Agentegrity is the AI agent security framework developed by Cogensec for measuring the structural integrity of autonomous AI agents. It scores agent integrity across four dimensions — Adversarial Resistance (AR), Behavioral Consistency (BC), Recovery Integrity (RI), and Cross-domain Portability (CP) — to quantify how safely an agent behaves under adversarial and out-of-distribution conditions.
Agentegrity is an AI agent security framework developed by Cogensec that measures the structural integrity of autonomous AI agents. It quantifies agent integrity across four dimensions: Adversarial Resistance (AR), Behavioral Consistency (BC), Recovery Integrity (RI), and Cross-domain Portability (CP).
An AI agent security framework is a structured methodology for measuring, verifying, and improving the security posture of autonomous AI agents. Agentegrity is the first framework to score agents on endogenous (built-in) integrity rather than relying solely on external guardrails.
Agent integrity is measured using the Agentegrity score: a weighted composite of Adversarial Resistance (40%), Behavioral Consistency (25%), Recovery Integrity (15%), and Cross-domain Portability (20%). Each dimension is evaluated through standardized red-team tests and behavioral probes.
Endogenous security means safety and integrity properties live inside the agent itself — in its training, weights, and decision policies — rather than being bolted on as external filters or guardrails. Agentegrity is the discipline of building structurally sound agents from the inside out.
Guardrails are external filters that wrap an AI system at runtime. Agentegrity measures and improves the agent's own structural integrity so it remains safe even when guardrails fail, are bypassed, or are removed entirely. The two approaches are complementary: guardrails are reactive, Agentegrity is foundational.
Agentegrity was developed by the Cogensec Security Research Lab as a public framework for measuring and certifying the integrity of autonomous AI agents across digital and physical domains.
Agentegrity (agent + integrity) is an open framework, discipline, and reference implementation for measuring and verifying the structural integrity of autonomous AI agents. Created by Cogensec and released under Apache 2.0, it instruments an existing agent loop with four cooperating evaluation layers (adversarial, cortical, governance, recovery) and emits a tamper-evident, hash-chained record of every reasoning step.
Four integrity dimensions — Adversarial Resistance (AR), Behavioral Consistency (BC), Recovery Integrity (RI), Cross-Domain Portability (CP) — produce composite scores that map to four certification tiers: Certified, Conditional, Probationary, Non-Compliant.
Agentegrity (agent + integrity) is an open framework and discipline for measuring the structural integrity of autonomous AI agents. Created by Cogensec and released under Apache 2.0, it instruments an existing agent loop with four cooperating evaluation layers — adversarial, cortical, governance, recovery — and emits a tamper-evident, hash-chained record of every reasoning step.
Guardrails are exogenous: they sit outside the agent and try to filter inputs and outputs. Agentegrity is endogenous: it measures the agent's own structural integrity — whether it stays inside its declared profile, resists adversarial inputs, recovers cleanly, and remains consistent across domains. The two are complementary; Agentegrity does not replace guardrails.
Agentegrity ships first-party adapters for Anthropic Claude Agent SDK, LangChain / LangGraph, OpenAI Agents SDK, CrewAI, Google ADK, and the Vercel AI SDK. Each adapter translates framework-native events into Agentegrity's canonical event stream; the four evaluation layers downstream are shared.
Adversarial (detects prompt injection, jailbreaks, sociolinguistic intent drift, exfiltration framings in incoming inputs), Cortical (scores whether the agent's output stays inside its declared AgentProfile), Governance (applies operator policy and baseline deviation rules), and Recovery (handles checkpoint rollback, session termination, operator handoff).
Adversarial Resistance (AR), Behavioral Consistency (BC), Recovery Integrity (RI), and Cross-Domain Portability (CP). Composite scores across these dimensions produce certification tiers: Certified, Conditional, Probationary, Non-Compliant.
Every evaluation produces a record whose prev_hash field equals sha256 of the previous record. The chain is verifiable end-to-end at session close, providing non-repudiation of what the agent did and what each layer concluded. Records can be optionally signed using Ed25519 + JWS via the crypto extra.
Measure-only is the default: layers score and record events but never block tool calls. Setting enforce=True (Python) or enforce: true (TypeScript) on the adapter upgrades detected violations to active refusals. Most production deployments measure first, calibrate baselines, then enforce.
Yes. The full framework, specification, and reference adapters live at https://github.com/Cogensec/agentegrity-framework under the Apache 2.0 license. Cogensec maintains the project and ships an optional commercial agentegrity-pro receiver for enterprise deployments.
