ASCEND 13-Layer Security Architecture Executive Summary
ASCEND implements a defense-in-depth security model with 12 distinct security layers. Every layer is designed with FAIL SECURE behavior, meaning any error condition defaults to DENY . This architecture ensures that even if multiple layers fail, remaining layers continue to protect the system.
Fail-Secure Architecture Guarantee
Every security layer in ASCEND defaults to DENY on any error, unavailability, or unexpected state. There is no execution path that bypasses any layer or defaults to allow on failure.
Key Security Properties
All layers fail secure - Default to DENY on any errorDefense in depth - Each layer operates independentlyZero trust - Every request verified at multiple checkpointsImmutable audit trail - All decisions logged with hash-chainingMulti-tenant isolation - Complete data segregation between organizations
Architecture Overview
ASCEND 13-LAYER SECURITY ARCHITECTURE ══════════════════════════════════════ ┌─────────────────────────────────────────────────────────────────────────────┐ │ INCOMING REQUEST │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 1: RATE LIMITING [FAIL → DENY] │ │ Redis-backed sliding window • Per-org/agent/endpoint limits │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 2: PROMPT SECURITY [FAIL → BLOCK] │ │ 20 detection patterns • Injection/jailbreak/encoding attacks │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 3: CODE ANALYSIS [FAIL → BLOCK] │ │ 20 patterns • CWE mappings • Secrets detection │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 4: ACTION GOVERNANCE [FAIL → DENY] │ │ 7-step pipeline • CVSS v3.1 scoring • Policy evaluation │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 5: AUTHENTICATION [FAIL → DENY] │ │ JWT (RS256) • API Keys • AWS Cognito MFA │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 6: AUTHORIZATION (RBAC) [FAIL → DENY] │ │ 6-level role hierarchy • Separation of Duties │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 7: MULTI-TENANT ISOLATION [FAIL → DENY] │ │ PostgreSQL RLS • Per-org Cognito pools • organization_id enforcement │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 8: APPROVAL WORKFLOWS [FAIL → BLOCK] │ │ Multi-stage approval • SLA tracking • Risk-based escalation │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 9: KILL SWITCH [FAIL → BLOCK] │ │ Circuit breaker • Sub-100ms termination • SNS/SQS messaging │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 10: AUDIT TRAIL [FAIL → BLOCK] │ │ WORM design • SHA-256 hash-chaining • 7-year retention │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 11: BYOK ENCRYPTION [FAIL → BLOCK] │ │ Envelope encryption • AWS KMS • Customer-managed keys │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ LAYER 12: INPUT VALIDATION [FAIL → REJECT] │ │ Pydantic schemas • Type enforcement • Sanitization │ └─────────────────────────────────────┬───────────────────────────────────────┘ │ PASS ┌─────────────────────────────────────▼───────────────────────────────────────┐ │ BUSINESS LOGIC │ └─────────────────────────────────────────────────────────────────────────────┘ Layer 1: Rate Limiting
Purpose: DDoS protection, abuse prevention, resource management
Implementation
Aspect Details Technology Redis-backed with ElastiCache Algorithm Sliding window (O(log N) Redis sorted sets) Granularity Per-organization, per-agent, per-endpoint
Code Locations
Component File Path IP-based limiter security/rate_limiter.pyAgent-based limiter services/agent_rate_limiter.pyData models models_rate_limits.pyMigration alembic/versions/20251218_behav001_rate_limits.py
Configuration
RATE_LIMITS = { "auth_login" : "5/minute" , "auth_refresh" : "10/minute" , "auth_password_change" : "3/minute" , "api_read" : "100/minute" , "api_write" : "30/minute" , "default" : "60/minute" } agent_actions_per_minute : 100 agent_actions_per_hour : 5000 priority_tiers = { "standard" : 1.0 , "elevated" : 2.0 , "critical" : 5.0 } FAIL SECURE Behavior
