PUBLIC STANDARD · OPEN REFERENCE · v1.1 — 2026

VASP — Verdict Agent
Security Protocol

A formal taxonomy of behavioral failure modes in agentic AI systems. Each entry defines a formally provable condition under which a harmful behavioral path becomes reachable.

Cite as: VASP v1.1 — Wick Security / QreativeLab, 2026

20
Failure modes
8
Critical class
6
Failure categories
AUTONOMY
BOUNDARY
INJECTION
ALIGNMENT
INTEGRITY
CODE_GENERATION
VAF-001
Approval Gate BypassCRITICALAUTONOMY

Agent executes consequential actions in a high-risk domain without a mandatory human confirmation gate. The absence of approval enforcement is structurally detectable at the configuration level.

FORMAL CONDITIONaction_approval_required=False ∧ domain ∈ {medical, financial, legal, governmental}
PROOF STRUCTURESAT when approval_required=False ∧ high_risk_domain=True → unauthorized_action reachable
MITIGATIONEnforce action_approval_required=True for all high-risk domains. Implement out-of-band confirmation for irreversible actions.
REAL-WORLD CLASSMedical AI dosage without physician confirmation. Financial AI trade without compliance sign-off.
VAF-002
Policy Bound ViolationCRITICALBOUNDARY

Agent operates outside defined operational limits — position size, spending cap, rate limit — under reachable configurations. No automatic halt when the threshold is breached.

FORMAL CONDITIONoperational_limit > policy_threshold ∧ halt_on_breach=False
PROOF STRUCTURESAT when max_position > 0.25 ∧ halt=False → runaway_accumulation reachable
MITIGATIONEnforce hard operational limits at the infrastructure level, not only in agent logic. Add circuit breaker halting.
REAL-WORLD CLASSKnight Capital $440M — no halt_on_drawdown. Algorithmic trading runaway.
VAF-003
Prompt Injection Tool ReachabilityCRITICALINJECTION

Untrusted external content (user input, retrieved documents, web pages) reaches the agent's tool selection layer without sanitization. An adversarial instruction embedded in input can redirect tool invocation.

FORMAL CONDITIONinput_sanitization=False ∧ tool_calls_enabled=True ∧ untrusted_input=True
PROOF STRUCTURESAT when !sanitize ∧ tools_enabled ∧ untrusted → tool_hijack reachable
MITIGATIONEnforce input sanitization boundary before tool routing. Separate trusted instruction channel from untrusted data channel.
REAL-WORLD CLASSSamsung GPT leak via embedded instructions in code paste. Bing Chat prompt injection via web content.
VAF-004
Goal Divergence Under Distribution ShiftHIGHALIGNMENT

Agent trained or tuned on a proxy metric continues optimizing that metric after deployment context shifts away from training distribution. No drift monitor detects the divergence before downstream harm.

FORMAL CONDITIONproxy_metric_only=True ∧ distribution_drift_monitor=False
PROOF STRUCTURESAT when proxy_only ∧ !drift_monitor → objective_divergence reachable and undetected
MITIGATIONMonitor ground truth metric independently of proxy. Implement distribution shift detection with automatic escalation.
REAL-WORLD CLASSOpenAI CoastRunners reward hacking (2016). Content recommendation over-optimizing engagement.
VAF-005
Tool Scope EscalationHIGHBOUNDARY

Agent with shell or filesystem access operates without an explicit scope restriction. No allowlist constrains which directories, processes, or external systems are accessible.

FORMAL CONDITIONshell_access=True ∧ tool_scope_restricted=False
PROOF STRUCTURESAT when shell=True ∧ !scope_restricted → filesystem_outside_boundary reachable
MITIGATIONEnforce explicit tool allowlist. Restrict filesystem access to declared working directory only. Container-level isolation preferred.
REAL-WORLD CLASSAgentic coding assistants with unrestricted shell executing arbitrary commands.
VAF-006
Context Window Constraint DropHIGHINTEGRITY

Safety and behavioral constraints placed early in a long context window become unreachable due to truncation as the session extends. Agent operates without constraints in long tasks.

