Risk Scoring Model
How ShieldAgent computes a 0–100 risk score per agent, what each tier means, and how enforcement decisions are made.
Overview
Every agent monitored by ShieldAgent has a continuous risk score between 0 and 100. The score is computed from security events, compliance gaps, integrity checks, and operational signals. Recent events contribute more to the score than older ones.
The score drives enforcement automatically: a Normal agent runs at full throughput; a Critical agent is blocked until a human releases it.
Risk Tiers
| Tier | Score | Enforcement |
|---|---|---|
| Normal | 0 – 59 | No restrictions. Full throughput. |
| Elevated | 60 – 79 | Reduced request rate. |
| High | 80 – 89 | Significantly rate-limited. Forced into monitoring mode. |
| Critical | 90 – 100 | Only lifecycle methods allowed. Manual release required. |
How Scoring Works
Risk scores combine signals across four categories: security events, compliance violations, integrity checks, and operational patterns. Each category is scored independently. Recent events contribute more than older ones, so a clean period naturally reduces the score without manual intervention.
Score Components
Security Score
Measures active threat signals — injection attempts and data loss events.
Compliance Score
Measures policy violation patterns over recent activity.
Integrity Score
Measures tool supply-chain integrity: schema drift and tool poisoning events.
Operational Score
Measures human-in-the-loop review rate as a behavioural risk signal.
Score Recency
Scores are weighted by recency — recent events contribute more than older ones. A period of clean behaviour naturally lowers the score without manual intervention.
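The tier boundaries and the recency weighting described above, worked through as an added Python example that is not ShieldAgent's own code. The tier floors and enforcement text come from the Risk Tiers table; the category weights, the 24-hour half-life, the capped sum of decayed severities and the sample events are assumptions chosen for illustration.

```python
# Tier floors and enforcement text come from the Risk Tiers table on this page.
TIERS = [
    (90, "Critical", "Only lifecycle methods allowed. Manual release required."),
    (80, "High", "Significantly rate-limited. Forced into monitoring mode."),
    (60, "Elevated", "Reduced request rate."),
    (0, "Normal", "No restrictions. Full throughput."),
]

# ASSUMPTIONS (not published by ShieldAgent): category weights, a 24-hour
# half-life, and summing decayed event severities with a cap of 100.
WEIGHTS = {"security": 0.4, "compliance": 0.2, "integrity": 0.3, "operational": 0.1}
HALF_LIFE_HOURS = 24.0


def category_score(events, now):
    """events: (hour, severity 0-100) pairs. Older events count for less."""
    decayed = sum(sev * 0.5 ** ((now - t) / HALF_LIFE_HOURS)
                  for t, sev in events if t <= now)
    return min(100.0, decayed)


def risk_score(events_by_category, now):
    """Weighted sum of the four independently scored categories, 0-100."""
    total = sum(w * category_score(events_by_category.get(cat, []), now)
                for cat, w in WEIGHTS.items())
    return round(min(100.0, total), 1)


def tier_for(score):
    """Return (tier, enforcement); a fractional score takes the highest floor reached."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, name, enforcement in TIERS:
        if score >= floor:
            return name, enforcement


# Constructed sample: a burst of events at hour 0, then a clean period.
SAMPLE = {
    "security": [(0, 60), (0, 40)],     # injection attempt, data loss event
    "compliance": [(0, 100)],           # policy violation pattern
    "integrity": [(0, 70), (0, 30)],    # schema drift, tool poisoning
    "operational": [(0, 50)],           # human-in-the-loop review rate signal
}

if __name__ == "__main__":
    for hour in (0, 3, 8, 24):
        score = risk_score(SAMPLE, hour)
        print(f"t+{hour:>2}h score={score:5.1f} tier={tier_for(score)[0]}")
```

With no new events after hour 0, the sample agent moves from Critical through High and Elevated to Normal as the old events decay.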