Observability and Attack Detection
Per-turn detection is necessary but insufficient. The attacks that actually compromise production agents — the multi-step injection (B2) and the zero-click HITL bypass chain (Microsoft Taxonomy) — are invisible to any system that inspects each turn independently. Each step looks benign; the compound intent is malicious. The unit of malicious intent is the session, not the turn. Detection must move to the session.
Per-turn detection is necessary but insufficient. The two highest-impact attack classes — the multi-step injection (B2) and the zero-click HITL bypass chain (Microsoft Taxonomy v2.0) — distribute malicious intent across individually-benign steps so that no single turn is malicious in isolation. A perfect per-turn detector passes every step. The unit of malicious intent is the session, not the turn; detection must raise its scope to the session. Per-turn stays (it catches the long tail of single-shot attacks); session-level is what makes chains detectable.
The zero-click HITL bypass chain is the Microsoft Taxonomy's critical finding, and it defeats per-step approval by construction. A single external input triggers a multi-step chain in which EVERY step passes its human approval gate (each step is individually defensible) yet the compound intent is malicious. The human is not bypassed in any single step — they are COMPOSED across steps. Per-step approval is the control being defeated. The defense requires a session-level model of intent (to evaluate the chain, not the step) AND batching (to make the compound intent visible to the human at approval time).
Session-level intent tracking is the detection counterpart to B2's session-level defense, and it must be built deterministic-backbone + constrained-LLM. A deterministic skeleton (updated only from trusted sources — user turns, system prompt) carries the resource scope and egress policy and is immune to indirect injection; a constrained LLM layer proposes semantic updates bounded to ≤0.2 of the drift score so it cannot single-handedly flip a decision. The three-outcome gate (ALLOW / REQUIRE_FRESH_APPROVAL / HARD_BLOCK) hard-blocks high-drift actions from untrusted sources — the move that catches the zero-click chain at its exfiltration step. Provenance is required at capture time: which input caused this action.
Approval freshness defends the human approver against the escalation-fatigue attack (DD-20 IronCurtain), and three controls must compose. Rate limits bound the volume attack (surplus auto-blocked, not auto-approved); batching makes the chain visible at approval time (the direct counter to per-step composition); freshness windows defeat approval harvesting and harvest-and-replay. None alone is sufficient. Anomaly detection on the action stream (frequency, tool distribution, parameters, sequences) catches the novel attack you did not write a rule for, and consumes B7's sidecar signals correlated on timestamp.