope is deliberate, malicious attacks on AI models and training data. Agentic AI execution sequences are not within scope — the standard predates their production deployment. Four gaps result.
2. Identified Gaps for Agentic AI Systems
Gap 1 — Replay Attacks on Agent Execution Sequences
27090 classifies prompt injection as a single-request threat. It has no threat category for sequence replay — submission of a prior step's valid payload to manipulate an agent's stateful execution context. A fresh nonce does not protect against this; step position in an ordered sequence is the missing invariant. Neither vector appears in 27090's taxonomy.
A per-sequence Durable Object maintains a nonce set and a step counter. Nonce reuse returns REPLAY_NONCE regardless of step position. A step submitted out of counter order returns SEQUENCE_VIOLATION. A timestamp window of |ts_ms − server_now| ≤ 300,000 ms is enforced independently and returns STALE_TIMESTAMP on failure. These are three orthogonal barriers; all must be defeated simultaneously.
Gap 2 — Pre-Execution Cryptographic Receipt Architecture
27090 Clause 7 references audit logging as a mitigation control with no format, timing, or integrity requirement. A DENY event in an agent gate leaves no forensic record under 27090 — nothing distinguishes "gate ran and refused" from "gate was not called." Pre-execution receipts are absent from the control set.
An HMAC-SHA256 signed receipt is written to immutable R2 storage before the action executes, on every decision including DENY and HALT. pack_id = SHA-256(canonicalJson(decision)). Seven enumerated denial codes are carried on DENY receipts. Formal schema: agenticrail.nz/spec/receipt-schema.json (JSON Schema Draft 2020-12, published 2026-05-17).
Gap 3 — Tamper-Evident Sequence Integrity
27090 addresses integrity of training data and model assets. It specifies no chain-linkage requirement for enforcement records across a multi-step sequence. A modified receipt at step N passes single-receipt HMAC verification — only cross-receipt linkage reveals the tampering. Sequence-level integrity is unaddressed.
On every receipt, prev_receipt_id equals the pack_id (SHA-256) of the preceding receipt. Modifying any receipt changes its hash, breaking the reference in every subsequent receipt. The chain is self-verifying; no trusted third party is required.
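The pack_id rule from Gap 2 and the prev_receipt_id linkage from Gap 3, shown as an added example (not AgenticRail's code or its published schema) of a verifier that walks a receipt chain. The receipt field layout, the sorted-key canonicalJson, signing over pack_id, and the key are assumptions made for illustration.

```javascript
// Added example: field names and canonical form are assumptions, not the published schema.
const nodeCrypto = require('node:crypto');

// Assumed canonical form: JSON with object keys sorted recursively.
function canonicalJson(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalJson).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalJson(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

const sha256 = s => nodeCrypto.createHash('sha256').update(s).digest('hex');
const sign = (key, id) => nodeCrypto.createHmac('sha256', key).update(id).digest('hex');

// Assumption: prev_receipt_id sits inside the hashed decision, so pack_id commits to it.
function makeReceipt(key, decision, prev) {
  const body = { ...decision, prev_receipt_id: prev ? prev.pack_id : null };
  const pack_id = sha256(canonicalJson(body));
  return { decision: body, pack_id, signature: sign(key, pack_id) };
}

// Single-receipt check: the hash matches the body and the HMAC matches the hash.
function verifyReceipt(key, r) {
  const packId = sha256(canonicalJson(r.decision));
  const expected = Buffer.from(sign(key, packId), 'hex');
  const got = Buffer.from(String(r.signature), 'hex');
  return packId === r.pack_id && got.length === expected.length &&
    nodeCrypto.timingSafeEqual(got, expected);
}

// Chain check: index of the first receipt that fails, or -1 if the chain is intact.
function verifyChain(key, receipts) {
  for (let i = 0; i < receipts.length; i++) {
    const prevId = i === 0 ? null : receipts[i - 1].pack_id;
    if (!verifyReceipt(key, receipts[i]) ||
        receipts[i].decision.prev_receipt_id !== prevId) return i;
  }
  return -1;
}

// Constructed sample: a three-step sequence, then step 2 rewritten and re-signed.
function demo() {
  const key = 'constructed-demo-key';
  const chain = [];
  for (const [step, outcome] of [[1, 'ALLOW'], [2, 'DENY'], [3, 'ALLOW']])
    chain.push(makeReceipt(key, { step, outcome }, chain.at(-1)));
  const forged = makeReceipt(key, { step: 2, outcome: 'ALLOW' }, chain[0]);
  return { intact: verifyChain(key, chain), forgedAlone: verifyReceipt(key, forged),
    brokenAt: verifyChain(key, [chain[0], forged, chain[2]]) };
}
```

The re-signed step 2 verifies on its own, and the break surfaces at step 3, whose prev_receipt_id still names the original step 2 pack_id.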
Gap 4 — Permanent Sequence Sealing
27090 specifies no control for permanent closure of an agent execution sequence. A completed sequence without a sealing mechanism is vulnerable to credential-compromise-then-inject: valid credentials obtained post-completion allow retrospective step submission. The threat is absent from the standard.
The settle step retires the sequence_id in the Durable Object. All subsequent submissions return SEALED_SEQUENCE. No unsealing path exists by design. sealed: true is HMAC-signed into the final receipt.
3. Gap Summary
| Gap | 27090 Coverage | AgenticRail Mechanism | Denial Code |
|---|---|---|---|
| Sequence replay | Not addressed | Nonce uniqueness + timestamp freshness | REPLAY_NONCE / STALE_TIMESTAMP |
| Pre-execution receipt | Not addressed | HMAC-signed receipt before execution | pack_id + signature |
| Chain integrity | Not addressed | prev_receipt_id SHA-256 chain | Hash break on tamper |
| Sequence sealing | Not addressed | Irreversible settle step | SEALED_SEQUENCE |
4. Production Evidence
Production since February 2026:
| Metric | Value |
|---|---|
| Enforcement decisions | 1,000,000+ |
| Sequence violations missed | 0 |
| Receipt signing algorithm | HMAC-SHA256 (hmac-sha256); Ed25519 implemented, pending key provisioning |
| Receipt key ID | k1_2026-02-22_01 |
| Live verification | report.agenticrail.nz/report — enter demo-loan-mpamzf82, no login required |
| Formal receipt schema | agenticrail.nz/spec/receipt-schema.json — JSON Schema Draft 2020-12 |
| Deployment | Cloudflare Workers + Durable Objects + R2 + KV |