Day 4 · Lesson 1 — Agent Security & Evaluation

Two Axes of Trust & the 7 Pillars

Security asks if it stayed in bounds. Evaluation asks if what it did was any good.

Days 1–3 built the system. Day 4 asks the question that decides whether you can ship it: can you trust it? Trust splits cleanly into two axes that must both hold, and for you specifically, the security half maps almost pillar-for-pillar onto the VERDICT framework.

Recall first (spacing — from Day 1)

From Day 1: what verifies the non-deterministic parts of an agent's behaviour?

  • Unit tests
  • Evals (rubrics, judges)
  • The compiler

Evals. Day 4 is the deep version of that idea, the full evaluation framework, paired with its twin, security. Together they are the two axes of trust.

The one idea: two axes of trust

In deterministic software, trust is binary. It compiles, tests pass, the token is valid. An agent shatters that: it can hold a valid token and still act with misaligned intent. So trust must be redefined across two distinct axes:1

SECURITY     did the agent stay INSIDE the boundary?     (safe, no malicious action)
EVALUATION   is what happened INSIDE that boundary        (quality, alignment,
             actually worth shipping?                      "did it build what I meant?")

Crucially, they're independent: a vibe-coded agent can pass every security check and still misread your intent, ignore conventions, or silently break a feature. Security proves no harm; evaluation proves value. You need both. This is the governance "readiness map" from Day 1, at the level of a single agent's trust.

The paper names the goal Effective Trust: a continuous metric earned, verified, and dynamically enforced on runtime context, rather than a gate passed once at deployment. Static identity is a poor perimeter; the model is "Context-as-a-Perimeter."1

The security foundation: 7 pillars

Because the model itself might fail or be compromised, security can't live inside the AI. It's an external "safety envelope" across seven disciplines, each owned by a different role:1

#PillarGuards against
1Infrastructure & Networkingcontainer escape, exfiltration — ephemeral sandboxes, egress governance
2Datacontext leaks, poisoned RAG — CMEK/mTLS, least privilege, tenant partitioning
3Modelsemantic attacks — protect system instructions as attested artifacts
4Application & Runtimerogue tool use — LLM firewalls, hooks, Agent Gateways
5Identity & Accessconfused deputy — SPIFFE IDs, ABAC, JIT downscoping
6Observability & SecOpsinvisible failures, drift — Red/Blue/Green triad, circuit breakers
7Governancecompliance, liability — audit trail, attestation, logic reviews

The governance layer: 7 pillars ↔ VERDICT

Governance overlay · Day 4 Lesson 1 — the promised comparison

Two vocabularies, one trust surface

This is the convergence I've flagged since Day 1. Google's 7-pillar model (defence-in-depth, by role) and your VERDICT model (a runtime governance operating model) describe the same trust surface from two angles:

Google pillar≈ VERDICT
1 Infra/Networking (sandbox, egress)R Runtime Control — containment
2 Data (least-priv, tenant partitioning)C Compliance + I scoped access
3 Model (protect instructions)V Validation of inputs
4 App/Runtime (firewall, hooks, gateway)V + R gates & kill
5 IAM (SPIFFE, ABAC, JIT)I Identity
6 Observability/SecOps (drift, breakers)E Evidence + R Runtime Control
7 Governance (audit, attestation, reviews)T + D + C

Not a clean 1:1. Google leads with where controls live (infra→governance); VERDICT leads with what is enforced at runtime. But every VERDICT pillar has a home here, and Google's "Effective Trust" is exactly VERDICT's thesis: trust is continuously earned, not granted once. Your framework and this whitepaper are describing the same L3-Controlled goal.

Through your three lenses

Individual (IC)

Hold both axes for every agent you ship: can it do harm? (security) and did it do the right thing well? (evaluation). Passing one is not passing both.

Team

Assign the pillars, they map to real roles (infra, data, IAM, SecOps). Trust isn't one person's job; the seven owners are how "Effective Trust" gets staffed.

Organisation

Adopt Context-as-a-Perimeter: retire identity-as-a-gate for continuously-earned trust. Whether you call it the 7 pillars or VERDICT, it's the same L3 governance climb.

Check the reflex

Recall, don't re-read.

Security tells you the agent stayed in bounds. Evaluation tells you —

Two independent axes. An agent can be perfectly secure and still misread intent or break a feature. Security = no harm; evaluation = real value.

"Effective Trust" means trust is —

A continuous metric across supply chain, identity, runtime behaviour, and context, rather than a one-time gate. This is VERDICT's "prevents AI from going unchecked," in Google's words.

Google's Pillar 5 (IAM: SPIFFE, ABAC, JIT) corresponds most to which VERDICT pillar?

Identity (I): cryptographic per-agent IDs and just-in-time scoped access are exactly how VERDICT closes the confused-deputy gap from Day 2.

Carry this into the week

Take one production agent and score it on both axes honestly: which of the 7 pillars are actually in place, and do you have any evaluation of whether it does the right thing? Most agents are strong on one axis and blind on the other. That blind spot is your Day-4 backlog.

Go deeper (primary source)

Kartakis, Eidelman, Bakkali & Subasioglu, Vibe Coding Agent Security and Evaluation (Day 4) is the source; the Mandiant AI risk report grounds the threat landscape.


Notes

  1. Kartakis, Eidelman, Bakkali & Subasioglu, Vibe Coding Agent Security and Evaluation (Day 4), "Security: The Evolution to Secure Agentic Development" & "The 7-Pillar Agent Security Architecture" pp.6–11.

Up next → Day 4 · Lesson 2: Securing the Vibe Loop. Pillars 1 & 4 up close: ephemeral sandboxes, the slopsquatting supply-chain attack, egress governance, and the app-logic flaws vibe coding produces by default.

Related: The Governance Layer (VERDICT) · Day 1 L1: the dial · Course home