Frameworks, taxonomies, and evaluations for AI and security risk. Each is a public writeup — methodology shown, limitations named, claims grounded.
A four-tier classification for cyber assistance from frontier models, aligned with emerging cross-framework thinking on capability thresholds.
The contested Tier 2 / Tier 3 boundary is named explicitly, not assumed away.
A practical threat model for tool-using AI agents. Eleven threats mapped to the OWASP Agentic and LLM Top 10, a threat-to-control matrix, and a pre-deployment checklist.
Agent security is the security of seams, not boxes. The compromise lives where the model, the browser, and the cloud token meet.
A default-deny grant table mapping agent tool classes to risks, required controls, and enforcement points. Cross-walked to OWASP Top 10 for Agentic Applications 2026.
The controls-side companion to the taxonomy: it says where each control actually lives, rather than just prescribing least privilege.
A structured corpus of documented LLM attack techniques across the OWASP LLM Top 10, vendor red-team disclosures, and arXiv research — built for analytical queries.
100% precision on technique extraction (95% CI lower bound 83.9%).
A five-lane model for how a safety router should explain a reroute to a benign user without handing the trigger to an attacker.
Disclosure granularity should track inverse oracle risk.
A labeled prompt set and tooling that tests how models handle cyber requests across the taxonomy, with an LLM-as-judge scorer and a human-comparison harness.
Pilot: the judge matched the human on every verdict — and abstained on the 4 most severe.