
AI Security · Playbook

Autonomous Systems Security

A CISO Playbook for Agentic and Defense-Adjacent AI

Palmer Luckey sat with TBPN on 2025-10-21 for a three-and-a-half hour conversation about Anduril, autonomy doctrine, and the platforms his company builds (Lattice OS, Ghost, Sentry). He returned to the same themes on the Axios Show in March 2026. The defense world has been building the security architecture for autonomous systems for the better part of a decade because the cost of getting it wrong is unsurvivable. Enterprise CISOs are now building the same architecture at lower stakes for agentic AI deployments and most of them do not know that the defense playbook is the playbook they are building toward. This page is the translation.

Autonomous Systems Security: CISO Playbook for Agentic AI

30-SECOND EXECUTIVE TAKEAWAY

  • The architecture is the same; the stakes are different. Mission boundary, identity and provenance, sensor integrity, action authorization, observability and override. Five layers, one playbook, two operating contexts.
  • Most enterprise agentic deployments skip layers 2 and 4. Attestation and default-deny action authorization are the two layers an enterprise CISO can ship next quarter that close 60 to 80 percent of the realistic threat surface.
  • Override has to be drilled. A kill path that has only been tabletop-tested is not a kill path. The defense world learned this expensively; the enterprise world is about to.

What the defense world figured out first

Autonomous and human-on-the-loop systems in defense have been shipping in operational quantity since roughly the late 2010s. The category includes platforms like the Anduril Ghost (autonomous aircraft), Sentry (fixed surveillance towers), Shield AI’s V-BAT and Hivemind, Skydio’s autonomy stack, and the broader portfolio of programs that fall under DoD autonomy doctrine. The security architecture that emerged across these programs has a recognizable shape because the failure modes are catastrophic. A platform with a tampered weight file or a comms stack that accepts unauthenticated commands is not a bug; it is a casualty event.

Luckey’s TBPN appearance on 2025-10-21 is one of the most accessible public articulations of the doctrine. The Anduril position, summarized: build platforms that are dumb enough to be auditable and connect them to a fused-state command layer (Lattice OS) that does the cognitive work and the authorization gating. The platforms attest their own state; the command layer enforces the mission boundary; humans remain on the loop for irreversible action. The pattern repeats across every credible defense-grade autonomy program because no other pattern has survived contact with the real adversary.

Enterprise agentic AI deployments in 2026 are a less consequential version of the same architectural problem. The agent has a mission, the agent has tools, the tools have permissions, the inputs may be adversarial, and the action consequences are real even when they are not lethal. The playbook below maps the five layers of the defense architecture onto the enterprise context.

FIVE LAYERS

The architecture, in order

Each layer is necessary; none is sufficient. The discipline is to ship them in the order shown, because earlier layers are prerequisites for the integrity of the later ones. A default-deny action authorization scheme is meaningless if the identity layer is compromised, and the identity layer is meaningless without attestation.

L1

Mission boundary

A written, machine-readable definition of what the system is authorized to decide on its own and what it must defer to a human. The boundary is the policy artifact the rest of the stack enforces.

What it looks like in practice: Author the boundary per mission class. Review at the same cadence as any other policy artifact. Encode it in the system, not in training data.

L2

Identity and provenance

Every action is signed by the system identity. Every model, weight set, firmware, and dependency is attested at load time. Without this layer, supply-chain attacks land silently.

What it looks like in practice: Hardware roots of trust where stakes justify it. SBOM and model-BOM for everything else. Reject any artifact whose attestation does not verify, even at deployment cost.
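An added example of the load-time check this layer describes (not code from the page or from any of the named vendors): a model-BOM manifest that digests every artifact and is signed by the release pipeline, and a loader that refuses to start if the signature, any digest, or the artifact inventory does not match. The artifacts, the manifest schema and the signing key are constructed; HMAC stands in for the asymmetric signature a hardware root of trust would produce.

```python
import hashlib
import hmac
import json

# Constructed sample bundle: artifact name -> bytes. A real loader would read
# weights, signed tool definitions and firmware from disk or object storage.
ARTIFACTS = {
    "weights.safetensors": b"\x00\x01constructed-weights-v3",
    "tools/search.json": b'{"name":"search","scope":"read-only"}',
    "firmware.bin": b"\x7fELFconstructed-firmware",
}

# Assumed release-pipeline signing key. HMAC-SHA256 is a stand-in for the
# Ed25519/attestation-key signature a production root of trust would use.
SIGNING_KEY = b"constructed-release-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Model-BOM: digest every artifact, then sign the canonical JSON body."""
    entries = {name: sha256(data) for name, data in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "sig": hmac.new(SIGNING_KEY, body, "sha256").hexdigest()}


def verify_at_load(manifest: dict, artifacts: dict) -> tuple:
    """Default-reject: any signature, digest or inventory mismatch fails the load."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, ["manifest signature does not verify"]
    failures = []
    for name, digest in manifest["entries"].items():
        if name not in artifacts:
            failures.append(f"missing artifact: {name}")
        elif not hmac.compare_digest(digest, sha256(artifacts[name])):
            failures.append(f"digest mismatch: {name}")
    # Anything present on the platform but absent from the manifest is
    # unattested and fails the load just as a tampered file would.
    for name in artifacts:
        if name not in manifest["entries"]:
            failures.append(f"unattested artifact: {name}")
    return (not failures), failures
```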

L3

Sensor and input integrity

All inputs, including from peer autonomous systems, are treated as untrusted. The threat model includes adversarial sensor spoofing, prompt injection through documents or images, and compromised peer-system messages.

What it looks like in practice: Input validation against schemas. Anomaly detection on sensor streams. Mutual authentication between peer systems. No implicit trust on a fused state.

L4

Action authorization

Default-deny on every capability. Each action class requires explicit authorization, with the authorization scope tied to the mission boundary. Irreversible actions require a higher tier of authorization than reversible ones.

What it looks like in practice: Capability-based permissions. Per-action audit. Two-person authorization on the most consequential actions. Human-on-the-loop or human-in-the-loop policies per mission class.
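An added example tying layers 1 and 4 together (illustrative code, not the page's or any vendor's): a machine-readable mission boundary for one workflow, and a default-deny gate that authorizes each action class by tier, requires more distinct approvers for higher tiers, refuses to let an irreversible action sit in the autonomous tier, and writes a per-action audit record. The workflow, action names and tier schema are constructed.

```python
import json
from dataclasses import dataclass

# Constructed mission boundary for one agent workflow. Any action not listed
# here is denied; the schema is assumed, not a published standard.
MISSION_BOUNDARY = json.loads("""
{
  "workflow": "invoice-triage",
  "actions": {
    "ticket.read":     {"tier": "autonomous", "reversible": true},
    "ticket.comment":  {"tier": "autonomous", "reversible": true},
    "ticket.close":    {"tier": "human",      "reversible": true},
    "payment.release": {"tier": "two_person", "reversible": false}
  }
}
""")

# Tier order and how many distinct human approvers each tier needs.
TIER_RANK = {"autonomous": 0, "human": 1, "two_person": 2}
REQUIRED_APPROVERS = {"autonomous": 0, "human": 1, "two_person": 2}

AUDIT_LOG = []  # per-action audit trail; a real system ships this out-of-band


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(boundary: dict, action: str, approvers: tuple = ()) -> Decision:
    """Default-deny gate: unknown actions, under-approved tiers and
    irreversible-but-autonomous policy entries are all refused."""
    spec = boundary["actions"].get(action)
    distinct = set(approvers)
    if spec is None:
        d = Decision(False, "action not in mission boundary")
    elif not spec["reversible"] and TIER_RANK[spec["tier"]] < TIER_RANK["human"]:
        # Treat this as a policy authoring error, not something to honour.
        d = Decision(False, "irreversible action cannot be in the autonomous tier")
    elif len(distinct) < REQUIRED_APPROVERS[spec["tier"]]:
        d = Decision(False, f"tier {spec['tier']} needs "
                            f"{REQUIRED_APPROVERS[spec['tier']]} distinct approver(s)")
    else:
        d = Decision(True, f"authorized at tier {spec['tier']}")
    AUDIT_LOG.append({"workflow": boundary["workflow"], "action": action,
                      "approvers": sorted(distinct), "allowed": d.allowed, "reason": d.reason})
    return d
```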

L5

Observability and override

Full action and decision logs. Override paths that have been tested in drill, not assumed. Kill switches that actually disconnect the platform, with reset paths that do not allow silent re-arm.

What it looks like in practice: Out-of-band telemetry. Independent kill channel. Quarterly drills with the actual override path, not a tabletop. Forensic preservation built into the platform from day one.

The translation: defense to enterprise

The mapping below is what makes the playbook portable. The vocabulary changes; the architecture does not. A CISO running an agentic AI program in financial services or healthcare in 2026 has a different threat model from a defense integrator, but the layers and the disciplines are the same. The translation is the part that most enterprise security teams have not yet absorbed because the defense vocabulary feels foreign and the enterprise vocabulary feels insufficient.

Defense context → Enterprise translation
Mission boundary per platform class (loiter-only vs engagement-authorized) → Agent mission boundary per workflow (read-only vs write-back vs autonomous-action)
Platform attestation (firmware, weights, comms) → Model and tool attestation (which weights, which version, which signed tool definitions)
Sensor spoofing (radar, electro-optical, RF) → Prompt injection (documents, retrieved content, peer-agent messages)
Engagement authorization (rules of engagement, human-in-the-loop on lethal action) → Tool authorization (default-deny on tool invocation, human approval on irreversible actions)
Override and kill channel (out-of-band command) → Agent session kill (immediate revocation of capability, forced context teardown)
Drill: simulated engagement under degraded comms → Tabletop and live: simulated prompt injection, simulated agent compromise, recovery test

Where the OWASP LLM Top 10 stops and this playbook starts

The OWASP LLM Top 10 covers most of what a single-model, single-prompt LLM application has to defend against. Once the system is autonomous, has a tool surface, and operates with reduced human oversight, the Top 10 is still relevant but not sufficient. The gaps are at layers 1, 2, and 4 of the architecture above. Mission boundary is not an OWASP concern; it is a policy artifact upstream of the engineering checklist. Platform and model attestation goes beyond LLM03 (supply chain) into hardware roots of trust and signed tool definitions. Action authorization beyond LLM06 (excessive agency) becomes a capability-based permissions model with tiered authorization on irreversible actions.

The cross-link here is to the rest of the AI security cluster: the LLM security guide covers the OWASP Top 10 baseline, the agentic AI security guide covers the agent-specific extension, and this page covers the autonomous and defense-adjacent extension on top of both.

The six-step CISO playbook

The playbook below is what a CISO can ship in one quarter against an existing agentic AI deployment. It assumes the deployment exists and is in production or near-production; the order is the order of decreasing payoff per dollar of effort. Steps 2 and 3 close the largest realistic threat surface and are the ones most enterprise teams have not done.

  1. Inventory every autonomous or agentic AI deployment in the organization, with the mission boundary, tools, and authorization tier for each.
  2. For each deployment, name the action classes and write the default-deny posture for the consequential ones explicitly.
  3. Establish model and tool attestation for the deployment. Reject artifacts that do not verify.
  4. Add prompt injection and sensor-equivalent attacks to the red-team playbook. Test peer-agent compromise scenarios.
  5. Verify the override and kill path in drill. Tabletop is not sufficient for any deployment with write-back authorization.
  6. Tie the autonomous-systems risk register to the broader AI risk register. Review at quarterly cadence.

The talent question, briefly

Securing autonomous AI systems requires a combination of skills that is not common at any single vendor or integrator: ML systems engineering, applied cryptography, security architecture, and the operational discipline that comes from having to run something that cannot fail. The compensation reflects the rarity. The salary side of the same conversation, broken down by mission profile, sits at the AI engineer salary by mission guide on the sibling site, with defense and autonomy as one of the named missions.

For an enterprise CISO the practical implication is that the talent pool for this work is small and concentrated, and the build path is expensive. The build-vs-buy decision on the security layer of an autonomous AI program is one of the most consequential in the program, and it is not obvious in either direction.

Autonomous Systems Security: Frequently Asked Questions

How do you secure autonomous AI systems?
Five layers, in order. Mission boundary (what the system is allowed to decide on its own, what it must defer). Identity and provenance (every action signed, every model and weight attested). Sensor and input integrity (treat all inputs, including from peer systems, as untrusted). Action authorization (default-deny on irreversible actions, signed permissions per capability). Observability and override (full action logs, kill paths verified in drill, not assumed). The Anduril Lattice OS model is one production example of how this stack is composed for defense workloads, and the same shape applies in enterprise contexts at lower stakes.
What are the risks of autonomous AI?
Three categories matter for security. First, prompt and sensor injection: adversarial inputs that override mission intent. Second, excessive agency: the system can take actions whose blast radius exceeds the cost of failure. Third, attestation and supply chain: the model weights, the firmware, or the comms stack on the platform may have been tampered with before deployment. The first two are the OWASP LLM Top 10 lineage; the third is what defense-grade thinking adds that enterprise threat models usually omit.
What is Lattice OS?
Lattice is Anduril’s software platform for autonomous and human-on-the-loop systems. Palmer Luckey has described it across multiple public appearances, including his full TBPN interview on 2025-10-21, as the layer that ingests sensor data, fuses it, and assigns tasks to autonomous platforms (Ghost, Sentry, Anvil, others). For an enterprise CISO the relevant feature is the architectural pattern: a fused-state command layer with attested platforms underneath, action authorization gated through human-on-the-loop or fully autonomous policies per mission class. That pattern generalizes; the specific implementation is regulated.
What are Ghost and Sentry in the Anduril stack?
Ghost is Anduril’s autonomous aircraft family (originally Ghost 4, with later variants); Sentry is the fixed surveillance tower line with onboard AI for detection and classification. Both are platforms in the Lattice OS sense: they expose capabilities upward to the command layer and consume mission authorization downward. For the playbook on this page they matter as named, public reference points for what attested-platform autonomy looks like in practice.
What company is leading in AI security?
There is no single leader; the layer matters. For model-supply-chain attestation, ProtectAI and HiddenLayer are common enterprise picks. For LLM gateways and prompt injection defense, Lakera, Robust Intelligence (acquired by Cisco), and PromptArmor cover most of the market. For autonomous and defense-adjacent systems, the platform layer is dominated by integrators (Anduril, Shield AI, Palantir) rather than pure security vendors. Pick by problem, not by brand.
How is AI used in security and defense?
In defense, AI shows up at the sensor layer (target recognition, signal classification), the fusion layer (state estimation across platforms), the planning layer (route, task, and engagement planning), and the action layer (autonomous or semi-autonomous platform behavior). In enterprise security the equivalents are detection, correlation, response orchestration, and autonomous remediation. The threat models are different in stakes but similar in architectural shape, which is why the defense playbook generalizes upward into enterprise practice.
What is the NIST AI RMF playbook?
NIST AI RMF (Risk Management Framework) and its companion playbook describe a Govern-Map-Measure-Manage cycle for AI systems. The Generative AI Profile (NIST AI 600-1) extends it to GenAI. For autonomous and agentic systems the framework is necessary but not sufficient; it does not say much about platform attestation, mission boundary authorization, or the human-on-the-loop pattern. Pair the AI RMF with DoD-style autonomy doctrine for full coverage in defense-adjacent contexts.
Who are the Big 4 AI agents?
The phrase is informal and the membership shifts. As of 2026 the consumer and enterprise agent platforms most commonly grouped together are OpenAI (Operator, ChatGPT agents), Anthropic (Claude with Computer Use and Skills), Google (Project Astra, Gemini agents), and one of Microsoft Copilot agents, Salesforce Agentforce, or an Anduril-class defense agent platform depending on the framing. The security architecture below applies to all of them in different ways.
Thomas Prommer Technology Executive — CTO/CIO/CTAIO

These salary reports are built on firsthand hiring experience across 20+ years of engineering leadership (adidas, $9B platform, 500+ engineers) and a proprietary network of 200+ executive recruiters and headhunters who share placement data with us directly. As a top-1% expert on institutional investor networks, I've conducted 200+ technical due diligence consultations for PE/VC firms including Blackstone, Bain Capital, and Berenberg — work that requires current, accurate compensation benchmarks across every seniority level. Our team cross-references recruiter data with BLS statistics, job board salary disclosures, and executive compensation surveys to produce ranges you can actually negotiate with.

Continue the AI security cluster

Autonomous and defense-adjacent AI sits on top of the broader stack. The rest of the cluster covers the baseline.