arXiv · analysis signal

Agent-BOM: Graph-Based Auditing for LLM Agent Security

Towards Security-Auditable LLM Agents: A Unified Graph Representation

Signal thesis

Agent-BOM provides a unified, queryable audit graph for LLM agents, turning fragmented execution traces into structured paths that can be queried for security analysis.

Why it matters

As AI agents become autonomous and multi-agent ecosystems proliferate, traditional security auditing artifacts (SBOMs, runtime logs) fail to capture cognitive-state evolution, memory contamination, and cascading risks across agents. Agent-BOM offers a practical, unified representation that makes agent behavior auditable and accountable, which matters for enterprise adoption, incident response, and regulatory compliance.

Original source

https://arxiv.org/abs/2605.06812v1

Key takeaways

Read this first.

  1. Agent-BOM separates static capability bases (models, tools, memory) from dynamic runtime states (goals, reasoning, actions) via semantic edges and security attributes.
  2. The graph-query paradigm enables path-level risk assessment, mapping directly to OWASP Agentic Top 10 threats.
  3. Real-world attack reconstructions include cross-session memory poisoning, tool misuse, supply-chain hijacking, and privilege abuse across multi-agent systems.

Ecosystem impact

Where this changes the map.

For Researchers

Provides a formal framework for studying agent security, enabling systematic analysis of attack surfaces and defense mechanisms in LLM-based systems.

For Developers

Offers a blueprint for building auditable agent systems with built-in security tracing, making it easier to detect and debug malicious or unintended agent behaviors.

For Users

Increases trust in AI agent tools by enabling transparent, queryable audit trails—essential for compliance, incident response, and safety assurance.

Full English translation

Translated text.

Summary

LLM-based agentic systems are rapidly evolving to perform complex autonomous tasks through dynamic tool invocation, stateful memory management, and multi-agent collaboration. However, this semantics-driven execution paradigm creates a severe semantic gap between low-level physical events and high-level execution intent, making post-hoc security auditing fundamentally difficult. Existing representation mechanisms, including static SBOMs and runtime logs, provide only fragmented evidence and fail to capture cognitive-state evolution, capability bindings, persistent memory contamination, and cascading risk propagation across interacting agents.

To bridge this gap, the authors propose Agent-BOM, a unified structural representation for agent security auditing. Agent-BOM models an agentic system as a hierarchical attributed directed graph that separates static capability bases (models, tools, long-term memory) from dynamic runtime semantic states (goals, reasoning trajectories, actions). These layers are connected through semantic edges and security attributes, transforming fragmented execution traces into queryable audit paths. Building on Agent-BOM, the authors develop a graph-query-based paradigm for path-level risk assessment and instantiate it with the OWASP Agentic Top 10.

Key Contributions

  • Agent-BOM Graph Model: A hierarchical attributed directed graph that separates static capabilities from dynamic runtime states, connected via semantic edges and security attributes.
  • Path-Level Risk Assessment: A graph-query paradigm that maps execution paths to OWASP Agentic Top 10 threats, enabling systematic security auditing.
  • OpenClaw Plugin Implementation: A working auditing plugin that constructs Agent-BOM from live agent executions in the OpenClaw environment.
  • Attack Chain Reconstruction: Demonstrated ability to reconstruct stealthy attack chains including cross-session memory poisoning, tool misuse, capability supply-chain hijacking, unexpected code execution, multi-agent ecosystem hijacking, and privilege/trust abuse.
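
To make the graph model and the path-query paradigm concrete, the following is an added example (this editor's own code, not the paper's implementation or the OpenClaw plugin). It builds a small attributed directed graph from a constructed two-session trace, keeps static capability nodes (tool, memory) apart from runtime nodes (goal, reasoning, action, observation), labels edges with semantic relations, and runs one path query for the cross-session memory-poisoning pattern named above. The node kinds, the attribute names (trust, privilege, scope, session), the relation labels and the query rule itself are assumptions chosen for illustration, not the paper's schema.

```python
# Added example (editor's own code, not the paper's schema or the OpenClaw plugin).
# Node kinds, attribute names, relation labels and the query rule are assumptions;
# the trace below is constructed, not captured from a real agent.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Tuple


@dataclass
class Node:
    nid: str
    layer: str      # "static" capability base or "runtime" semantic state
    kind: str       # tool | memory | model | goal | reasoning | action | observation
    attrs: Dict[str, object] = field(default_factory=dict)   # security attributes


class AuditGraph:
    """Attributed directed graph; every edge carries a semantic relation label."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.out: Dict[str, List[Tuple[str, str]]] = {}   # src -> [(dst, relation)]

    def add_node(self, nid: str, layer: str, kind: str, **attrs: object) -> None:
        self.nodes[nid] = Node(nid, layer, kind, dict(attrs))
        self.out.setdefault(nid, [])

    def add_edge(self, src: str, dst: str, relation: str) -> None:
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"dangling edge {src} -> {dst}")
        self.out[src].append((dst, relation))

    def paths(self, is_source: Callable[[Node], bool],
              is_sink: Callable[[Node], bool], max_len: int = 12) -> Iterator[List[str]]:
        """DFS over simple paths from any source-matching node to any sink-matching node."""
        def walk(path: List[str]) -> Iterator[List[str]]:
            if len(path) > 1 and is_sink(self.nodes[path[-1]]):
                yield list(path)
            if len(path) >= max_len:
                return
            for dst, _ in self.out[path[-1]]:
                if dst not in path:                    # simple paths only
                    yield from walk(path + [dst])
        for nid, node in self.nodes.items():
            if is_source(node):
                yield from walk([nid])

    def describe(self, path: List[str]) -> str:
        """Render a path with its relation labels, as an audit report would."""
        parts = [path[0]]
        for a, b in zip(path, path[1:]):
            rel = next(r for d, r in self.out[a] if d == b)
            parts.append(f"-[{rel}]-> {b}")
        return " ".join(parts)


def build_sample_trace(reader_session: str = "s2") -> AuditGraph:
    """Constructed two-session trace: session s1 fetches untrusted web content and
    stores a note in long-term memory; `reader_session` later recalls the note and
    invokes a high-privilege tool (pass "s1" to make the recall same-session)."""
    g = AuditGraph()
    g.add_node("tool:web_fetch", "static", "tool", trust="untrusted")     # capability base
    g.add_node("tool:shell_exec", "static", "tool", privilege="high")
    g.add_node("mem:notes", "static", "memory", scope="long_term")
    r = reader_session
    runtime = [("s1:goal", "goal", "s1"), ("s1:act1", "action", "s1"),
               ("s1:obs1", "observation", "s1"), ("s1:reason1", "reasoning", "s1"),
               ("s1:act2", "action", "s1"), (f"{r}:goal2", "goal", r),
               (f"{r}:recall", "reasoning", r), (f"{r}:exec", "action", r)]
    for nid, kind, session in runtime:
        g.add_node(nid, "runtime", kind, session=session)
    edges = [("s1:goal", "s1:act1", "plans"), ("s1:act1", "tool:web_fetch", "invokes"),
             ("tool:web_fetch", "s1:obs1", "returns"), ("s1:obs1", "s1:reason1", "informs"),
             ("s1:reason1", "s1:act2", "plans"), ("s1:act2", "mem:notes", "writes"),
             (f"{r}:goal2", f"{r}:recall", "plans"), ("mem:notes", f"{r}:recall", "recalled_by"),
             (f"{r}:recall", f"{r}:exec", "plans"), (f"{r}:exec", "tool:shell_exec", "invokes")]
    for src, dst, rel in edges:
        g.add_edge(src, dst, rel)
    return g


def find_cross_session_memory_poisoning(g: AuditGraph) -> List[List[str]]:
    """Path query (rule is an assumption): untrusted capability -> ... -> long-term memory
    -> ... -> high-privilege capability, with the memory write and read in different sessions."""
    def untrusted(n: Node) -> bool:
        return n.layer == "static" and n.attrs.get("trust") == "untrusted"

    def privileged(n: Node) -> bool:
        return n.layer == "static" and n.attrs.get("privilege") == "high"

    hits: List[List[str]] = []
    for path in g.paths(untrusted, privileged):
        for i in range(1, len(path) - 1):
            n = g.nodes[path[i]]
            if n.kind == "memory" and n.attrs.get("scope") == "long_term":
                writer = g.nodes[path[i - 1]].attrs.get("session")
                reader = g.nodes[path[i + 1]].attrs.get("session")
                if writer and reader and writer != reader:
                    hits.append(path)
                    break
    return hits
```

Calling `find_cross_session_memory_poisoning(build_sample_trace())` returns one path, which `describe` renders as a relation-labelled chain from tool:web_fetch through mem:notes to tool:shell_exec; that rendered chain is the "queryable audit path" the summary talks about. With `build_sample_trace("s1")` the same write and read sit in one session and the rule does not fire, which shows why each query encodes an explicit threat pattern rather than a generic taint check: a same-session poisoning needs its own rule.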

Implications

For Researchers

Agent-BOM provides a formal, unified framework for studying agent security that has been lacking in the field. Researchers can now systematically analyze attack surfaces, compare defense mechanisms, and develop graph-based detection algorithms. The alignment with OWASP Agentic Top 10 provides a common taxonomy for security research, enabling reproducible benchmarks and comparative studies across different agent architectures.

For Developers

Developers building agent frameworks and tools can adopt Agent-BOM as a standard auditing layer. The graph-based representation makes it straightforward to implement security tracing, debug unexpected agent behaviors, and generate compliance reports. The OpenClaw plugin demonstrates a practical path to integration, suggesting that similar plugins could be built for LangChain, AutoGPT, and other popular frameworks.

For Users

For end users of AI agent tools, Agent-BOM represents a significant step toward trustworthy autonomous systems. The ability to query and audit agent behavior post-hoc means that organizations can deploy agents with greater confidence, knowing that security incidents can be investigated and root causes identified. This is particularly critical for enterprise deployments where regulatory compliance and incident response are mandatory.

What to watch next

Follow-up signals.

  • Integration of Agent-BOM into popular agent frameworks (LangChain, AutoGPT) as a standard auditing plugin.
  • Development of automated graph-based attack detection and real-time alerting systems for agent ecosystems.

Source and permission

Trace the origin.

Original title
Towards Security-Auditable LLM Agents: A Unified Graph Representation
Source
arXiv
Author
Chaofan Li
Original date
2026-05-07
Permission
open_license
Published
2026-05-26
Source URL
https://arxiv.org/abs/2605.06812v1