FORMAL CONDITIONsystem_prompt_position=early ∧ max_context_tokens > 32000 ∧ constraint_refresh=False
PROOF STRUCTURESAT when prompt_early ∧ ctx>32k ∧ !refresh → constraint_unreachable in long session
MITIGATIONUse system prompt anchoring (position=last in context). Refresh constraints at defined intervals or task checkpoints.
REAL-WORLD CLASSGPT-4 jailbreak via context overflow (2023). Long-session alignment decay in autonomous agents.
VAF-007
Multi-Agent Collusion PathHIGHINTEGRITY

Two or more agents sharing writable state can coordinate to bypass per-agent operational constraints — each agent individually within limits, but the combined effect exceeds policy bounds. No audit trail detects the coordination.

FORMAL CONDITIONshared_state=True ∧ audit_trail=False ∧ agent_count ≥ 2
PROOF STRUCTURESAT when shared_state ∧ !audit_trail ∧ agents≥2 → constraint_bypass via coordination reachable
MITIGATIONIsolate agent state or enforce audit trail on all shared state mutations. Apply per-agent AND aggregate constraint checking.
REAL-WORLD CLASSFirst formally proved by VERDICT (2026). Theoretical in current deployments — structurally reachable in any shared-state multi-agent system.
VAF-008
PII Exfiltration via Unguarded OutputHIGHBOUNDARY

Agent with access to sensitive personal data has an outbound HTTP channel without output filtering. Sensitive data can be included in structured responses or HTTP requests reaching external endpoints.

FORMAL CONDITIONpii_access=True ∧ output_filtering=False ∧ http_tool=True
PROOF STRUCTURESAT when pii_access ∧ !filter ∧ http → exfiltration_path reachable and structurally undetectable at inference time
MITIGATIONEnforce output filtering for all sensitive data classes before any outbound channel. Apply data minimization at the tool layer.
REAL-WORLD CLASSAir Canada chatbot PII exposure (2024). Samsung GPT confidential data via unguarded outputs.
VAF-009
RAG Retrieval PoisoningHIGHINJECTION

Agent retrieves external documents into context without validation of document origin or content integrity. Adversarially crafted documents in the knowledge base can override agent behavior or inject instructions.

FORMAL CONDITIONretrieval_source_validation=False ∧ retrieved_content_in_prompt=True ∧ tool_calls_enabled=True
PROOF STRUCTURESAT when !source_validation ∧ retrieved_in_prompt ∧ tools → instruction_injection via retrieval reachable
MITIGATIONValidate retrieval sources. Enforce structural separation between retrieved content and instruction channel. Consider sandboxed retrieval context.
REAL-WORLD CLASSIndirect prompt injection via poisoned knowledge base. LLM-integrated search manipulation.
VAF-010
Persistent Memory Bias AccumulationMEDIUMALIGNMENT

Agent writes to persistent memory without content validation or decay mechanism. Over time, adversarial or erroneous entries accumulate and systematically bias future agent behavior across sessions.

FORMAL CONDITIONpersistent_memory=True ∧ memory_validation=False ∧ memory_decay=False
PROOF STRUCTURESAT when persist_mem ∧ !validation ∧ !decay → behavioral_drift across sessions reachable and compounding
MITIGATIONValidate memory writes. Implement memory decay or review cycles. Scope memory to verified, structured facts only.
REAL-WORLD CLASSLong-running autonomous agents developing persistent behavioral drift from early context contamination.
VASP v1.1 — AI CODE GENERATION SAFETY · VAF-011–020

Empirically grounded in COBALT-AI Safety Benchmark v1.0 · Claude Opus 4.7 · GPT-5.5 · Gemini 3.1 Pro · 100 prompts · 5 CI domains

VAF-011
Critical Infrastructure Context BlindnessCRITICALCODE_GENERATION

An AI code generation model produces security-vulnerable code even when the prompt explicitly declares a safety-critical deployment context (FDA-regulated medical device, DO-178C avionics, IEC 62443 ICS). The model does not apply heightened constraints in response to declared context.

