Towards Security-Auditable LLM Agents: A Unified Graph Representation
Authors: Chaofan Li, Lyuye Zhang, Jintao Zhai et al.
Summary
The authors propose Agent-BOM, a unified graph representation for auditing LLM-based agentic systems that separates static capability bases (models, tools, long-term memory) from dynamic runtime semantic states (goals, reasoning, actions). This bridges the semantic gap between low-level execution logs and high-level agent intent, enabling path-level security auditing—they demonstrate it can reconstruct stealthy attack chains like cross-session memory poisoning and multi-agent hijacking that traditional logging misses.
Main takeaways:
- Agentic systems create a "semantic gap": low-level logs don't capture cognitive state evolution, capability bindings, or cascading risks across interacting agents.
- Agent-BOM models the system as a hierarchical directed graph with static layers (capabilities) and dynamic layers (runtime states) connected by semantic edges and security attributes.
- Transforms fragmented execution traces into queryable audit paths for graph-based risk assessment.
- Implemented as a plugin in the OpenClaw environment; evaluation on real attack scenarios shows it can trace cross-session memory poisoning, supply-chain hijacking, and privilege abuse.
- Enables reconstruction of attack chains that span multiple sessions and agents, which isolated logs cannot reveal.
Relevance
Potentially relevant to my work on conditional behavior and persona state. The separation of static capabilities from dynamic runtime states parallels my distinction between base model capabilities and installed personas/behaviors. Their framework for tracking state evolution across contexts might inform how I think about persona persistence and leakage across different prompting contexts—though they focus on security auditing rather than behavioral characterization.
Abstract
arXiv:2605.06812v1 Announce Type: new Abstract: LLM-based agentic systems are rapidly evolving to perform complex autonomous tasks through dynamic tool invocation, stateful memory management, and multi-agent collaboration. However, this semantics-driven execution paradigm creates a severe semantic gap between low-level physical events and high-level execution intent, making post-hoc security auditing fundamentally difficult. Existing representation mechanisms, including static SBOMs and runtime logs, provide only fragmented evidence and fail to capture cognitive-state evolution, capability bindings, persistent memory contamination, and cascading risk propagation across interacting agents. To bridge this gap, we propose Agent-BOM, a unified structural representation for agent security auditing. Agent-BOM models an agentic system as a hierarchical attributed directed graph that separates static capability bases, such as models, tools, and long-term memory, from dynamic runtime semantic states, such as goals, reasoning trajectories, and actions. These layers are connected through semantic edges and security attributes, transforming fragmented execution traces into queryable audit paths. Building on Agent-BOM, we develop a graph-query-based paradigm for path-level risk assessment and instantiate it with the OWASP Agentic Top 10. We further implement an auditing plugin in the OpenClaw environment to construct Agent-BOM from live executions. Evaluation on representative real-world agentic attack scenarios shows that Agent-BOM can reconstruct stealthy attack chains, including cross-session memory poisoning and tool misuse, capability supply-chain hijacking and unexpected code execution, multi-agent ecosystem hijacking, and privilege and trust abuse. These results demonstrate that Agent-BOM provides a unified and auditable foundation for root-cause analysis and security adjudication in complex agentic ecosystems.