duncan n. ndegwa
The Design Layer and Your Security Stack: A Practical Integration Guide

The governance layer is well-built. The detection layer is well-funded. The design layer is the upstream question neither answers — and it is complementary to both.


The Stack, In Sequence

Every AI agent security architecture in 2026 has the same components. The underlying structure is consistent across vendor categories.

Discovery and visibility tools find what credentials and identities exist. Orchid Security's Identity Gap 2026 Snapshot — drawn from 1,000+ real enterprise deployments — found that 57% of enterprise identity is invisible and unmanaged. You cannot govern what you cannot see.

Governance and authorization tools define what agents are permitted to do with the credentials they hold. Eric Yehle framed the shift precisely in his June 2026 newsletters: the governance question has moved from "does this identity have access?" to "should this specific action execute right now, under this context, for this user, through this tool, against this data?"

Detection and monitoring tools — OWASP's 400+ Agent Threat Rules, Microsoft RAMPART, Salt Security Salt Code, CrowdStrike, SIEM platforms — tell you what the agent is doing and whether it deviates from what it should.

Response tools tell you what to do after something goes wrong.

Transport protocols — MCP, A2A, ARD — handle discovery, description, and channel authentication. The ARD spec, published June 17, is explicit: "ARD sits entirely before invocation."

And then there is the design layer: the question that sits upstream of every tool above. What does the credential look like before it enters the agent's execution context? Does a real, long-lived, full-scope credential need to exist there at all?


Why These Are Sequential, Not Competing

Every tool in the five layers above (discovery, governance, detection, response, transport) operates on a credential that already exists and is already real.

Discovery finds the real credential. Governance defines what the holder is authorized to do. Detection monitors what they actually do. Response acts when the real credential is misused. Transport secures the channel.

None of these layers ask the prior question. They all assume the credential exists. That assumption is structurally correct for how credentials work today — and it is structurally the reason the same attack pattern repeats across every layer.

Six months of intelligence from December 2025 to June 2026 produced the same root cause in every major incident. Moltbook: real Supabase API key in client-side JavaScript. LiteLLM: real developer credentials exfiltrated in 40 minutes. PocketOS: real Railway CLI token found by an agent never assigned to look for it. ServiceNow: real credentials in unauthenticated API responses. Fortinet: 74,000 real VPN credentials. Mastra: real maintainer credentials in a dormant account.

The credential was real. Every time. Every layer.

The design layer changes what those tools are protecting.


What Each Layer Gains

For discovery tools: the design layer creates a new inventory surface — the audit trail between what the agent holds and what it resolves to at execution. Discovery now has more to map, not less.

For governance and IAM platforms: 1Password named the direction in their April 2026 Unified Access roadmap — scoped credentials issued to agent workloads at runtime. The governance platform still manages authorization. The design layer changes what the agent holds when authorization fires.

For detection tools: the design layer does not reduce detection signal. It changes what a successful anomaly means. When RAMPART detects a prompt injection succeeded, the design layer determines what the injection had access to. Detection accuracy stays the same. Blast radius changes.

For zero trust architectures: never trust the execution context to protect a real credential — do not place one there. Always verify at the execution boundary. Scope the credential to the task. The design layer is the credential implementation of zero trust principles.


The Identiverse 2026 Evidence

Five independent analyst publications arrived in the week after Identiverse 2026. They named the same gap.

Forrester (June 25): "Defining, keeping track of, and abating these risks does not yet have a mature product solution." Also: "Delegation to a uniquely identified agent, and not impersonation, is the recommended design pattern."

GitGuardian (June 24): "Static, long-lived credentials are the attack surface that agents inherit and amplify. Rotation programs only defer the root cause."

The Cyber Hut (June 24): "The narrative around Agentic AI governance is still fragmented, with each player emphasizing their own piece of the puzzle."

Chris Hood, who attended in person: "Identiverse Has 100 Vendors Solving Agent Identity at the Wrong Layer."

The governance and visibility layers are being built well. The design layer was not on the agenda.


The Four Incident Patterns, Mapped

Here is the practical mapping across the four major patterns from the past six months.

A real credential in an exposed context — ServiceNow, Moltbook, PocketOS — is reached by an attacker or an agent not assigned to find it. Detection fires after the credential is used. Governance restricts what it can do. Design changes what is present when the context is reached.

A dormant credential not revoked when its purpose ended — Klue, Mastra, Fortinet — is found and used months later. Rotation replaces real credentials on a schedule. GitGuardian found 64% of credentials leaked in 2022 were still active in January 2026. Design means the dormant identifier resolves to nothing useful outside the original authorized context.

A supply chain compromise — LiteLLM, Mastra, JetBrains — reaches credentials in the build pipeline or developer environment. Detection catches anomalous behavior after the backdoor is live. Design means the extracted identifier has bounded scope at the execution boundary.

Prompt injection — CVE-2025-32711, OWASP's confirmed number-one unresolved risk — uses the credential the agent holds to execute the attacker's instruction. Detection tries to recognize the injection before the agent acts. Design means the credential invoked by the injection is scoped to the current task.


For the full five-step integration guide — how to apply the design layer at each point of your governance and detection stack, from discovery through audit trail — and the DevFortress service layer that operates at this upstream position: devfortress.net/blog/design-layer-integration-guide


Textbook: DevFortress Master Edition — devfortress.gumroad.com/l/master-edition
Platform: devfortress.net
SDK: npm install devfortress-sdk
Newsletter: devfortress.substack.com
GitHub open-core: github.com/duncan982/devfortress-core

DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973
