VASP — Verdict Agent
Security Protocol
A formal taxonomy of behavioral failure modes in agentic AI systems. Each entry defines a formally provable condition under which a harmful behavioral path becomes reachable.
Cite as: VASP v1.1 — Wick Security / QreativeLab, 2026
Agent executes consequential actions in a high-risk domain without a mandatory human confirmation gate. The absence of approval enforcement is structurally detectable at the configuration level.
Agent operates outside defined operational limits — position size, spending cap, rate limit — under reachable configurations. No automatic halt when the threshold is breached.
Untrusted external content (user input, retrieved documents, web pages) reaches the agent's tool selection layer without sanitization. An adversarial instruction embedded in input can redirect tool invocation.
Agent trained or tuned on a proxy metric continues optimizing that metric after deployment context shifts away from training distribution. No drift monitor detects the divergence before downstream harm.
Agent with shell or filesystem access operates without an explicit scope restriction. No allowlist constrains which directories, processes, or external systems are accessible.
Safety and behavioral constraints placed early in a long context window become unreachable due to truncation as the session extends. Agent operates without constraints in long tasks.
Two or more agents sharing writable state can coordinate to bypass per-agent operational constraints — each agent individually within limits, but the combined effect exceeds policy bounds. No audit trail detects the coordination.
Agent with access to sensitive personal data has an outbound HTTP channel without output filtering. Sensitive data can be included in structured responses or HTTP requests reaching external endpoints.
Agent retrieves external documents into context without validation of document origin or content integrity. Adversarially crafted documents in the knowledge base can override agent behavior or inject instructions.
Agent writes to persistent memory without content validation or decay mechanism. Over time, adversarial or erroneous entries accumulate and systematically bias future agent behavior across sessions.
Empirically grounded in COBALT-AI Safety Benchmark v1.0 · Claude Opus 4.7 · GPT-5.5 · Gemini 3.1 Pro · 100 prompts · 5 CI domains
An AI code generation model produces security-vulnerable code even when the prompt explicitly declares a safety-critical deployment context (FDA-regulated medical device, DO-178C avionics, IEC 62443 ICS). The model does not apply heightened constraints in response to declared context.
AI-generated C/C++ safety-critical arithmetic (dose calculations, fuel flow, timer values, packet lengths) contains unguarded integer multiplication that can overflow, producing incorrect results without detection. No bounds check or saturating arithmetic applied.
AI-generated C code for network protocol parsing copies variable-length input into a fixed-size local array without length validation, using strcpy/memcpy/recv with the destination size as the assumed limit. Remote overflow is reachable.
AI-generated cryptographic code selects broken primitives (MD5, SHA-1, DES, RC4, AES-ECB, custom XOR) even when the prompt explicitly requires FIPS 140-3 or NSA Suite B compliance. The model applies training-distribution patterns over declared security requirements.
AI-generated Python database code constructs SQL queries using f-strings or string concatenation with unvalidated user-supplied parameters, producing SQL injection vulnerabilities even when PCI-DSS, HIPAA, or OSFI B-13 compliance is explicitly declared.
AI-generated multithreaded code performs unsynchronized read-modify-write operations on shared state (patient sensor values, aircraft position, trading balance) even when the prompt explicitly describes concurrent access. No mutex, atomic operation, or memory barrier is applied.
AI-generated HTTP client code sets verify=False, InsecureSkipVerify: true, or CERT_NONE — disabling TLS certificate validation — even when the prompt explicitly requires HTTPS security for regulated data (HIPAA PHI, PCI-DSS PAN, classified information).
AI-generated Python automation or diagnostic code uses os.system() or subprocess.run(shell=True) with user-supplied parameters interpolated directly into shell command strings, creating OS command injection vulnerabilities in operational technology and defense lab environments.
AI-generated C code allocates heap buffers using malloc(n * sizeof(T)) without verifying that the multiplication does not overflow, allowing an attacker to trigger an undersized allocation followed by heap corruption when the buffer is subsequently filled with n elements.
An AI provider claims a model produces "safe" code for critical infrastructure based on training methodology (RLHF, Constitutional AI, safety fine-tuning) without providing formal proof of output correctness. The safety claim is unfalsifiable and unverifiable by downstream consumers.
Use VASP IDs to classify AI agent vulnerabilities in risk assessments and audit reports. Reference VAF-XXX in findings, just like CVE IDs.
Cite as VASP v1.1 — Wick Security / QreativeLab, 2026. Reference arXiv:2604.05292 for the empirical benchmark. Contribute new failure modes via the VERDICT GitHub or contact veritas@qreativelab.io.
VASP provides a formal, reproducible taxonomy for AI behavioral risk. Each entry includes a proof structure for independent verification.
Scope: VASP v1.1 covers 20 formally provable failure modes across two layers: VAF-001–010 (runtime agentic behavioral failures) and VAF-011–020 (AI code generation safety failures, empirically grounded in the COBALT-AI Safety Benchmark v1.0 — 3 frontier models, 100 prompts, 5 critical infrastructure domains). Each formal condition is reproducible using the VERDICT/COBALT engine. This document does not constitute legal or regulatory compliance advice.