Python: pip install agentegrity (with optional extras like [crypto], [embedding], [adversarial_llm]). TypeScript: npm install @agentegrity/client plus the adapter for your framework, for example @agentegrity/langchain or @agentegrity/openai-agents. See the Quickstart at https://agentegrity.cogensec.com/docs/quickstart.
Agentegrity was created by Cogensec, an AI security and research company and member of the NVIDIA Inception Program. The founding research paper, "Agentegrity: A Framework for Measuring Structural Integrity of Autonomous AI Agents Across Digital and Physical Domains" by Tarique Smith, is published at https://cogensec.com/research/agentegrity-framework.
Security that lives inside the agent — not around it. Measure, verify, and guarantee the integrity of AI systems across every domain.
Why structural integrity must live inside the agent — not around it.
Agentegrity is a measurement and verification library — not a guardrail. Drop it into your existing stack with zero config.
pip install "agentegrity[claude]"from claude_agent_sdk import ClaudeSDKClient, ClaudeAgentOptions
from agentegrity.claude import hooks, report
async with ClaudeSDKClient(options=ClaudeAgentOptions(hooks=hooks())) as sdk:
await sdk.query("Summarize the latest LLM safety papers")
print(report())Runs locally. Never phones home to Cogensec or anyone else.
Produces evidence and signed attestations. Your governance policy decides what to do with them.
11 official adapters across Python and TypeScript. Custom adapters via the SessionExporter interface.
Three architectural layers that make security an endogenous property of the agent, not an external dependency.
Continuous red-team testing embedded directly into the agent's reasoning pipeline, detecting prompt injection and manipulation in real time.
Learn moreDeep behavioral anchors that maintain agent identity and value alignment across context shifts, tool use, and multi-turn conversations.
Learn moreStructural compliance verification and recovery mechanisms that operate without external monitoring dependencies.
Learn moreGuardrails, input/output filters, and boundary monitoring. Observes API patterns, enforces rate limits, and filters content at the perimeter.
Cortical models and embedded defenses. Monitors the agent's own reasoning, detecting drift and corruption at the source.
Certain attack classes — particularly those exploiting internal reasoning — are invisible to boundary-only monitoring. Endogenous defenses are the necessary complement.
Every autonomous agent operates in a continuous Perception → Decision → Action cycle. The framework maps where attacks enter and where defenses must operate.
Sensor input, API responses. Entry point for injection and poisoning.
Reasoning and planning. Target of memory corruption and value drift.
Tool calls, physical actuation. Source of cross-stage feedback attacks.
The most dangerous class: an adversary poisons tool outputs (Action) which feed back into Perception, corrupting subsequent Decision cycles. These are invisible to exogenous monitors.
Resilience against prompt injection, jailbreaks, and manipulation attempts.
Stability of agent behavior across diverse contexts and adversarial conditions.
Speed and completeness of return to baseline after perturbation.
Security property retention when agents move between digital and physical domains.
Adversarial resistance carries the highest weight — but all dimensions matter. Weights are configurable per deployment context.
A=0.35·AR+0.25·BC+0.20·RI+0.20·CP
Default weights. Physical AI deployments may increase CP weight.
Agent demonstrates robust endogenous defenses across all four dimensions. Suitable for high-stakes autonomous deployment.
Strong endogenous security with minor gaps. Minimal exogenous monitoring recommended.
Adequate baseline security. Exogenous guardrails should supplement endogenous defenses.
Significant security gaps. Heavy guardrail dependency required for safe operation.
Critically weak endogenous properties. Not recommended for autonomous operation.
No meaningful endogenous security. Entirely reliant on external defenses.
Agentegrity extends beyond digital agents. When AI drives robotic systems, autonomous vehicles, or drones, three novel threat classes emerge.
Adversarial prompts that cross the digital-physical boundary, causing embodied agents to take harmful real-world actions through manipulated reasoning.
Direct manipulation of an agent's physical actuators — motors, grippers, valves — bypassing its decision-making pipeline entirely.
Exploiting the gap between simulated training environments and real-world deployment to inject vulnerabilities during model transfer.
When agents collaborate, a single compromise can cascade. System-level Agentegrity measures containment and trust boundary preservation.
Fraction of agents uncompromised when one is breached. Higher CR = better containment.
Whether trust degrades gracefully — or collapses entirely — when agents are compromised.
Read the founding manifesto or explore the full research framework behind the Agentegrity Score.