AG-795
Command and Control via ML Service Governance
EU AI Act
NIST AI RMF
ISO 42001
Command and Control via ML Service Governance mandates structural controls to prevent, detect, and respond to adversaries who exploit ML inference services as covert command-and-control (C2) channels within governed agent ecosystems. The core threat is that an adversary embeds C2 instructions within the normal operational flow of an ML inference pipeline — encoding commands in prompts, model inputs, retrieval-augmented generation (RAG) corpus entries, or tool-call parameters — and receives encoded directives through model outputs, structured tool-call responses, or inter-agent messages. Because the inference pipeline is the agent's primary operational pathway, C2 traffic carried through it is indistinguishable from legitimate operational traffic at the network layer, rendering traditional network-based C2 detection ineffective.
This threat class is distinct from prompt injection (addressed by AG-796) and from inference API access control (addressed by AG-794). Prompt injection seeks to alter the agent's behaviour through manipulated instructions; C2 via ML service uses the inference pipeline as a communication channel while the agent may appear to operate normally. The ML service functions as an unwitting relay: the adversary sends instructions through a channel the agent is designed to trust and consume. The agent processes the instructions as part of its normal inference cycle, executes the encoded commands through its tool-call capabilities, and returns results through the same inference channel — all without triggering network-layer anomaly detection because every packet traverses an authorised, expected pathway.
In multi-agent ecosystems the risk compounds. A single compromised agent can use inter-agent inference calls to propagate C2 instructions to other agents in the ecosystem, creating a distributed C2 network that operates entirely within the governed infrastructure. Each compromised agent appears to perform normal inter-agent communication while relaying adversary commands through the inference pipeline. AG-795 closes this gap by requiring output anomaly detection, tool-call destination validation, inference pattern analysis, inference service isolation, and cryptographic binding of inference responses to authorised request chains.
This dimension applies to all AI agent deployments operating under the AGS framework where agents consume ML inference services — whether hosted internally, accessed via third-party API, or provided through federated model-serving infrastructure. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data, external networks, or tool-call capabilities are excluded, subject to the condition that any transition to production immediately triggers AG-795 compliance. Agents that consume only pre-computed, static model outputs with no real-time inference capability are excluded from the real-time detection requirements but remain in scope for output integrity validation.
Financial Services. Agents executing financial transactions through tool calls present an immediate monetisation pathway for C2 exploitation. An adversary who establishes C2 through the inference pipeline can direct the agent to execute unauthorised trades, transfer funds, or modify settlement instructions — all through the agent's legitimate tool-call interface. FCA SYSC requirements for systems and controls, and DORA requirements for ICT risk management, mandate detection capabilities proportionate to this threat. Financial-sector deployments must implement transaction-level anomaly detection that correlates inference outputs with tool-call patterns to identify C2-directed financial actions.
Healthcare. Clinical agents with access to patient records and treatment systems represent a high-value C2 target. An adversary who controls a clinical agent through the inference pipeline can exfiltrate patient data by encoding it in outbound inference queries, or can manipulate clinical decision support outputs. The combination of HIPAA breach notification requirements and patient safety implications makes C2 detection in healthcare agent deployments a critical control.
Defence and Critical Infrastructure. Agents operating in defence, energy, or transportation contexts carry the highest C2 risk because adversary objectives extend beyond financial gain to operational disruption and intelligence collection. C2 via ML service is particularly dangerous in these contexts because it bypasses network segmentation controls that these sectors rely on for security assurance.
Public Sector. Government agents making or supporting decisions affecting individual rights must maintain full traceability of the decision chain. C2 via ML service corrupts the decision chain at the inference layer, making it impossible to distinguish between legitimate model outputs and adversary-directed instructions without the controls mandated by this dimension.
The inference pipeline is the most trusted communication channel in an agent's architecture. Agents are designed to receive instructions through their inference service and act on them — that is their core operational model. An adversary who gains the ability to inject C2 instructions into this pipeline exploits the highest-trust channel available, operating inside the agent's decision loop rather than attacking it from outside. This is the digital equivalent of compromising a military command's own radio frequency: every order appears legitimate because it arrives through the authorised channel.
Traditional C2 detection focuses on network-layer indicators: unusual destination IPs, DNS tunnelling, beaconing patterns, encrypted connections to unknown endpoints. None of these indicators apply when C2 traffic flows through a legitimate ML inference API. The packets travel to an authorised endpoint, use standard HTTPS, follow expected request-response patterns, and carry payloads that are structurally identical to normal inference traffic. A network security operations centre monitoring for traditional C2 indicators will see nothing anomalous. The C2 channel is invisible at every layer except the semantic layer — the content and pattern of the inference requests and responses themselves.