if self . redis is None : logger . error ( "BEHAV-001: Redis unavailable, DENYING action (fail-closed)" ) return RateLimitResult ( allowed = False , reason = "Rate limiting service unavailable" , retry_after = 60 ) Test Evidence
tests/e2e/test_05_rate_limiting.py - Rate limiting behavior verificationtests/e2e/test_21_fail_secure.py - Fail-secure layer verification
Compliance Mapping
Framework Control NIST 800-53 SC-5 (Denial of Service Protection) PCI-DSS 6.5.10 SOC 2 A1.1 (Availability)
Layer 2: Prompt Security
Purpose: Detect and block prompt injection attacks against AI agents
Implementation
Aspect Details Patterns 20 global detection patterns Categories Injection, jailbreak, encoding, role manipulation, data exfiltration Architecture Database-driven (no hardcoded values)
Code Locations
Component File Path Detection service services/prompt_security_service.pyData models models_prompt_security.pyPattern seed alembic/versions/20251218_phase10_002_seed_prompt_patterns.pyRoutes routes/prompt_security_routes.py
Detection Patterns
Pattern ID Category Severity Description PROMPT-001 prompt_injection CRITICAL Direct instruction override ("ignore previous instructions") PROMPT-002 prompt_injection CRITICAL New instruction injection ("from now on") PROMPT-004 jailbreak CRITICAL Known jailbreak modes (DAN, STAN) PROMPT-008 role_manipulation CRITICAL Evil AI roleplay attempts PROMPT-011 encoding_attack HIGH Base64 encoded payloads PROMPT-012 encoding_attack HIGH Unicode smuggling PROMPT-016 prompt_injection CRITICAL Fake system/admin tags PROMPT-018 data_exfiltration CRITICAL System prompt extraction PROMPT-020 chain_attack CRITICAL LLM chain injection
FAIL SECURE Behavior
if mode == "enforce" and risk_score >= block_threshold : return PromptAnalysisResult ( blocked = True , reason = f"Blocked: { pattern . description } " , risk_score = risk_score ) Test Evidence
tests/e2e/test_06_prompt_security.py - Detection verificationtests/validation/test_prompt_injection.py - Attack payload testing
Compliance Mapping
Framework Control MITRE ATT&CK T1059 (Command and Scripting Interpreter) CWE CWE-77, CWE-94 (Code Injection) OWASP LLM LLM01 (Prompt Injection)
Layer 3: Code Analysis
Purpose: Detect dangerous code patterns before execution
Implementation
Aspect Details Patterns 20 detection patterns Languages SQL, Python, Shell, JavaScript CWE Coverage 16 unique CWE identifiers
Code Locations
Component File Path Analysis service services/code_analysis_service.pyPattern seed alembic/versions/20251217_phase9_002_seed_global_patterns.pySecurity mappings security_mappings.py
Detection Patterns
Pattern ID Category Severity CWE SQL-001 data_destruction CRITICAL CWE-89, CWE-1321 SQL-006 injection CRITICAL CWE-89, CWE-943 PY-001 code_execution CRITICAL CWE-94, CWE-95 PY-002 code_execution CRITICAL CWE-78, CWE-77 PY-005 sandbox_escape CRITICAL CWE-94 SH-001 data_destruction CRITICAL CWE-73 SH-002 code_execution CRITICAL CWE-94, CWE-829 CRED-001 credential_exposure CRITICAL CWE-798, CWE-259
FAIL SECURE Behavior
if max_risk_score >= effective_threshold : return CodeAnalysisResult ( blocked = True , reason = "Critical code pattern detected" ) Test Evidence
tests/e2e/test_07_code_analysis.py - Pattern detection verification
Compliance Mapping
Framework Control NIST 800-53 SI-10 (Information Input Validation) PCI-DSS 6.5.1 (Injection Flaws) OWASP A03:2021 (Injection)
Layer 4: Action Governance
Purpose: Risk-based decision making for AI agent actions
Implementation
Aspect Details Pipeline 7-step governance pipeline Risk Framework CVSS v3.1 with 50+ action type mappings Decisions ALLOW, DENY, REQUIRE_APPROVAL
Code Locations
Component File Path Action routes routes/actions_v1_routes.pyPolicy evaluation services/unified_policy_evaluation_service.pyCVSS mapping services/cvss_auto_mapper.pyRisk assessment services/enterprise_risk_calculator_v2.py
7-Step Governance Pipeline
1. ENRICHMENT → Add context and detect patterns 2. CVSS CALCULATION → Risk score (0.0-10.0) 3. POLICY EVALUATION → ALLOW/DENY/REQUIRE_APPROVAL 4. SMART RULES → Custom rule evaluation 5. ALERT GENERATION → Create alerts for high-risk actions 6. WORKFLOW ROUTING → Route to approval workflows 7. AUDIT LOGGING → Immutable audit trail Risk Categories
