Attacks and Mitigations for Distributed Governance of Agentic AI under Byzantine Adversaries

📅 2026-05-12
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses a structural weakness of the agentic AI governance framework SAGA: it relies on a logically centralized trusted Provider, and a Provider that is compromised (for example by a cloud insider) can invalidate or reassign agent identities, leak private user and agent data, or bypass the access-control policies it is supposed to enforce. The paper systematically characterizes these provider-side attacks, executes several concrete ones, and proposes four hardened architectures: SAGA-BFT, which replicates the Provider behind a Byzantine fault-tolerant protocol and gives the strongest protection at significant performance cost; SAGA-MON, which adds lightweight server-side monitoring; SAGA-AUD, which adds client-side auditing; and SAGA-HYB, a hybrid that combines Byzantine resilience with monitoring and auditing so that security can be traded against performance per deployment. The monitoring and auditing designs stop most attack classes with minimal overhead, while the evaluation against SAGA shows where each architecture is the best fit.
📝 Abstract
Agentic AI governance is a critical component of agentic AI infrastructure, ensuring that agents follow their owner's communication and interaction policies and providing protection against attacks from malicious agents. The state-of-the-art solution, SAGA, assumes a logically centralized point of trust, the Provider, which serves as a repository for user and agent information and actively enforces policies. While SAGA provides protection against malicious agents, it remains vulnerable to a malicious Provider that deviates from the protocol, undermining the security of the identity and access control infrastructure. Deployment on both private and public clouds, each susceptible to insider threats, further increases the risk of Provider compromise. In this work, we analyze the attacks that can be mounted from a compromised Provider, taking into account the different system components and realistic deployments. We identify and execute several concrete attacks with devastating effects: undermining agent attributability, extracting private data, or bypassing access control. We then present three types of solutions for securing the Provider that offer different trade-offs between security and performance. We first present SAGA-BFT, a fully byzantine-resilient architecture that provides the strongest protection but incurs significant performance degradation due to the high cost of byzantine-resilient protocols. We then propose SAGA-MON and SAGA-AUD, two novel solutions that leverage lightweight server-side monitoring or client-side auditing to provide protection against most classes of attacks with minimal overhead. Finally, we propose SAGA-HYB, a hybrid architecture that combines byzantine resilience with monitoring and auditing to trade off security for performance. We evaluate all the architectures and compare them with SAGA. We discuss which solution is best and under what conditions.
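The abstract names the attack class (a Provider that deviates from the protocol and undermines agent attributability) and the client-side auditing idea behind SAGA-AUD without spelling out either. The following is an added, constructed illustration of that class, not the paper's protocol or code: a Provider that equivocates, handing two clients differently owned identity records for the same agent and epoch, and a client-side audit that catches it by cross-checking Provider-issued records with a peer. Everything here is assumed for the sake of the example: the record fields, the names `agent-42`, `alice`, `mallory`, `client-a`, `client-b`, and the use of an HMAC key shared with clients as a standard-library stand-in for the Provider's signature key (a real deployment would use a public-key signature so that clients cannot forge records themselves).

```python
"""Constructed illustration: detecting a Provider that equivocates on identity records.

Not the SAGA or SAGA-AUD protocol; a minimal model of the attack class and of a
client-side cross-check that exposes it.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Assumption: an HMAC key shared by the Provider and its clients stands in for
# the Provider's signing key so the block runs on the standard library alone.
PROVIDER_KEY = b"constructed-provider-key"


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class IdentityRecord:
    agent_id: str
    owner: str
    policy_hash: str  # digest of the owner's interaction policy
    epoch: int
    sig: str = ""

    def body(self) -> dict:
        fields = asdict(self)
        fields.pop("sig")
        return fields


def sign_record(key: bytes, rec: IdentityRecord) -> IdentityRecord:
    sig = hmac.new(key, canonical(rec.body()), hashlib.sha256).hexdigest()
    return IdentityRecord(**rec.body(), sig=sig)


def verify_record(key: bytes, rec: IdentityRecord) -> bool:
    expected = hmac.new(key, canonical(rec.body()), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.sig)


class Provider:
    """Honest Provider: every client sees the same record for (agent, epoch)."""

    def __init__(self, key: bytes):
        self.key = key
        self.store: dict[tuple[str, int], IdentityRecord] = {}

    def register(self, agent_id: str, owner: str, policy_hash: str, epoch: int) -> None:
        rec = IdentityRecord(agent_id, owner, policy_hash, epoch)
        self.store[(agent_id, epoch)] = sign_record(self.key, rec)

    def lookup(self, requester: str, agent_id: str, epoch: int) -> IdentityRecord:
        return self.store[(agent_id, epoch)]


class EquivocatingProvider(Provider):
    """Compromised Provider: one chosen client is shown a record with a different owner.

    Each record it hands out is validly signed, so signature checks alone do not
    reveal the deviation; only comparing what different clients received does.
    """

    def __init__(self, key: bytes, victim: str, fake_owner: str):
        super().__init__(key)
        self.victim, self.fake_owner = victim, fake_owner

    def lookup(self, requester: str, agent_id: str, epoch: int) -> IdentityRecord:
        rec = super().lookup(requester, agent_id, epoch)
        if requester == self.victim:
            forged = IdentityRecord(agent_id, self.fake_owner, rec.policy_hash, epoch)
            return sign_record(self.key, forged)
        return rec


class AuditingClient:
    """Client that keeps every Provider-issued record and cross-checks with a peer."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.seen: dict[tuple[str, int], IdentityRecord] = {}

    def fetch(self, provider: Provider, agent_id: str, epoch: int) -> IdentityRecord:
        rec = provider.lookup(self.name, agent_id, epoch)
        if not verify_record(self.key, rec):
            raise ValueError("record not signed by the Provider")
        self.seen[(agent_id, epoch)] = rec
        return rec

    def cross_check(self, peer: "AuditingClient") -> list:
        """Return (key, my_record, peer_record) for every validly signed conflict."""
        conflicts = []
        for key, mine in self.seen.items():
            theirs = peer.seen.get(key)
            if theirs is None or not verify_record(self.key, theirs):
                continue  # nothing to compare, or the peer's copy is not evidence
            if theirs.body() != mine.body():
                conflicts.append((key, mine, theirs))
        return conflicts


def run_scenario(malicious: bool) -> list:
    """Honest run returns no conflicts; an equivocating Provider is caught on cross-check."""
    provider = (EquivocatingProvider(PROVIDER_KEY, victim="client-b", fake_owner="mallory")
                if malicious else Provider(PROVIDER_KEY))
    policy_hash = hashlib.sha256(b"policy-v1").hexdigest()  # constructed policy digest
    provider.register("agent-42", "alice", policy_hash, epoch=7)
    a = AuditingClient("client-a", PROVIDER_KEY)
    b = AuditingClient("client-b", PROVIDER_KEY)
    a.fetch(provider, "agent-42", 7)
    b.fetch(provider, "agent-42", 7)
    return a.cross_check(b)


if __name__ == "__main__":
    print("honest:", run_scenario(False))
    print("equivocating:", run_scenario(True))
```

The point the model makes is the one the abstract implies: a Provider that is the sole root of trust can issue two mutually exclusive, individually valid statements about who owns an agent, and no single client can tell. Detection needs either replication with agreement among Providers (the SAGA-BFT direction) or clients retaining and comparing the statements they were given (the SAGA-AUD direction); the example shows the latter, with the conflicting pair of signed records serving as the evidence a client would escalate.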
Problem

Research questions and friction points this paper is trying to address.

Agentic AI governance
Byzantine adversaries
Provider compromise
Distributed governance
Identity and access control
Innovation

Methods, ideas, or system contributions that make the work stand out.

Byzantine fault tolerance
Agentic AI governance
Distributed security
Lightweight monitoring
Hybrid architecture