Towards Security-Auditable LLM Agents: A Unified Graph Representation

· Source: cs.AI updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Agent-BOM is a proposed unified structural representation for security auditing of LLM-based agentic systems. Auditing such systems suffers from a semantic gap between low-level events and the high-level intent behind an execution: existing mechanisms such as SBOMs and runtime logs offer fragmented evidence and do not capture cognitive-state evolution, capability bindings, memory contamination, or cascading risk. Agent-BOM models an agentic system as a hierarchical attributed directed graph that separates static capability bases (models, tools, long-term memory) from dynamic runtime semantic states (goals, reasoning trajectories, actions). The layers are connected through semantic edges carrying security attributes, which turns execution traces into queryable audit paths. On this graph the authors build graph-query-based risk assessment, instantiated with the OWASP Agentic Top 10, and they implement it as an auditing plugin for the OpenClaw environment. Evaluations on real-world agentic attack scenarios, including cross-session memory poisoning and multi-agent ecosystem hijacking, show that Agent-BOM can reconstruct stealthy attack chains.

Key takeaway

For security architects and engineering leaders deploying LLM-based agentic systems, the point of Agent-BOM is that a single graph joining static capabilities to runtime states gives an auditor what SBOMs and flat logs do not: a path-level view of how an execution reached a risky action. Teams should consider adopting such a representation to close the semantic gap in current tooling, enabling root-cause analysis and earlier identification of multi-step attacks such as memory poisoning or tool misuse. The practical prerequisite is instrumentation: the graph is only as complete as the traces that feed it, so every tool binding and memory read or write has to be recorded for an audit path to exist.

Key insights

Agent-BOM provides a unified graph representation for auditing LLM agents, bridging the semantic gap in security analysis.

Method

Agent-BOM constructs a hierarchical attributed directed graph from agent executions, separating the static capability base (models, tools, long-term memory) from dynamic runtime states (goals, reasoning trajectories, actions) and connecting the two through semantic edges annotated with security attributes. Graph queries over the result give path-level risk assessment, with the query set instantiated from the OWASP Agentic Top 10.
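As an added worked example (not code from the paper or from the OpenClaw plugin), the following Python builds a small two-layer attributed graph from a constructed two-session trace and runs one audit query over it, illustrating both the summary's "execution traces into queryable audit paths" and the method's path-level risk query. The scenario is the cross-session memory poisoning case the summary mentions: untrusted tool output is written to long-term memory in one session and read back to drive a high-sensitivity tool call in a later one. The node and edge schema, the attribute names (`result_trust`, `sensitivity`, `session`), the tool inventory and the trace itself are assumptions made for this illustration, not Agent-BOM's schema.

```python
from collections import defaultdict


class AuditGraph:
    """Two-layer attributed directed graph (assumed schema for this example).
    Static layer: model, tools, long-term memory.  Dynamic layer: goals,
    reasoning steps and actions, one set per session.  Edges carry a relation
    name plus optional attributes."""

    def __init__(self):
        self.nodes = {}               # node id -> attribute dict
        self.out = defaultdict(list)  # node id -> [(destination id, edge attrs)]

    def add_node(self, nid, layer, ntype, **attrs):
        self.nodes[nid] = {"layer": layer, "type": ntype, **attrs}

    def add_edge(self, src, dst, relation, **attrs):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"edge {src}->{dst} references an unknown node")
        self.out[src].append((dst, {"relation": relation, **attrs}))

    def paths(self, is_source, is_sink, max_len=10):
        """Enumerate simple paths from source to sink nodes; each list of node
        ids returned is one queryable audit path."""
        found = []

        def walk(nid, path):
            if len(path) > 1 and is_sink(nid):
                found.append(list(path))
                return
            if len(path) >= max_len:
                return
            for dst, _edge in self.out[nid]:
                if dst not in path:           # no cycles
                    path.append(dst)
                    walk(dst, path)
                    path.pop()

        for nid in self.nodes:
            if is_source(nid):
                walk(nid, [nid])
        return found


# Constructed trace (not captured from a real agent): two sessions of one agent.
# Session 1 fetches an untrusted web page and stores a note in long-term memory;
# session 2 reads that memory and then sends an e-mail.
TRACE = [
    {"session": 1, "kind": "goal", "id": "g1", "text": "Summarize the vendor's product page"},
    {"session": 1, "kind": "reasoning", "id": "r1", "after": "g1"},
    {"session": 1, "kind": "action", "id": "a1", "after": "r1",
     "tool": "tool:web_fetch", "result_trust": "untrusted"},
    {"session": 1, "kind": "reasoning", "id": "r2", "after": "a1"},
    {"session": 1, "kind": "action", "id": "a2", "after": "r2", "memory_write": "mem:long_term"},
    {"session": 2, "kind": "goal", "id": "g2", "text": "Send the weekly report to the team"},
    {"session": 2, "kind": "reasoning", "id": "r3", "after": "g2", "memory_read": "mem:long_term"},
    {"session": 2, "kind": "action", "id": "a3", "after": "r3", "tool": "tool:send_email"},
]


def build_graph(trace):
    """Ingest a trace: static inventory first, then one dynamic node per event
    with edges for control flow, capability bindings and memory access."""
    g = AuditGraph()
    # Static capability base: an assumed inventory for this example.
    g.add_node("model:llm", "static", "model")
    g.add_node("tool:web_fetch", "static", "tool", sensitivity="low")
    g.add_node("tool:send_email", "static", "tool", sensitivity="high")
    g.add_node("mem:long_term", "static", "memory", shared_across_sessions=True)
    for ev in trace:
        attrs = {k: v for k, v in ev.items() if k not in ("kind", "id", "after")}
        g.add_node(ev["id"], "dynamic", ev["kind"], **attrs)
        if "after" in ev:                    # intra-session control/data flow
            g.add_edge(ev["after"], ev["id"], "next")
        if ev["kind"] == "reasoning":        # reasoning steps are produced by the model
            g.add_edge("model:llm", ev["id"], "generates")
        if "tool" in ev:                     # capability binding
            g.add_edge(ev["id"], ev["tool"], "invokes")
        if "memory_write" in ev:             # memory contamination channel
            g.add_edge(ev["id"], ev["memory_write"], "writes")
        if "memory_read" in ev:
            g.add_edge(ev["memory_read"], ev["id"], "read_by")
    return g


def memory_poisoning_chains(g):
    """Audit query: untrusted content -> long-term memory -> high-sensitivity
    tool call.  A path spanning more than one session is cross-session."""
    def is_source(nid):
        return g.nodes[nid].get("result_trust") == "untrusted"

    def is_sink(nid):
        n = g.nodes[nid]
        tool = n.get("tool")
        return (n["type"] == "action" and tool is not None
                and g.nodes[tool].get("sensitivity") == "high")

    records = []
    for path in g.paths(is_source, is_sink):
        via_memory = [n for n in path if g.nodes[n]["type"] == "memory"]
        if not via_memory:
            continue  # same-session direct injection belongs to a different query
        sessions = sorted({g.nodes[n]["session"] for n in path if "session" in g.nodes[n]})
        records.append({"path": path, "memory": via_memory, "sessions": sessions,
                        "cross_session": len(sessions) > 1,
                        "sink_tool": g.nodes[path[-1]]["tool"]})
    return records


if __name__ == "__main__":
    for rec in memory_poisoning_chains(build_graph(TRACE)):
        print(" -> ".join(rec["path"]), rec["sessions"], rec["sink_tool"])
```

Running the file reports the single chain `a1 -> r2 -> a2 -> mem:long_term -> r3 -> a3` with sessions `[1, 2]` and sink `tool:send_email`. The query returns a path rather than a flagged event, which is the property the summary stresses: the contaminating write (session 1) and the risky action (session 2) are not adjacent in any flat log, and only the edge from the memory node back into a later reasoning step connects them.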

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, AI Architect

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.