The attack surface is broad. An adversary can inject C2 instructions through multiple vectors: poisoning a RAG corpus with documents containing encoded commands that the agent retrieves and processes during normal operation; compromising a model-serving endpoint to inject instructions into model outputs; exploiting tool-call mechanisms to relay commands through tool responses that feed back into the inference loop; or compromising one agent in a multi-agent system and using inter-agent inference calls to propagate C2 to other agents. Each vector exploits a different part of the inference pipeline, and defence requires controls at every stage.
The consequences of successful C2 establishment scale with the agent's capabilities. An agent with tool-call access to financial systems can execute unauthorised transactions. An agent with access to customer data can exfiltrate it by encoding records in outbound inference queries. An agent in a multi-agent ecosystem can recruit other agents into the C2 network by embedding instructions in inter-agent communications. In each case, the compromised agent continues to perform its legitimate functions — the C2 channel operates alongside normal operations, not instead of them. This dual-use characteristic makes C2 via ML service significantly harder to detect than C2 channels that disrupt normal agent behaviour.
The regulatory environment increasingly requires controls against this threat class. The EU AI Act Article 15 requires robustness against attempts to alter the system's use by exploiting vulnerabilities. NIST AI RMF MANAGE 2.4 requires the ability to deactivate AI systems that demonstrate performance or security anomalies. MITRE ATLAS catalogues AML.T0048 as a documented technique with observed real-world usage. AG-795 translates these requirements into enforceable, testable controls that operate at the semantic layer where this threat manifests.
Basic Implementation — The organisation has documented the C2 via ML service threat in its risk register and has implemented initial controls. Tool-call destinations are restricted to an authorised list, though the list may be broad. Inference request and response logging is operational but anomaly detection may rely on static rules or manual review. RAG corpus content is reviewed before ingestion but integrity validation may not be automated. Detection latency may exceed 500ms. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. The organisation has conducted at least one tabletop exercise exploring C2 via inference pipeline scenarios.
Intermediate Implementation — All Basic capabilities plus: output anomaly detection operates in real-time using statistical models trained on each agent's operational baseline. Tool-call destination validation enforces a strict allow-list with per-action parameter schema validation. Inference request-response pattern analysis detects beaconing, anomalous entropy, and correlated multi-agent patterns. Cryptographic binding of responses to request chains is operational. RAG corpus integrity validation is automated with content signing. Containment triggers within 500ms for high-confidence detections. All MUST requirements are implemented with documented evidence. Tamper-evident audit trails cover all inference interactions. The organisation conducts at least annual adversarial testing targeting this threat class.
Advanced Implementation — All Intermediate capabilities plus: behavioural baselining continuously profiles every agent's inference consumption patterns with automated deviation alerting. Multi-agent C2 propagation detection correlates inference patterns across the full agent population to identify coordinated C2 activity. Honeypot inference endpoints provide early warning of adversary reconnaissance. Red-team exercises targeting C2 via ML service are conducted quarterly with results informing detection model updates. Cross-organisational threat intelligence sharing provides indicators of C2 techniques observed in peer environments. The organisation can demonstrate to regulators that no known C2 technique from the MITRE ATLAS catalogue bypasses the deployed detection and containment controls. Post-quantum cryptographic binding is implemented for response attestation, aligned with AG-786.
Semantic-layer anomaly detection independent of agent runtime. Deploy inference output analysis as a dedicated service in a separate security domain from the agent runtime. The analysis service inspects every inference response before it reaches the agent, scoring it against the agent's operational baseline for structural anomalies, encoded content patterns, and instruction-like content. The agent cannot influence the analysis service's scoring decisions. This architecture ensures that a compromised agent cannot disable or manipulate the detection that monitors it.
Cryptographic request-response binding with nonce chaining. Issue a unique cryptographic nonce for each inference request from the governance infrastructure (not from the agent). The inference service signs the response with the nonce, and the governance infrastructure validates the binding before releasing the response to the agent. For multi-turn inference sequences, chain the nonces so that each response attestation includes the hash of the previous nonce, creating a tamper-evident sequence that detects response injection or reordering.