Risk Level CVSS Range Example Actions LOW 0.0-3.9 Read operations, analytics queries MEDIUM 4.0-6.9 Database writes, file writes HIGH 7.0-8.9 Delete operations, data export CRITICAL 9.0-10.0 Privilege escalation, code execution
FAIL SECURE Behavior
except Exception as e : logger . error ( f"Failed to evaluate action: { e } " ) return { 'decision' : 'DENY' , 'status' : 'FAILED' , 'risk_score' : 100 , 'risk_level' : 'CRITICAL' , 'reason' : f'Governance evaluation failed: { str ( e ) } ' } logger . warning ( f"Unknown action type ' { action_type } ' - defaulting to HIGH risk" ) return "unknown_action" Test Evidence
tests/e2e/test_04_action_evaluation.py - Governance pipeline verification
Compliance Mapping
Framework Control NIST AI RMF GOVERN, MAP, MEASURE, MANAGE SOC 2 CC6.1 (Access Control) ISO 27001 A.9 (Access Control)
Layer 5: Authentication
Purpose: Verify identity of users and agents
Implementation
Aspect Details Methods JWT (RS256), API Keys, AWS Cognito Token Lifetime 60 minutes (access), 30 days (refresh) MFA Supported via Cognito
Code Locations
Component File Path JWT manager jwt_manager.pyCognito integration dependencies_cognito.pyAPI key validation dependencies_api_keys.pyMulti-pool validator services/multi_pool_jwt_validator.py
Authentication Flow
1 . Extract token from Authorization header or cookie 2 . Validate JWT signature ( RS256 ) 3 . Verify claims ( iss, aud, exp, nbf ) 4 . Check token revocation status 5 . Set RLS context with organization_id 6 . Return authenticated user context Security Features
Feature Implementation Algorithm RS256 (asymmetric) Key storage AWS Secrets Manager API key hashing SHA-256 + salt Timing attacks Constant-time comparison Brute force 5 attempts/15 min (IP), 10/15 min (email)
FAIL SECURE Behavior
if not self . private_key or not self . public_key : if environment == "production" : raise ValueError ( "JWT keys not configured in production!" ) options = { "verify_signature" : True , "verify_exp" : True , "require_exp" : True , "verify_aud" : True , } Test Evidence
tests/e2e/test_01_authentication.py - Authentication verification
Compliance Mapping
Framework Control NIST 800-53 IA-2 (Identification and Authentication) NIST 800-63B Authentication Assurance PCI-DSS 8.1, 8.2 (User Identification)
Layer 6: Authorization (RBAC)
Purpose: Enforce role-based access control
Implementation
Aspect Details Hierarchy 6-level role system Scopes Platform tier + Tenant tier SoD Separation of Duties enforcement
Code Locations
Component File Path RBAC manager rbac_manager.pyPermission service services/permission_service.pyRBAC dependencies dependencies_rbac.py
Role Hierarchy
Level Role Permissions 5 EXECUTIVE All + emergency override 4 ADMIN Full access except override 3 MANAGER Approval (low/medium risk) 2 POWER Analytics + acknowledgement 1 BASIC Dashboard view 0 RESTRICTED None (suspended)
Tenant Roles
Role Access Level Owner Full organization access Admin Full (no billing) Approver Approval workflows Operator Create/manage resources Viewer Read-only
FAIL SECURE Behavior
async def has_permission ( . . . ) : try : except Exception as e : logger . error ( f"Permission check error: { e } " ) return False Test Evidence
tests/e2e/test_02_authorization.py - RBAC verification
Compliance Mapping
Framework Control NIST 800-53 AC-2, AC-3, AC-5 SOC 2 CC6.2, CC6.3 PCI-DSS 7.1 (Access Control)
Layer 7: Multi-Tenant Isolation
Purpose: Ensure complete data segregation between organizations
Implementation
Aspect Details Database PostgreSQL Row-Level Security (RLS) Authentication Per-organization Cognito user pools Enforcement organization_id on all tenant tables
Code Locations
Component File Path RLS activation dependencies.pyTenant context services/unified_auth/tenant_context.pyRLS migration alembic/versions/20251205_sec082_multi_tenant_isolation.pyAuth lookup alembic/versions/20251209_sec_rls_002_auth_lookup_function.py
Isolation Mechanisms
