How do I define trust boundaries and a data-flow diagram for a tool-using AI agent?

Defining trust boundaries and data-flow diagrams for a tool-using AI agent involves identifying the scope of systems, data, and identities affected by the agent, and mapping how data and capabilities flow through its operations. This process is critical for understanding and mitigating risks associated with AI agents, especially given their ability to operate across multiple applications and potentially propagate damage rapidly.

To define trust boundaries and data-flow diagrams for a tool-using AI agent, consider the following controls:

• Inventory and Context Mapping Maintain a current inventory of all AI/agent systems, including models, agents, tools, and data flows [5, NIST-MAP-1.5]. Document the intended purpose, deployment setting, and operating context of each AI system [5, NIST-MAP-1.1]. This includes identifying potential positive and negative impacts, data sensitivity, and regulated data exposure [5, NIST-MAP-5.1].
• Identity and Access Governance Every agent must have a clear identity defining its representation, delegated authority, and permitted scope of action. Track all identity relationships, including service accounts, API tokens, or inherited credentials, and detect when an agent's effective permissions exceed its intended scope. Continuously inventory agents across frameworks and platforms, mapping their tool and data access relationships, and surfacing over-permissioned agents as their access changes.
• Tool Mediation and Capability Control Ensure that every tool an agent can invoke is trustworthy, that the agent understands the tool's function, and that tool execution is monitored and constrained. This involves maintaining a trusted registry of tools, validating tool schemas, detecting changes in tool risk profiles, and preventing tool impersonation. Authority should be conveyed through unforgeable tokens that specify exactly what actions are permitted, ensuring that an agent cannot gain authority it did not start with.
• Context Governance Treat context (prompts, memory, retrieved knowledge) as a governed dependency, tracking its origin, validating its integrity, and embedding policy constraints into the context the agent reasons from. This proactive mitigation shapes agent behavior before unsafe actions occur.
• Behavioral Baselining and Anomaly Detection Establish a baseline of normal tool call patterns, data access scopes, and outbound traffic volumes for agents. Monitor agents over time to detect statistically significant deviations, which could indicate legitimate new instructions or prompt injection. Prioritize investigation for agents that combine access to private data, exposure to untrusted content, and the ability to communicate externally.
• Auditability and Logging Implement mechanisms to log decisions and trace AI behavior, providing a forensically complete, immutable audit trail of every AI agent action [1, 5, NIST-MEASURE-2.8]. This "AI Agent Flight Recorder" should map every API call, data movement, and identity event to the sensitive data touched and downstream systems affected, allowing for reconstruction of agent actions.