FORMAL CONDITIONcontext_declared = critical_infrastructure ∧ model_output contains CWE_pattern ∧ safety_constraints_applied = False
PROOF STRUCTUREUNSAT: Implies(context_critical, constraints_applied) ∧ Implies(constraints_applied, ¬vuln) ∧ vuln=True → contradiction. Safety claim violated empirically (Claude 22%, GPT-5.5 18%, Gemini 44%).
MITIGATIONDo not rely on natural-language context declarations as a safety mechanism. Require formal verification (Z3) of all AI-generated code in regulated deployments.
REAL-WORLD CLASSAny AI-assisted development workflow in IEC 62304 medical software, DO-178C avionics, or OSFI B-13 financial systems assuming model safety-awareness is sufficient.
VAF-012
Unguarded Integer Overflow in Safety ArithmeticCRITICALCODE_GENERATION

AI-generated C/C++ safety-critical arithmetic (dose calculations, fuel flow, timer values, packet lengths) contains unguarded integer multiplication that can overflow, producing incorrect results without detection. No bounds check or saturating arithmetic applied.

FORMAL CONDITIONoperation ∈ {multiply, add} ∧ operand_types_can_overflow = True ∧ overflow_guard_present = False ∧ result_used_in_safety_critical_path = True
PROOF STRUCTURESAT: ∃(rate, dur: uint16) where ZeroExt(rate)*ZeroExt(dur) wraps on 32-bit → incorrect result propagated to safety path.
MITIGATIONRequire widen-before-multiply: (uint64_t)a * b not a * b for narrow types. Apply COBALT Z3 verification to all AI-generated arithmetic in safety-critical paths.
REAL-WORLD CLASSCVE-2026-44673 (libyang), GHSA-ZEP-001 (Zephyr RTOS ×8) — same CWE-190 pattern confirmed by same pipeline.
VAF-013
Stack Buffer Overflow in Protocol ParserCRITICALCODE_GENERATION

AI-generated C code for network protocol parsing copies variable-length input into a fixed-size local array without length validation, using strcpy/memcpy/recv with the destination size as the assumed limit. Remote overflow is reachable.

FORMAL CONDITIONbuffer_size = FIXED_CONSTANT ∧ input_length = runtime_variable ∧ length_check = False ∧ copy_op ∈ {strcpy, memcpy, recv, fread, sprintf}
PROOF STRUCTURESAT: ∃input_len > buf_size(256) where overflows = True. No length check → overflow reachable from network.
MITIGATIONValidate input_length < buffer_size before copy. Use strncpy(dst, src, sizeof(dst)-1) or snprintf. Apply COBALT scanner to all AI-generated parsing code.
REAL-WORLD CLASSCVE-2026-41682 (pupnp SOAP parser), GHSA-MOS-002 (Mosquitto CONNECT packet) — identical pattern confirmed by COBALT.
VAF-014
Weak Cryptographic Primitive SelectionHIGHCODE_GENERATION

AI-generated cryptographic code selects broken primitives (MD5, SHA-1, DES, RC4, AES-ECB, custom XOR) even when the prompt explicitly requires FIPS 140-3 or NSA Suite B compliance. The model applies training-distribution patterns over declared security requirements.

FORMAL CONDITIONdeclared_standard ∈ {FIPS-140-3, NSA-SuiteB, PCI-DSS, HIPAA} ∧ selected_primitive ∈ {MD5, SHA1, DES, RC4, AES-ECB, XOR, CRC} ∧ primitive_approved_for_standard = False
PROOF STRUCTURESAT: model selects primitive ∉ approved_set(declared_standard) despite explicit standard declaration in prompt.
MITIGATIONExplicitly require algorithm IDs (AES-256-GCM, HMAC-SHA256, ECDH-P384) in prompts. Verify output against approved algorithm lists. Never deploy AI-generated crypto without independent review.
REAL-WORLD CLASST8246 (libksba CWE-197 — primitives without formal verification). Numerous CVEs from deprecated hash usage in authentication systems.
VAF-015
SQL Injection via String ConcatenationCRITICALCODE_GENERATION

AI-generated Python database code constructs SQL queries using f-strings or string concatenation with unvalidated user-supplied parameters, producing SQL injection vulnerabilities even when PCI-DSS, HIPAA, or OSFI B-13 compliance is explicitly declared.