Tool-call interception gateway with context validation. Route all tool calls through a dedicated gateway that validates not only the destination and parameters against the authorised registry, but also the inferential context that produced the tool call. The gateway verifies that the inference response that triggered the tool call is consistent with the agent's current task context, flagging tool calls that appear contextually disconnected from the agent's operational state — a hallmark of C2-directed action.
RAG corpus integrity monitoring with content signing. Implement cryptographic signing of all RAG corpus entries at ingestion time. Before any corpus entry is consumed by the inference pipeline, verify its signature against the authorised content registry. Monitor for unsigned or re-signed entries that may indicate corpus poisoning. Implement semantic analysis of newly ingested corpus entries to detect instruction-like content or encoded command patterns before they enter the retrieval index.
Multi-agent correlation engine for distributed C2 detection. Deploy a correlation engine that analyses inference patterns across the full agent population, identifying synchronised request timing, similar anomalous response patterns across unrelated agents, and inter-agent communication sequences that suggest C2 relay chains. The correlation engine operates on metadata and anomaly scores, not on raw inference content, to maintain privacy boundaries while detecting ecosystem-level C2 activity.
Network-layer-only C2 detection. Monitoring network traffic for C2 indicators without semantic-layer analysis. C2 via ML service traverses legitimate, authorised network paths and is invisible to network-layer detection. Organisations that rely solely on network security monitoring have a false sense of security against this threat class.
Static allow-lists without contextual validation. Maintaining a tool-call destination allow-list but not validating whether the tool call is contextually appropriate given the agent's current inference state. A compromised agent calling an authorised endpoint with adversary-directed parameters will pass static allow-list checks. Contextual validation is required to detect C2-directed tool calls to otherwise legitimate destinations.
Agent-side detection logic. Implementing C2 detection within the agent's own runtime. A compromised agent that is receiving C2 instructions through its inference pipeline can suppress or manipulate detection logic running in its own process. Detection must operate in a separate security domain with no agent-accessible control surface.
Inference response caching without re-validation. Caching inference responses and serving them to agents without re-validating the cryptographic binding or re-running anomaly detection. Cached responses can be poisoned by an adversary who gains access to the cache, establishing a persistent C2 channel that bypasses real-time detection.
Trusting inter-agent inference calls without per-call authentication. Assuming that inter-agent inference calls within the same deployment are trustworthy because both agents are deployed by the same organisation. A single compromised agent using authenticated inter-agent channels to propagate C2 instructions will bypass any detection that trusts intra-deployment traffic by default.
TC1: Encoded C2 Instruction Detection in Inference Output
TC2: Tool-Call Destination Validation
TC3: Beaconing Pattern Detection
TC4: Cryptographic Response Binding Verification
TC5: RAG Corpus Poisoning Detection
TC6: Data Exfiltration via Inference Pipeline
TC7: Multi-Agent C2 Propagation Detection
TC8: Containment Latency Under Load
| Evidence ID | Description | Retention Period |
|---|---|---|
| AG795-E01 | Inference request and response audit logs with anomaly scores | 7 years |
| AG795-E02 | Tool-call validation logs including blocked calls and block reasons | 7 years |
| AG795-E03 | Beaconing and pattern analysis detection reports | 5 years |
| AG795-E04 | Cryptographic response binding verification logs | 7 years |
| AG795-E05 | RAG corpus integrity validation records and quarantine logs | 5 years |
| AG795-E06 | Data exfiltration detection and containment event logs | 7 years |
| AG795-E07 | Multi-agent correlation analysis reports | 5 years |
| AG795-E08 | Adversarial red-team exercise reports targeting C2 via ML service | 5 years |
| AG795-E09 | Containment latency monitoring data (daily p50/p95/p99 snapshots) | 1 year |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No controls exist to detect or prevent C2 via ML service. Inference requests and responses flow between agents and ML services without semantic-layer monitoring. Tool calls triggered by inference outputs are not validated against an authorised destination registry. The agent ecosystem is fully vulnerable to C2 establishment through the inference pipeline. |
| 1 | Basic | Tool-call destinations are restricted to an authorised list. Inference request and response logging is operational. RAG corpus content is reviewed before ingestion. Detection relies on static rules or periodic manual review. Containment is manual. Coverage may not extend to all in-scope deployments. The organisation has documented the threat but has not implemented real-time semantic-layer detection. |
