LAMINA

7+1 Layered Architecture Model for Securing Agentic AI

LAMINA structures the security capabilities for agentic AI into enforcement-first layers — seven technical layers plus a foundational governance layer — so identity, policy, interaction, data, and runtime each have a place where control is enforced outside the agent. Aligned to the OWASP Agentic Top 10 / MCP guidance and CSA's IAM for Agentic AI. Built for security architects, platform and IAM teams, and CTOs designing the AI control plane.

Moving from a single GenAI app to autonomous agents multiplies the actors and the actions. One agent becomes many identities, calling many tools, touching many data stores. PALIM's lesson still holds — security cannot live inside the model — but now it has to hold across a whole control plane.

That's why LAMINA is enforcement-first and layered on purpose: assume any single control fails — prompt injection is always feasible — and make the next layer contain the damage.

Foundation

  • Layer 0 — Governance & Accountability. Organizational ownership, lifecycle governance, and compliance — what must be true before production.

Seven technical layers

  • Layer 1 — Identity, Trust & Delegation. Who or what an agent is allowed to act as.
  • Layer 2 — Policy Engine / Intent Gate. Deterministic policy decisions — translating organizational intents into rules that downstream layers enforce.
  • Layer 3 — Interaction & Protocol Security. Controlled, inspectable interaction paths — where policy decisions are enforced between agents, tools, and models.
  • Layer 4 — Context, Memory & Data Controls. What information agents can access, retain, and propagate — enforced at the data layer.
  • Layer 5 — Runtime Containment. How far an agent can go when something goes wrong — enforced by the runtime itself.
  • Layer 6 — Assurance & Continuous Testing. Whether agent behavior remains acceptable over time.
  • Layer 7 — Observability, Posture & Response. What is happening — and how the organization responds.

How decision and enforcement split across layers. Layer 2 is where policy is decided — deterministically, before any action runs. The decision is then enforced at the points where the agent actually touches something: at interaction boundaries (Layer 3), at the data layer (Layer 4), and at runtime (Layer 5). Layer 7 carries the operational tail — revoking credentials, killing an agent, restoring baseline — when enforcement fails or behavior drifts. This split is deliberate: a single all-in-one policy layer cannot enforce decisions at every place an agent touches the world.

Apply LAMINA by placing each security capability in the layer that enforces it, then checking that the layer below still contains the damage when the layer above fails. Map your threats with the OWASP Agentic Top 10 and MAESTRO, and assign each layer an owner — identity to IAM, choke points to gateway teams, runtime to the execution platform. The test mirrors PALIM: if a control depends on the agent choosing to honor it, it belongs one layer down, enforced deterministically.

Further reading:

  • Deep dive article (work in progress)

PALIM secures one GenAI application. LAMINA structures the enforcement layers for a full agentic control plane — where PALIM's principles scale across many agents, tools, and data stores. → Explore PALIM.