Layer Implementation Database RLS policies, organization_id FK Application TenantContext (frozen dataclass) API All endpoints scoped to organization Authentication Per-org Cognito pools Encryption Per-org BYOK keys
RLS Activation
def get_db_with_rls ( current_user : dict ) - > Session : """SEC-082: Activate Row-Level Security context""" db . execute ( text ( "SET LOCAL app.current_organization_id = :org_id" ) , { "org_id" : str ( org_id ) } ) FAIL SECURE Behavior
@dataclass ( frozen = True ) class TenantContext : org_id : UUID tenant_id : str user_id : UUID Test Evidence
tests/e2e/test_18_multi_tenant.py - Isolation verification
Compliance Mapping
Framework Control NIST 800-53 AC-4 (Information Flow Enforcement) SOC 2 CC6.1, CC6.3 PCI-DSS 7.1
Layer 8: Approval Workflows
Purpose: Human-in-the-loop for high-risk actions
Implementation
Aspect Details Stages Multi-stage with SLA tracking Escalation Automatic backup assignment Levels 5 approval levels based on risk
Code Locations
Component File Path Workflow service services/workflow_approver_service.pyApproval routes routes/approval_routes.py
Approval Levels
Level Risk Range Approver SLA 1 0-30 No approval - 2 30-50 Peer review 10 min 3 50-70 Department head 15 min 4 70-80 Senior management 30 min 5 80+ Executive 60 min
FAIL SECURE Behavior
Missing approver → DENY
Expired SLA → Escalate to backup
Invalid workflow → DENY
Test Evidence
tests/e2e/test_09_approval_workflows.py - Workflow verification
Compliance Mapping
Framework Control NIST 800-53 AC-3 (Access Enforcement) SOC 2 CC5.2
Layer 9: Kill Switch
Purpose: Emergency termination of AI agent activity
Implementation
Aspect Details Pattern Circuit breaker state machine Latency Sub-100ms termination Messaging SNS/SQS infrastructure
Code Locations
Component File Path Circuit breaker services/circuit_breaker_service.pyKill switch routes routes/kill_switch_routes.py
State Machine
CLOSED (healthy) ─failure_threshold─→ OPEN (blocked) ↑ │ │ timeout │ │ └─────── recovery ─────────── HALF_OPEN (testing) failure│ ↓ OPEN (blocked) Capabilities
Feature Details Block individual agent Immediate effect Block all org agents Organization-wide Manual override Force open/close with audit Propagation SNS/SQS messaging
FAIL SECURE Behavior
if state == CircuitState . OPEN : return CircuitResult ( allowed = False , reason = "Circuit breaker OPEN" ) Test Evidence
tests/e2e/test_12_kill_switch.py - Kill switch verification
Compliance Mapping
Framework Control NIST 800-53 IR-4 (Incident Handling) SOC 2 CC7.3 (Incident Response) NIST AI RMF MANAGE
Layer 10: Audit Trail
Purpose: Immutable logging for compliance and forensics
Implementation
Aspect Details Design WORM (Write-Once-Read-Many) Integrity SHA-256 hash-chaining Retention 7 years (configurable per framework)
Code Locations
Component File Path Audit service services/immutable_audit_service.pyAudit models models_audit.pyAudit routes routes/audit_routes.py
Hash-Chaining
Log Entry N: content_hash = SHA-256(event_content) previous_hash = Log Entry N-1.chain_hash chain_hash = SHA-256(content_hash + previous_hash) Retention Periods
Framework Retention SOX 7 years HIPAA 6 years PCI-DSS 1 year GDPR 6 years CCPA 3 years
FAIL SECURE Behavior
try : await audit_service . log_event ( event ) except Exception : raise HTTPException ( status_code = 500 , detail = "Audit logging failed" ) Test Evidence
tests/e2e/test_17_audit_trail.py - Audit verification
Compliance Mapping
Framework Control NIST 800-53 AU-2, AU-3, AU-9 PCI-DSS 10.1, 10.2, 10.3, 10.5 HIPAA 164.312(b) SOC 2 CC7.2
Layer 11: BYOK Encryption
Purpose: Customer-controlled encryption keys
Implementation
Aspect Details Pattern Envelope encryption KMS AWS KMS integration Algorithm AES-256-GCM
Code Locations
Component File Path BYOK service services/encryption/byok_service.pyBYOK routes routes/byok_routes.pyBYOK health services/encryption/byok_health.pyExceptions services/encryption/byok_exceptions.py
Envelope Encryption
Customer's CMK ( AWS KMS Account ) ↓ Encrypts DEK ( Data Encryption Key ) ↓ DEK encrypts actual data ( AES-256-GCM ) ↓ If customer revokes CMK → Data becomes unreadable ( by design ) Features