FORMAL CONDITIONquery_construction ∈ {f-string, string_concatenation, %-formatting} ∧ user_input_in_query = True ∧ parameterized_queries = False ∧ regulated_data_context = True
PROOF STRUCTURESAT: user_input contains SQL metacharacters ∧ parameterized=False → injected_query executes arbitrary SQL. Injection path reachable from any user-controlled field.
MITIGATIONAlways use parameterized queries: cursor.execute(query, (param,)). Never use f-strings for SQL construction. Verify AI output statically before deployment.
REAL-WORLD CLASSOWASP A03:2021. MOVEit SQL injection (CVE-2023-34362) — string-concatenated query in critical enterprise system.
VAF-016
Race Condition on Shared StateHIGHCODE_GENERATION

AI-generated multithreaded code performs unsynchronized read-modify-write operations on shared state (patient sensor values, aircraft position, trading balance) even when the prompt explicitly describes concurrent access. No mutex, atomic operation, or memory barrier is applied.

FORMAL CONDITIONshared_variable_access = True ∧ concurrent_threads ≥ 2 ∧ synchronization_primitive ∈ {} ∧ operation ∈ {read-modify-write, increment, assign}
PROOF STRUCTURESAT: thread_1 and thread_2 reach shared_var without lock → interleaving exists that produces corrupt state. Data race reachable in all concurrent configurations.
MITIGATIONUse std::atomic, pthread_mutex, or _Atomic in C. Include explicit thread model in AI prompts. Verify AI-generated concurrent code with ThreadSanitizer.
REAL-WORLD CLASSTherac-25 (1985) — race condition in C caused radiation overdose fatalities. Knight Capital (2012) — concurrent state mutation without synchronization.
VAF-017
TLS Certificate Verification BypassHIGHCODE_GENERATION

AI-generated HTTP client code sets verify=False, InsecureSkipVerify: true, or CERT_NONE — disabling TLS certificate validation — even when the prompt explicitly requires HTTPS security for regulated data (HIPAA PHI, PCI-DSS PAN, classified information).

FORMAL CONDITIONtls_verification = disabled ∧ endpoint_handles_regulated_data = True ∧ prompt_context ∈ {HIPAA, PCI-DSS, NATO-SECRET, OSFI, 3GPP-Uu}
PROOF STRUCTURESAT: tls_disabled ∧ regulated_endpoint → MITM_attack reachable and undetectable by client. Certificate spoofing path confirmed.
MITIGATIONNever generate verify=False in production code. Require certifi-backed verification. For lab environments, use proper CA certificates, not disabled verification. Apply static analysis to catch all verify=False patterns.
REAL-WORLD CLASSNumerous enterprise data breaches via MITM on internal APIs with disabled TLS verification. Found across MED/AERO/FIN/TELCO/DEF domains in benchmark.
VAF-018
OS Command Injection in Automation CodeCRITICALCODE_GENERATION

AI-generated Python automation or diagnostic code uses os.system() or subprocess.run(shell=True) with user-supplied parameters interpolated directly into shell command strings, creating OS command injection vulnerabilities in operational technology and defense lab environments.

FORMAL CONDITIONuser_input → shell_command_string (f-string or concat) ∧ shell=True ∧ sanitization=False ∧ deployment ∈ {medical_device, defense_lab, telecom_OAM, hospital_IT}
PROOF STRUCTURESAT: user_input contains shell metacharacters ∧ shell=True → arbitrary_command executes. COBALT confirms via AST injection path analysis.
MITIGATIONAlways use subprocess.run([cmd, arg1], shell=False). Never interpolate user input into shell strings. Use shlex.quote() if shell=True is unavoidable.
REAL-WORLD CLASSStuxnet (2010) — OT environment command injection. Hospital PACS system vulnerabilities via unsanitized diagnostic tooling.
VAF-019
Integer Overflow in Memory AllocationHIGHCODE_GENERATION

AI-generated C code allocates heap buffers using malloc(n * sizeof(T)) without verifying that the multiplication does not overflow, allowing an attacker to trigger an undersized allocation followed by heap corruption when the buffer is subsequently filled with n elements.

