Primer

Principles

Helmwart's mitigation catalogue isn't a flat list. Three foundational security principles organise it: defence-in-depth, zero-trust, and least-privilege. Every mitigation in the catalogue is an application of at least one of these. The principles are older than agentic AI; the agentic application is what makes them hard, and what this primer is about.

The three principles

principle 1 · DiD DEFENCE-IN-DEPTH

Many layers, no single chokepoint

"the deliberate layering of multiple safeguards so that the failure of any single safeguard does not compromise the system" (NIST SP 800-160 v1r1 §3.3)

Helmwart maps this to: the cluster of mitigations that defends the same threat at different layers. For T1 Memory Poisoning alone, four independent controls apply: memory content validation at the write boundary, vector-store ACLs at retrieval, memory anomaly detection at runtime, and output provenance at attribution. Any one of them can fail and the others still catch the attack.

principle 2 · ZT ZERO-TRUST

No implicit trust between layers

"no implicit trust is granted to assets or user accounts based solely on their physical or network location" (NIST SP 800-207 §2)

Helmwart maps this to: the cluster that gives every agent identity a cryptographic anchor and verifies every action at run time. That cluster includes SPIFFE workload identity for the cryptographic principal, short-lived agent tokens for the credential layer, message signing for per-message auth, policy-bound autonomy for run-time decisions, and RBAC + ABAC for the underlying access-control model. Every agent acts under a verifiable identity; nothing is trusted because of where it lives in the network.

principle 3 · LP LEAST-PRIVILEGE

Each actor has just enough to do its job

"the principle that a security architecture is designed so that each entity is granted the minimum system resources and authorisations the entity needs to perform its function" (NIST SP 800-53 Rev 5 AC-6; see also OWASP AI Exchange #LEAST MODEL PRIVILEGE)

Helmwart maps this to: the cluster that bounds what each agent can do, even with valid credentials. The controls here are tool scope restrictions for capability bounds, just-in-time tool grants issued only when needed, time-bound privilege elevation for the elevated-window expiry, and at the identity layer again RBAC + ABAC and short-lived tokens. The blast radius of any compromise stays bounded.

Why these three, together

Each principle is necessary; none is sufficient on its own. The composition matters:

DiD without ZT degrades to redundancy on top of a wide-open default. If layers trust each other implicitly, a single layer's compromise pivots straight through. Many layers, all behind the same shared assumption, is still one effective layer.
ZT without least-privilege degrades to fine-grained policy with wide-blast-radius actors. Every action is authenticated and authorised, but to a principal that holds enterprise-wide write. The policy decisions get correct answers to a question the architecture never should have asked.
Least-privilege without DiD degrades to brittle single-control chokepoints. The scope is tight, the policy is correct, the one gate that enforces it is the entire defence. When that gate misfires (and it will, eventually), nothing catches it.
DiD + ZT + LP: many layers, no implicit trust between them, each actor scoped tightly. The catalogue's strongest threat clusters all look like this.

How Helmwart surfaces these

The principles don't render as graph badges. They render as the shape of the recommendation when you read the rest of the site:

Every threat detail page recommends mitigations from multiple layers. That's DiD by construction.
Every mitigation page lists "Pair with" cross-references that name the principle being composed: identity (ZT) + scope (LP) + monitoring (DiD).
The Lethal Trifecta primer is the canonical worked example of DiD failing because one of three legs lost its layer.
The six OWASP Mitigation Playbooks P1–P6 each have Proactive / Reactive / Detective phases. DiD is baked into the playbook structure.

First three things to do per principle

Defence-in-depth: for every high-severity threat in your topology, count the independent layers that defend it. Where only one control exists, add an appropriate second enforcement or detection layer.
Zero-trust: for agents crossing trust boundaries or handling privileged actions, use workload identity (SPIFFE), short-lived credentials (short-lived tokens), and authenticated inter-agent messages (message signing).
Least-privilege: scope every tool to its task class (tool scope); grant access just-in-time (JIT tool grants); expire elevations on a clock (time-bound privilege).

Canvas reference

The Helmwart canvas detects Zero Trust violations and Defence-in-Depth gaps on your diagram automatically. Switch to the Principles lens in the top bar to see ZT and DiD badges on each node.

How the engine defines and detects ZT & DiD →

Sources: NIST SP 800-160 v1r1 (DiD §3.3), NIST SP 800-207 (zero-trust architecture), NIST SP 800-53 Rev 5 (AC-6 least-privilege), OWASP AI Exchange: General Controls (#LEAST MODEL PRIVILEGE).