--- name: agent-risk-registry version: 2.0 framework: 智能体管理学 · 模块五 · 框架F32 type: 决策型 description: > 智能体风险登记系统——识别七类新型风险(提示注入/幻觉/数据泄露/多Agent级联/ 供应链/合规/主权),建立HITL/HOTL/HAL三层防御,维护风险注册表。触发词: 风险评估、安全、合规、提示注入、幻觉、数据泄露、风险治理 governance_nerves: [边界与升级, 智能体主权] upstream_frameworks: [F28_SLO运营体系, F31_Agent价值核算] downstream_frameworks: [F29_Agent绩效考核, F27_AgentOps成熟度评估] --- # F32 智能体风险登记系统 ## SKILL定位 **核心命题**:传统安全体系对Agent新型风险几乎无效。提示注入是当前最活跃的攻击面,幻觉是最高频的质量风险,多Agent级联是最难控制的系统性风险。需要全新的风险分类和防御体系。 **七类新型风险**: ``` 1. 提示注入 (Prompt Injection) ← 当前最活跃攻击面 2. 幻觉 (Hallucination) ← 最高频质量风险 3. 数据泄露 (Data Leakage) ← 最高业务影响 4. 多Agent级联 (Cascade Failure) ← 最难控制系统性风险 5. 供应链风险 (Supply Chain) ← 模型/API依赖风险 6. 合规风险 (Compliance) ← 监管不确定性 7. 主权风险 (Sovereignty) ← 数据/模型主权 ``` **三层防御体系**: ``` HITL (Human-In-The-Loop) ← 人类在决策回路中 HOTL (Human-On-The-Loop) ← 人类监控但不介入 HAL (Human-Above-The-Loop) ← 人类设定规则,系统自动执行 ``` --- ## 信息采集(INPUT模板) ```yaml risk_input: # 一、Agent基本信息 agent: name: "" type: "" data_access_level: "" # 数据访问级别(公开/内部/敏感/机密) autonomy_level: "" # 自主级别(低/中/高) human_oversight: "" # 人类监督模式(HITL/HOTL/HAL) external_dependencies: [] # 外部依赖列表 # 二、七类风险评估(每类:概率1-5 × 影响1-5) risk_assessment: prompt_injection: probability: 0 # 1-5 impact: 0 # 1-5 existing_controls: [] # 已有控制措施 residual_risk: 0 # 残余风险 hallucination: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 data_leakage: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 cascade_failure: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 supply_chain: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 compliance: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 sovereignty: probability: 0 impact: 0 existing_controls: [] residual_risk: 0 # 三、当前防御层 defense_layers: hitl: # Human-In-The-Loop enabled: false coverage: 0 # 覆盖的任务比例(%) response_time: 0 # 平均响应时间(分钟) hotl: # Human-On-The-Loop enabled: false monitoring_frequency: "" # 监控频率 alert_threshold: "" # 告警阈值 hal: # Human-Above-The-Loop enabled: false rules_defined: 0 # 已定义的规则数 auto_enforcement: false # 是否自动执行 ``` --- ## 执行分析引擎(S1-S4四步法) ### S1:风险识别与评分(Identify) **任务**:对七类风险进行概率×影响评估,计算风险等级。 **风险评分矩阵**: ```yaml risk_scoring: formula: "风险分 = 概率 × 影响" scoring_scale: probability: 1: "极低(<5%年化概率)" 2: "低(5-15%)" 3: "中(15-30%)" 4: "高(30-50%)" 5: "极高(>50%)" impact: 1: "可忽略(<1万元损失)" 2: "轻微(1-10万元)" 3: "中等(10-50万元)" 4: "严重(50-200万元)" 5: "灾难性(>200万元)" risk_results: prompt_injection: { prob: 4, impact: 4, score: 16, level: "极高" } hallucination: { prob: 5, impact: 3, score: 15, level: "高" } data_leakage: { prob: 2, impact: 5, score: 10, level: "高" } cascade_failure: { prob: 2, impact: 4, score: 8, level: "中" } supply_chain: { prob: 3, impact: 3, score: 9, level: "中" } compliance: { prob: 3, impact: 4, score: 12, level: "高" } sovereignty: { prob: 1, impact: 5, score: 5, level: "中" } risk_ranking: 1: "提示注入(16分)- 最活跃攻击面" 2: "幻觉(15分)- 最高频质量风险" 3: "合规风险(12分)- 监管不确定性" 4: "数据泄露(10分)- 最高业务影响" ``` ### S2:防御层设计(Defend) **任务**:为每类高风险设计三层防御措施(HITL/HOTL/HAL)。 **防御措施模板**: ```yaml defense_design: prompt_injection: hal: - "输入过滤器:检测已知注入模式" - "输出审核器:检查是否泄露系统提示" - "上下文隔离:用户输入与系统指令严格分离" hotl: - "异常检测:监控Agent输出偏离度" - "实时告警:注入尝试触发即时通知" hitl: - "高风险操作强制人类审批" - "定期人工红队测试" hallucination: hal: - "事实核查Agent:交叉验证关键信息" - "置信度过滤:低置信度输出标记为"不确定"" - "知识库锚定:强制引用来源" hotl: - "抽样审核:每日随机抽查5%输出" - "用户反馈追踪:监控"不准确"反馈" hitl: - "关键决策人类复核" - "领域专家定期校准" data_leakage: hal: - "数据分级:按敏感度限制Agent访问" - "输出脱敏:自动检测并遮蔽敏感信息" - "访问控制:最小权限原则" hotl: - "数据流向监控:追踪敏感数据使用" - "异常导出告警" hitl: - "敏感数据操作审批" - "数据使用审计" ``` ### S3:风险注册表维护(Register) **任务**:建立并维护结构化的风险注册表。 **风险注册表模板**: ```yaml risk_registry: agent: "XX客服Agent" last_updated: "2026-04-27" next_review: "2026-05-27" entries: - id: "RISK-001" category: "提示注入" description: "用户通过特殊输入操纵Agent行为" probability: 4 impact: 4 risk_score: 16 current_controls: ["输入过滤器", "上下文隔离"] residual_risk: 8 # 控制后残余风险 owner: "安全团队" status: "监控中" last_incident: "2026-03-15" mitigation_plan: "下季度升级过滤规则" - id: "RISK-002" category: "幻觉" description: "Agent生成虚假但看似可信的信息" probability: 5 impact: 3 risk_score: 15 current_controls: ["事实核查Agent", "置信度过滤"] residual_risk: 6 owner: "质量团队" status: "改善中" last_incident: "2026-04-10" mitigation_plan: "引入知识库锚定" - id: "RISK-003" category: "数据泄露" description: "Agent意外泄露敏感客户信息" probability: 2 impact: 5 risk_score: 10 current_controls: ["数据分级", "输出脱敏"] residual_risk: 4 owner: "数据团队" status: "已控制" last_incident: "无" mitigation_plan: "持续监控" ``` ### S4:治理与升级机制(Govern) **任务**:建立风险触发的治理和升级机制。 **升级矩阵**: ```yaml escalation_matrix: triggers: - condition: "残余风险≥12" action: "立即升级至高管" response_time: "1小时内" - condition: "发生实际安全事件" action: "启动应急响应流程" response_time: "立即" - condition: "残余风险8-11" action: "团队Lead知晓,制定缓解计划" response_time: "24小时内" - condition: "残余风险<8" action: "持续监控,定期审查" response_time: "下次审查周期" governance_review: frequency: "月度" participants: ["安全团队", "业务负责人", "Agent Manager"] agenda: - "审查风险注册表变更" - "评估新出现的风险类型" - "审查安全事件" - "更新防御措施" compliance_checklist: - "是否符合数据保护法规?" - "是否有完整的审计追踪?" - "人类介入机制是否满足监管要求?" - "模型供应商的安全认证是否有效?" ``` **治理神经检查**: - **边界与升级**:风险触发时,人类介入的边界和升级路径是否清晰? - **智能体主权**:Agent的自主权限是否与风险等级匹配? --- ## 输出格式 ```yaml risk_report: agent: "XX客服Agent" report_date: "2026-04-27" risk_summary: total_risks: 7 high_risks: 3 # 提示注入、幻觉、合规 medium_risks: 3 low_risks: 1 overall_risk_level: "高" top_3_risks: - "提示注入(16分)- 残余风险8分,需升级过滤规则" - "幻觉(15分)- 残余风险6分,改善中" - "合规风险(12分)- 残余风险7分,监管不确定性" defense_status: hal: "已部署3层自动防护" hotl: "监控覆盖60%任务" hitl: "高风险操作100%人工审批" action_priorities: - "P0:升级提示注入过滤规则(本月)" - "P1:引入知识库锚定降低幻觉(下月)" - "P2:合规风险评估与应对(本季度)" next_review: "2026-05-27" ``` --- ## 质量自检 - [ ] 七类风险是否全部评估? - [ ] 每类风险是否有概率×影响的量化评分? - [ ] 三层防御(HITL/HOTL/HAL)是否覆盖高风险? - [ ] 风险注册表是否结构化、可追踪? - [ ] 升级机制是否明确、可执行? --- ## 典型误区 1. **"传统安全就够了"**:传统防火墙/WAF对提示注入完全无效 2. **"幻觉是小问题"**:幻觉是最高频的风险,累积影响巨大 3. **"多Agent系统更安全"**:级联失败是多Agent系统特有的系统性风险 4. **"风险评估做一次就行"**:AI风险演化极快,需要月度审查 5. **"有HITL就万无一失"**:人类也有疲劳和盲区,需要多层防御 --- ## 框架衔接 | 方向 | 框架 | 衔接关系 | |------|------|----------| | ↑ 上游 | F28 SLO运营体系 | Error Budget超支可能触发风险升级 | | ↑ 上游 | F31 Agent价值核算 | 风险降低是四类价值之一 | | ↓ 下游 | F29 Agent绩效考核 | 安全事件影响绩效评分 | | → 并行 | F27 AgentOps成熟度评估 | M4跃迁需要风险治理能力 |