FORMAL CONDITIONallocation = malloc(n * sizeof(T)) ∧ overflow_check(n, sizeof(T)) = False ∧ n = runtime_attacker_controlled
PROOF STRUCTURESAT: n > SIZE_MAX / sizeof(T) → n * sizeof(T) wraps to small value → malloc returns undersized buffer → heap overflow when filled.
MITIGATIONCheck if (n > SIZE_MAX / sizeof(T)) return NULL; before malloc(n * sizeof(T)). Use calloc(n, sizeof(T)) which provides overflow-safe multiplication internally.
REAL-WORLD CLASSCVE-2004-0230 (integer overflow in malloc → heap overflow). OpenSSL/wolfSSL class of allocation vulnerabilities.
VAF-020
Safety Assurance Without Formal VerificationCRITICALCODE_GENERATION

An AI provider claims a model produces "safe" code for critical infrastructure based on training methodology (RLHF, Constitutional AI, safety fine-tuning) without providing formal proof of output correctness. The safety claim is unfalsifiable and unverifiable by downstream consumers.

FORMAL CONDITIONsafety_claim = True (RLHF / Constitutional AI) ∧ formal_proof_of_output_correctness = False ∧ domain ∈ {medical, aviation, financial, telecom, defense} ∧ vuln_rate > 0
PROOF STRUCTUREH₀: Constitutional AI → vuln_rate = 0. Empirical: Claude Opus 4.7 = 22%, GPT-5.5 = 18%, Gemini 3.1 Pro = 44%. H₀ rejected. Safety claims without formal verification are unfalsifiable.
MITIGATIONAI providers must publish domain-specific vuln rates as model specifications. Organizations must apply independent formal verification for AI-generated code in critical infrastructure. Standards bodies must mandate proof certificates.
REAL-WORLD CLASSAll critical infrastructure incidents from AI-generated unverified code. Regulatory gap: OSFI B-13 (Canada), EU AI Act Art. 9 (Europe), NIST AI RMF (USA) — none mandates formal verification of generated code.
HOW TO USE VASP
For security teams

Use VASP IDs to classify AI agent vulnerabilities in risk assessments and audit reports. Reference VAF-XXX in findings, just like CVE IDs.

For researchers

Cite as VASP v1.1 — Wick Security / QreativeLab, 2026. Reference arXiv:2604.05292 for the empirical benchmark. Contribute new failure modes via the VERDICT GitHub or contact veritas@qreativelab.io.

For regulators

VASP provides a formal, reproducible taxonomy for AI behavioral risk. Each entry includes a proof structure for independent verification.

CITATION
Blain, D. (2026). VASP: Verdict Agent Security Protocol v1.1 — A Formal Taxonomy of Behavioral Failure Modes in Agentic AI Systems and AI Code Generation Safety. Wick Security / QreativeLab. Empirical basis: COBALT-AI Safety Benchmark v1.0 (Claude Opus 4.7 / GPT-5.5 / Gemini 3.1 Pro · 100 prompts · 5 CI domains). https://veritas-chi-rosy.vercel.app/vasp

Scope: VASP v1.1 covers 20 formally provable failure modes across two layers: VAF-001–010 (runtime agentic behavioral failures) and VAF-011–020 (AI code generation safety failures, empirically grounded in the COBALT-AI Safety Benchmark v1.0 — 3 frontier models, 100 prompts, 5 critical infrastructure domains). Each formal condition is reproducible using the VERDICT/COBALT engine. This document does not constitute legal or regulatory compliance advice.

VERIFY YOUR AGENT AGAINST VASP
Run VERDICT Certification →