Feature Details Customer-managed keys Full customer control Key rotation Automatic detection (BYOK-011) Health monitoring 15-minute validation cycles Encryption context Per-tenant binding
FAIL SECURE Behavior
if byok_config [ "status" ] != "active" : raise DataAccessBlocked ( f"Encryption key is not active (status: { byok_config [ 'status' ] } )" ) except KeyAccessDenied : raise KeyAccessDenied ( f"Encryption key access revoked" ) Test Evidence
tests/e2e/test_13_byok_encryption.py - BYOK verification
Compliance Mapping
Framework Control NIST 800-53 SC-12, SC-13 PCI-DSS 3.5, 3.6 HIPAA 164.312(a)(2)(iv) FedRAMP SC-12, SC-13
Purpose: Ensure data integrity and prevent malformed input
Implementation
Aspect Details Framework Pydantic v2 Validation Type, format, size, content Sanitization HTML, SQL, command injection
Code Locations
Component File Path Request schemas schemas/*.pyValidation middleware (integrated in FastAPI)
Validation Types
Type Description Type enforcement Strong typing via Pydantic Required fields Non-nullable validation Format validation Email, UUID, URL, etc. Size limits Max length, max items Pattern matching Regex validation Sanitization XSS, injection prevention
FAIL SECURE Behavior
class ActionRequest ( BaseModel ) : action_type : str = Field ( . . . , min_length = 1 , max_length = 100 ) agent_id : UUID @field_validator ( "action_type" ) def validate_action_type ( cls , v ) : if not v or not v . strip ( ) : raise ValueError ( "action_type cannot be empty" ) return v . strip ( ) Test Evidence
Covered across all test suites via Pydantic validation
Compliance Mapping
Framework Control NIST 800-53 SI-10 CWE CWE-20 (Improper Input Validation) OWASP A03:2021 (Injection)
Layer 13: MCP Governance
Purpose: Govern AI agent tool calls through Model Context Protocol (MCP) servers
If MCP governance evaluation fails, the tool call is DENIED. The Cedar enforcement engine defaults to deny on any error. Failed evaluations are logged to the immutable audit trail.
Implementation
Aspect Details Service MCPGovernanceServiceEnforcement Cedar policy engine Scope All MCP server tool calls Risk scoring Same hybrid algorithm as Layer 4
Code Locations
Component File Path Governance service services/mcp_governance_service.pyData models models_mcp_governance.pyPolicy integration policy_engine.py
How It Works
MCP server registers tools with ASCEND
Agent calls a tool via MCP protocol
ASCEND intercepts the call before execution
Cedar enforcement engine evaluates policies
Risk score calculated using the same Environment/Data/CVSS/Context formula
Decision: APPROVE, DENY, or ESCALATE to human reviewer
Full audit trail recorded via ImmutableAuditService
Compliance Mapping
Framework Control SOC 2 CC6.1, CC7.1 HIPAA 164.312(a)(1) NIST 800-53 AC-3 (Access Enforcement)
Defense-in-Depth Verification
Each layer operates independently. Failure of one layer does not compromise others:
Failure Scenario Layers Still Protecting Redis down Layers 2-13 (Layer 1 fails secure) Auth bypass attempt Layers 1, 6-13 Injection attack Layers 1, 4-13 Code execution attempt Layers 1-2, 4-13 Tenant escape attempt Layers 1-6, 8-13 Key compromise Layers 1-10, 12-13 MCP tool call Layers 1-12 + Layer 13
Test Coverage Summary
Layer Test Suite Tests Pass Rate 1 test_05_rate_limiting 15 100% 2 test_06_prompt_security 30 100% 3 test_07_code_analysis 20 100% 4 test_04_action_evaluation 23 100% 5 test_01_authentication 16 100% 6 test_02_authorization 21 100% 7 test_18_multi_tenant 29 100% 8 test_09_approval_workflows 18 100% 9 test_12_kill_switch 32 100% 10 test_17_audit_trail 28 100% 11 test_13_byok_encryption 12 100% 12 (integrated) - 100% 13 test_15_mcp_governance 18 100% TOTAL test_21_fail_secure 36 100%
Compliance Framework Summary
Framework Layers Covered SOC 2 Type II All 13 layers PCI-DSS v4.0 Layers 1, 3, 5-7, 10-13 HIPAA Layers 5-7, 10-11 FedRAMP Layers 1, 5-7, 10-11 NIST 800-53 All 13 layers NIST AI RMF Layers 2-4, 8-10 OWASP LLM Top 10 Layers 2-3
Document ID: ASCEND-SECURITY-ARCH-2024-001
Classification: Enterprise Confidential