| 2 | Infrastructure-layer enforcement | Output anomaly detection operates in real-time in a separate security domain from the agent runtime. Tool-call destination validation enforces a strict allow-list with parameter schema and contextual validation. Inference pattern analysis detects beaconing, anomalous entropy, and multi-agent correlation indicators. Cryptographic response binding prevents response substitution. RAG corpus integrity is validated with content signing. Containment triggers within 500ms. Tamper-evident audit trails cover all inference interactions. Data exfiltration monitoring is operational on outbound inference requests. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities verified through independent red-team exercises targeting C2 via ML service using techniques from the MITRE ATLAS AML.T0048 catalogue. Testing covers all five encoding techniques in TC1, response substitution attacks, RAG corpus poisoning, data exfiltration, and multi-agent C2 propagation. Evasion resistance demonstrated across multiple novel attack variants. Behavioural baselining and multi-agent correlation engine operational. Test results documented and available for regulatory review. |
Scenario A -- RAG Corpus Poisoning Enables Covert C2 in Financial Trading Agent
A financial services firm deploys an AI agent to support equity trading decisions. The agent consumes a RAG corpus of analyst reports, market data, and internal research notes to generate trade recommendations, which it executes through tool calls to the firm's order management system. An adversary gains write access to the firm's research note ingestion pipeline through a compromised third-party data vendor. Over three weeks, the adversary introduces 47 research notes that appear to be legitimate analyst commentary but contain steganographically encoded trading instructions. The encoded instructions direct the agent to execute a series of small trades that collectively establish a large short position in a specific equity. The agent processes the poisoned corpus entries during normal RAG retrieval, interprets the encoded instructions as part of its analytical reasoning, and executes the directed trades through its authorised tool-call interface. Each individual trade falls within the agent's authorised trading parameters. The firm's risk systems monitor position limits at the portfolio level but do not analyse inference-to-trade causal chains. The short position accumulates over 9 trading days until a junior risk analyst notices the concentration during a manual portfolio review.
What went wrong: No RAG corpus integrity validation — research notes from external vendors were ingested without content signing or semantic analysis for instruction-like patterns. No inference output anomaly detection — the agent's trade recommendations were not analysed for correlation with specific corpus entries. No tool-call contextual validation — each trade was individually authorised, but the pattern of trades was C2-directed. The C2 channel operated for 9 trading days because detection relied on human review of portfolio-level metrics rather than semantic-layer analysis of the inference pipeline.
Consequence: GBP 12.4 million in accumulated short position exposure. FCA investigation into market manipulation. The firm cannot demonstrate to regulators that its agent governance controls were adequate because the entire trade sequence was executed through authorised channels with no detection of the C2 mechanism. Estimated remediation cost GBP 3.8 million including forensic investigation, position unwinding, regulatory engagement, and systems redesign.
Scenario B -- Compromised Agent Uses Inference API as Data Exfiltration Channel
A healthcare network deploys clinical decision support agents across 14 hospitals. Each agent has access to patient records through the electronic health record (EHR) system and consumes a hosted inference API for clinical reasoning. An attacker compromises one hospital's clinical agent through a supply chain vulnerability in a third-party plugin. The compromised agent continues to provide clinical decision support normally but, in the background, encodes patient records — names, diagnoses, treatment plans, and insurance identifiers — into its outbound inference requests. The encoding distributes patient data across the padding fields, temperature parameters, and system prompt metadata of standard inference API calls. The attacker operates a man-in-the-middle proxy between the compromised agent and the inference endpoint, extracting the encoded patient data from the inference requests before forwarding them to the legitimate API. The inference API processes the requests normally and returns valid clinical outputs, so the agent's operational behaviour appears unchanged. The exfiltration continues for 31 days, extracting 23,400 patient records, before the hospital's data loss prevention (DLP) system flags an anomalous pattern in metadata field sizes during a scheduled audit.
What went wrong: No outbound inference request monitoring for data exfiltration patterns. The DLP system operated on a scheduled audit cycle rather than in real-time. Inference request metadata fields were not validated against expected schemas. The agent's network traffic was considered trusted because it was directed to an authorised inference endpoint. No behavioural baselining — the compromised agent's inference request patterns deviated significantly from its historical baseline but no system was monitoring for deviation.
Consequence: HIPAA breach notification for 23,400 patients across 14 hospitals. HHS OCR investigation. Class action litigation. Estimated notification, forensic investigation, and remediation cost USD 14.7 million. The healthcare network's cyber insurance policy excludes AI-specific attack vectors, leaving the full cost uninsured.
