Building a 15-Layer AI Agent Security Stack

How AiEGIS governs AI agents in real time with sub-2ms enforcement

The Problem

Every major security vendor launched an AI agent product in April 2026. CrowdStrike, Microsoft, Palo Alto, Cisco, Exabeam — all announced agent security capabilities at RSAC. But there's a pattern: they all detect. None of them enforce.

Detection tells you an agent did something wrong. Enforcement prevents it from happening. When an enterprise AI agent in early 2026 posted wrong technical advice and exposed company data for two hours, every identity check passed. The agent had valid credentials and proper permissions. What was missing? Action-level governance — something that checks what an agent does, not just who it is.

The Architecture: 3 Stages, 15 Layers

AiEGIS uses a 3-stage pipeline:

Stage 1: Gate (Identity + Compliance)

If the agent isn't registered or doesn't meet compliance thresholds, it stops here.

Stage 2: Analyze (Parallel Security Checks)

These layers run on every action the agent takes. Clean actions pass in under 2ms.

Stage 3: Correlate (Cross-Layer Intelligence)

Layer 15: The Correlation Engine

L15 is where AiEGIS becomes fundamentally different. Instead of evaluating each layer independently, L15 takes all 14 layer outputs and finds patterns that no single layer could detect.

8 Detection Rules:

  1. Multi-Signal Escalation — A borderline injection (L6) combined with anomalous behavior (L12) from a new agent (L1) escalates to BLOCK. Each signal alone might be innocent. Together, they're an attack.
  2. Temporal Burst Detection — 3+ borderline requests in 60 seconds from the same agent = probing attack. Human analysts notice this in log review. L15 catches it in real time.
  3. Cross-Agent Coordination — Agent A probes while Agent B extracts. L15 correlates across agents to detect coordinated attacks that look innocent when viewed per-agent.
  4. Behavioral Drift — An agent that was 95% clean shifts to 70% blocked. L15 detects the drift and flags the agent as potentially compromised.
  5. Evasion Detection — Alternating clean and malicious requests = testing our defenses. L15 recognizes the pattern.
  6. Privilege Escalation Chains — Permission violation (L4) combined with escalation attempt (L6) = multi-layer attack.
  7. Kill Chain Detection — 6 attack chains modeled after NVIDIA AI Kill Chain and OWASP Agentic Top 10. L15 recognizes early steps of data exfiltration, privilege escalation, tool abuse, persistence attacks, prompt injection escalation, and cross-agent coordination — and flags them BEFORE the exploit phase.
  8. Cascading Failure Detection — 3+ agents blocked simultaneously = possible coordinated attack or system compromise. Closes OWASP ASI08.

Kill Chains: Predictive Security

Traditional security reacts to attacks. Kill chain detection predicts them.

Every attack follows a pattern: reconnaissance, enumeration, exploitation, exfiltration. L15 models 6 attack chains and detects them at the reconnaissance stage — before the agent reaches the exploitation step.

Example: An agent lists files in /etc (reconnaissance), then reads credentials (enumeration). A traditional firewall sees two file reads. L15 sees the beginning of a data exfiltration chain and escalates the risk score before the agent can extract or exfiltrate anything.
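
The /etc example above, written as a per-agent stage tracker. This is an added illustration, not AiEGIS code: the stage tags on each action, the FLAG/BLOCK thresholds, the 300-second window and all names are assumptions.

```python
from dataclasses import dataclass

# Stage order as listed in the article. The stage tag on each action is assumed to
# come from an upstream classifier; all names here are hypothetical, not AiEGIS code.
STAGES = ["reconnaissance", "enumeration", "exploitation", "exfiltration"]

@dataclass
class ChainState:
    done: int = 0           # number of consecutive stages completed so far
    last_seen: float = 0.0  # timestamp of the last action that advanced the chain

class KillChainTracker:
    def __init__(self, block_at=2, window_s=300.0):
        self.block_at = block_at  # assumed: completed stages that trigger BLOCK
        self.window_s = window_s  # assumed: idle seconds after which progress expires
        self.agents = {}

    def observe(self, agent_id, ts, stage):
        st = self.agents.setdefault(agent_id, ChainState())
        # Expire stale progress so unrelated actions far apart do not form a chain.
        if st.done and ts - st.last_seen > self.window_s:
            st.done = 0
        # Only the expected next stage advances; anything else leaves state unchanged.
        if st.done < len(STAGES) and stage == STAGES[st.done]:
            st.done += 1
            st.last_seen = ts
        if st.done >= self.block_at:
            return "BLOCK"
        return "FLAG" if st.done else "ALLOW"

# Constructed sample events: (agent_id, timestamp_seconds, stage tag or None).
EVENTS = [
    ("agent-a", 0.0, "reconnaissance"),   # lists files in /etc
    ("agent-a", 4.0, None),               # unrelated action while under watch
    ("agent-a", 9.0, "enumeration"),      # reads credentials: chain advances
    ("agent-b", 10.0, "enumeration"),     # credential read with no prior recon
    ("agent-c", 20.0, "reconnaissance"),
    ("agent-c", 920.0, "enumeration"),    # arrives after the window has expired
]

def run(events):
    tracker = KillChainTracker()
    return [tracker.observe(a, ts, s) for a, ts, s in events]

if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run(EVENTS)):
        print(ev, "->", verdict)
```

Two file reads from agent-a escalate to BLOCK because they arrive in chain order inside the window; the same credential read from agent-b, or from agent-c after the window lapses, does not.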

Performance

The entire 15-layer pipeline runs in under 2ms. L15's correlation adds 0.07ms to clean requests and under 2ms to complex multi-rule evaluations. At scale, this means governing 500+ agent actions per second on a single VPS.

What Makes This Different

Capability              | AiEGIS                  | Competitors
Runtime Enforcement     | Production              | Preview or Detection-only
Cross-Layer Correlation | 8 rules, 6 kill chains  | None
Kill Chain Detection    | Predictive              | Reactive
Agent Identity          | Vendor-neutral JWT      | Entra/Okta-locked
EU AI Act Compliance    | Full mapping            | None
Self-hosted             | Yes                     | SaaS-only

Every competitor announced agent security in April 2026. None announced agent governance. The distinction matters: security detects threats, governance prevents them.

Try It

The full 15-layer system is live at aiegis.ie/scan. Register an agent at /register, scan an action, and see governance in real time. 417 tests passing across 25 modules (verify: /opt/aegis/venv/bin/python tests/run_all_tests.py). 133+ patterns. Sub-2ms enforcement.