Risk Scoring Model
How ShieldAgent computes a 0–100 risk score per agent, what each tier means, and how enforcement decisions are made.
Overview
Every agent monitored by ShieldAgent has a continuous risk score between 0 and 100. The score is computed from security events, compliance gaps, integrity checks, and operational signals. Recent events contribute more to the score than older ones.
The score drives enforcement automatically: a Normal agent runs at full throughput; a Critical agent is blocked until a human releases it.
Risk Tiers
| Tier | Score | Enforcement |
|---|---|---|
| Normal | 0 – 59 | No restrictions. Full throughput. |
| Elevated | 60 – 79 | Reduced request rate. |
| High | 80 – 89 | Significantly rate-limited. Forced into monitoring mode. |
| Critical | 90 – 100 | Only lifecycle methods allowed. Manual release required. |
How Scoring Works
Risk scores combine signals across four categories: security events, compliance violations, integrity checks, and operational patterns. Each category is scored independently. Recent events contribute more than older ones, so a clean period naturally reduces the score without manual intervention.
What Drives the Score
Threat Signals
Detections like prompt injection attempts and data loss events raise the score. More severe threats have a greater impact.
Policy Violations
Repeated policy denials indicate an agent operating outside its intended boundaries.
Tool Integrity
Tool drift and supply-chain changes signal that the tools an agent relies on may have been tampered with.
Operational Patterns
Frequent human-in-the-loop triggers suggest an agent may be misconfigured or testing its boundaries.
Automatic Recovery
Risk scores naturally decrease over time as an agent operates cleanly. Recent events carry more weight than older ones, so a period of normal behavior brings the score back down without manual intervention.
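An illustrative model of the decay and tier behavior described above, added here as an example; it is not ShieldAgent's actual formula. The half-life, per-category caps and event weights are assumptions, and only the tier boundaries come from the Risk Tiers table on this page.

```python
from dataclasses import dataclass

# Assumptions for illustration: the page gives no weights, caps or decay rate.
HALF_LIFE_HOURS = 24.0
CATEGORY_CAP = {"threat": 40, "policy": 25, "integrity": 25, "operational": 10}
EVENT_WEIGHT = {  # kind -> (category, points at the moment of the event)
    "data_loss": ("threat", 30),
    "prompt_injection": ("threat", 20),
    "policy_denial": ("policy", 5),
    "tool_drift": ("integrity", 15),
    "hitl_trigger": ("operational", 3),
}
# Tier floors come from the Risk Tiers table on this page.
TIERS = [(90, "Critical"), (80, "High"), (60, "Elevated"), (0, "Normal")]

@dataclass(frozen=True)
class Event:
    kind: str
    hours_ago: float

def risk_score(events, hours_later=0.0):
    """Score each category independently, cap it, and sum to a 0-100 score."""
    totals = dict.fromkeys(CATEGORY_CAP, 0.0)
    for ev in events:
        category, points = EVENT_WEIGHT[ev.kind]
        age = ev.hours_ago + hours_later
        totals[category] += points * 0.5 ** (age / HALF_LIFE_HOURS)  # exponential decay
    return round(sum(min(totals[c], cap) for c, cap in CATEGORY_CAP.items()))

def tier(score):
    return next(name for floor, name in TIERS if score >= floor)

def recovery_curve(events, checkpoints):
    """Score and tier at each checkpoint (hours from now) with no new events."""
    return [(h, risk_score(events, h), tier(risk_score(events, h))) for h in checkpoints]

# Constructed sample: a burst of events that all happened just now.
BURST = (
    [Event("data_loss", 0), Event("prompt_injection", 0)]
    + [Event("policy_denial", 0)] * 4
    + [Event("tool_drift", 0)] * 2
    + [Event("hitl_trigger", 0)] * 2
)

if __name__ == "__main__":
    for hours, score, name in recovery_curve(BURST, [0, 6, 12, 24]):
        print(f"+{hours:>2}h  score={score:>3}  tier={name}")
```

The curve tracks the score only; an agent that reached Critical still needs the manual release the page describes.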
Viewing Risk Scores in the Dashboard
The dashboard is the primary way to monitor and act on agent risk:
1. Go to the Overview page. The top section shows agents sorted by risk tier with color-coded badges.
2. Click any agent to open its detail page. The Risk tab shows the current score, tier, trend graph, and contributing events.
3. For Critical-tier agents (score ≥ 90), a Release button appears. Click it to restore normal operation for 24 hours while you investigate.
4. Use the Agent Radar (topology view) with the Risk lens to see all agents color-coded by tier at a glance.