Glossary
The authoritative definitions for terms Plarix has introduced into the AI agent security vocabulary. Each entry links to its source specification.
Context Poisoning
A failure where the model ingests corrupted, forged, or manipulated context.
Context Poisoning occurs when untrusted external data enters the model's context window without sanitization. Hidden instructions embedded in retrieved documents, web pages, emails, or database records can override the model's intended behavior — causing it to exfiltrate secrets, ignore constraints, or act against user intent. The attack surface grows with every external source the agent is allowed to read.
Why it matters: An agent that reads from the web, a database, or a document store is one poisoned input away from full compromise.
Model Boundary Compromise
Integrity or confidentiality failures at the model's input/output boundary.
Model Boundary Compromise describes failures where the interface between the model and the broader system is exploited. This includes system prompt extraction, model inversion, and manipulation of the input/output pipeline in ways that bypass intended constraints. It maps to OWASP LLM supply-chain and information-disclosure categories and is the subtlest of the four AFBs because the attack targets the boundary itself rather than data flowing through it.
Why it matters: The model boundary is where your system's intent meets raw model behavior — any failure there undermines every downstream control you have built.
Instruction Hijack
A failure where model output becomes unsafe instructions executed by the agent layer.
Instruction Hijack occurs when an attacker — via injected content, adversarial inputs, or chained prompt manipulation — causes the model to produce output that the agent executes as legitimate instructions. Unlike direct prompt injection (which targets the model), Instruction Hijack specifically exploits the trust the agent layer places in model output. The result: the agent acts on attacker-controlled commands while believing they are genuine model decisions.
Why it matters: Your agent treats model output as ground truth. If that output has been hijacked, your agent becomes an execution vector for arbitrary attacker instructions.
Unauthorized Action
A failure where the agent attempts or performs an action outside its authorized policy.
Unauthorized Action is the most operationally visible AFB. It occurs when no policy layer exists — or is bypassed — between the model's decision to act and actual execution. An agent with access to file deletion, email sending, or database writes can perform any of those operations if there is no enforcement gate. Wyscan detects AFB04 exposures statically by tracing reachable call paths from tool registrations. Wyatt prevents them at runtime by intercepting every tool call before execution.
Why it matters: One unauthorized tool call can delete data, send communications, or exfiltrate secrets. System prompts are suggestions — not enforcement.
Canonical Execution Event
A four-field normalization schema for evaluating and recording every agent action.
Introduced in AFB spec v2.0 (March 20, 2026), the Canonical Execution Event defines the minimum information required to evaluate policy and produce an audit record for any agent action: Operation (what is being done), Principal (who or what is requesting it), State Delta (what will change in the world), and Policy Basis (the rule that permits or denies it). Every tool call Wyatt intercepts is normalized into a CEE before policy evaluation occurs.
Why it matters: You cannot enforce what you cannot describe. The CEE gives every agent action a consistent, auditable shape — the foundation of any real enforcement layer.
Wyatt
The runtime enforcement layer that intercepts every agent tool call before execution.
Wyatt is Plarix's core product: a daemon that sits in the execution path of any AI agent and intercepts tool calls before they reach the underlying system. It evaluates each call against a declarative policy, normalizes it as a Canonical Execution Event, and either allows or denies it — logging every decision for audit. Wyatt is framework-agnostic and integrates with LangChain, CrewAI, custom agents, and MCP without requiring code rewrites. Deny by default. Always.
Why it matters: Wyatt is the only way to move from "agents are told what to do" to "agents are prevented from doing what they are not allowed to do."
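The Canonical Execution Event entry above and Wyatt's deny-by-default evaluation, illustrated as an added example written for this glossary (not Wyatt's code): a raw tool call is normalized into the four CEE fields, the policy basis is decided as part of that normalization, and every decision is appended to an audit log. The policy rules, rule ids, tool names and agent names are all constructed assumptions.

```python
import json
from dataclasses import dataclass, asdict

# Constructed policy: operation -> principals allowed to request it, with hypothetical rule ids.
POLICY = {
    "db.read":   {"principals": {"support-agent", "ops-bot"}, "id": "R1-db-read"},
    "fs.delete": {"principals": {"ops-bot"},                  "id": "R3-delete-ops-only"},
}

# Constructed mapping from agent tool names to (operation, state-delta builder).
TOOLS = {
    "query_db":    ("db.read",   lambda a: {"reads": a["table"], "writes": None}),
    "delete_file": ("fs.delete", lambda a: {"removes": a["path"]}),
}

@dataclass(frozen=True)
class CEE:  # Canonical Execution Event: the four fields named on the page
    operation: str
    principal: str
    state_delta: dict
    policy_basis: str

def normalize(call):
    """Turn a raw tool call into a CEE, fixing the policy basis as part of normalization."""
    tool, who = call["tool"], call["agent"]
    if tool not in TOOLS:          # unknown tool: no operation, so nothing can permit it
        return CEE(f"unknown:{tool}", who, {}, "deny:default")
    op, delta = TOOLS[tool]
    rule = POLICY.get(op)
    if rule is None:               # deny by default: no rule mentions this operation
        basis = "deny:default"
    elif who in rule["principals"]:
        basis = f"allow:{rule['id']}"
    else:                          # a rule exists but does not cover this principal
        basis = f"deny:{rule['id']}"
    return CEE(op, who, delta(call["args"]), basis)

def enforce(call, audit):
    """Intercept one tool call: normalize, decide, log. True only when allowed."""
    event = normalize(call)
    audit.append(json.dumps(asdict(event), sort_keys=True))
    return event.policy_basis.startswith("allow:")

if __name__ == "__main__":
    log = []
    for c in ({"tool": "query_db", "agent": "support-agent", "args": {"table": "tickets"}},
              {"tool": "delete_file", "agent": "support-agent", "args": {"path": "/srv/app/config.yml"}},
              {"tool": "run_shell", "agent": "ops-bot", "args": {"cmd": "ls"}}):
        print(c["tool"], "ALLOW" if enforce(c, log) else "DENY")
```

Note that the audit record is written before the decision is returned, so denied and unknown calls leave the same auditable shape as allowed ones.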
Wyscan
A static analysis scanner that detects AFB04 exposures in agent codebases before production.
Wyscan parses Python codebases with tree-sitter, resolves tool registrations semantically, and traces reachable call paths to identify dangerous operations — shell execution, file deletion, database writes, HTTP mutations — that lack authorization gates. It runs as a CLI or as a GitHub App on every pull request, classifying findings as critical, warning, or info. Wyscan covers AFB04 only; it does not detect AFB01–AFB03. It is the static complement to Wyatt's runtime enforcement.
Why it matters: Most agent security issues are visible in the code before deployment. Wyscan makes them findable before they reach production.
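A stripped-down illustration of the static check the Wyscan entry describes, added here as example code rather than Wyscan's own: it uses Python's standard ast module in place of tree-sitter, models a tool registration as a hypothetical @tool decorator and an authorization gate as a hypothetical require_policy or authorize call, and follows call paths only within one module. The dangerous-operation list and the sample agent module are constructed.

```python
import ast
# Constructed for this example: operations treated as dangerous, and the names of
# hypothetical authorization gates a tool body is expected to call before them.
DANGEROUS = {"subprocess.run", "os.remove", "shutil.rmtree", "cursor.execute", "requests.post"}
GATES = {"require_policy", "authorize"}
# Constructed sample module: delete_file reaches os.remove via wipe() ungated; run_cmd is gated.
SAMPLE = """import os, subprocess
from agent import tool, require_policy
def wipe(path): os.remove(path)
@tool
def delete_file(path): wipe(path)
@tool
def run_cmd(cmd):
    require_policy("shell.exec"); subprocess.run(cmd, shell=True)
"""

def dotted(node):
    # Render a call target such as os.remove or subprocess.run as a dotted name.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{dotted(node.value)}.{node.attr}"
    return ""

def scan_tools(source):
    """(tool, operation, line) for each dangerous op reachable from a @tool function with no gate."""
    tree = ast.parse(source)
    funcs = {f.name: f for f in ast.walk(tree) if isinstance(f, ast.FunctionDef)}
    findings = []
    for fn in funcs.values():
        if not any(dotted(d) == "tool" for d in fn.decorator_list):
            continue                      # not a tool registration
        seen, todo, gated, hits = set(), [fn.name], False, []
        while todo:                       # follow reachable call paths inside the module
            name = todo.pop()
            if name in seen or name not in funcs:
                continue
            seen.add(name)
            for call in (n for n in ast.walk(funcs[name]) if isinstance(n, ast.Call)):
                target = dotted(call.func)
                if target in GATES:
                    gated = True
                elif target in DANGEROUS:
                    hits.append((target, call.lineno))
                elif target in funcs:
                    todo.append(target)
        if hits and not gated:
            findings.extend((fn.name, op, line) for op, line in hits)
    return findings
```

Running scan_tools(SAMPLE) reports delete_file reaching os.remove on line 3 of the sample and nothing for run_cmd, which is the distinction between an AFB04 exposure and a gated tool that this kind of scan is meant to draw.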
Definitions derived from the AFB Taxonomy Specification (CC0-1.0).