Scenario C -- Multi-Agent C2 Propagation in Autonomous Supply Chain Platform
A multinational logistics company operates a supply chain optimisation platform comprising 42 specialised agents: demand forecasting, inventory management, route optimisation, customs declaration, supplier communication, and warehouse coordination agents across 8 countries. An adversary compromises the supplier communication agent through a malicious tool-call response from a compromised supplier API endpoint. The compromised supplier communication agent begins embedding encoded C2 instructions in its inter-agent inference calls to the inventory management and route optimisation agents. The encoded instructions are embedded in the natural-language reasoning traces that agents share during collaborative decision-making — a legitimate feature of the multi-agent architecture. Within 48 hours, the adversary controls three agents. The compromised inventory management agent begins generating artificially inflated demand forecasts, causing the route optimisation agent (now also compromised) to redirect shipments to adversary-controlled warehouses. The customs declaration agent, receiving apparently legitimate shipment data from the compromised route optimisation agent, files accurate declarations for the redirected shipments. The fraud is discovered when a warehouse manager at a legitimate facility reports a 40% drop in inbound shipments that the system shows as delivered.
What went wrong: No multi-agent C2 correlation detection — each inter-agent inference call was individually authenticated (per AG-781) but the content of inference calls was not analysed for encoded instructions. Inter-agent reasoning trace sharing was a trusted channel with no semantic-layer monitoring. No behavioural baselining of inter-agent communication patterns — the shift in communication frequency and content between the compromised agents was detectable but unmonitored. Tool-call responses from external supplier APIs were not sanitised before being processed by the agent.
Consequence: EUR 8.3 million in diverted shipments across 3 countries. Customs fraud investigations in 4 jurisdictions. Complete platform shutdown for 14 days during forensic analysis. 23 enterprise customers invoke force majeure clauses. Supply chain trust framework requires full re-certification. Estimated total impact EUR 31 million including direct losses, regulatory penalties, customer compensation, and platform reconstruction.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Full agent ecosystem — every agent consuming ML inference services and every system accessible through agent tool calls |
Consequence chain: Successful C2 establishment through the inference pipeline gives the adversary control over the agent's tool-call capabilities at the speed of the agent's execution cycle. The blast radius encompasses every system the agent can reach through its authorised tool-call interface, every dataset the agent can access through its operational permissions, and — in multi-agent ecosystems — every downstream agent that trusts communications from the compromised agent. Because the C2 channel operates through the agent's primary operational pathway, the adversary inherits the agent's full authorisation scope. Detection through behavioural monitoring may take days or weeks because the agent continues to perform its legitimate functions alongside C2-directed actions. The asymmetry between exploitation speed (milliseconds) and detection speed (days) creates a window during which the adversary can achieve strategic objectives before any human intervention occurs.
| Requirement | EU AI Act | NIST AI RMF | ISO 42001 | MITRE ATLAS |
|---|---|---|---|---|
| R1: Output anomaly detection | Art. 9 -- Risk management | MANAGE 2.2 -- Sustain value | Clause 8.2 -- AI risk assessment | AML.T0048 -- C2 via ML service |
| R2: Tool-call destination validation | Art. 9 -- Risk management | GOVERN 1.1 -- Legal requirements | Clause 6.1 -- Risk actions | AML.T0048.001 -- Inference API |
| R3: Inference pattern analysis | Art. 15 -- Robustness | MANAGE 2.2 -- Sustain value | Clause 9.1 -- Monitoring | AML.T0048 -- C2 via ML service |
| R4: Inference service isolation | Art. 9 -- Risk management | GOVERN 1.1 -- Legal requirements | Clause 8.2 -- AI risk assessment | AML.T0048 -- C2 via ML service |
| R5: Cryptographic response binding | Art. 15 -- Robustness | MANAGE 2.2 -- Sustain value | Clause 8.2 -- AI risk assessment | -- |
| R6: Exfiltration detection | Art. 12 -- Record-keeping | MANAGE 2.2 -- Sustain value | Clause 9.1 -- Monitoring | AML.T0048 -- C2 via ML service |
| R7: Automated containment | Art. 9 -- Risk management | MANAGE 2.4 -- Deactivation | Clause 8.2 -- AI risk assessment | -- |
| R8: Tamper-evident audit trail | Art. 12 -- Record-keeping | GOVERN 1.1 -- Legal requirements | Clause 9.1 -- Monitoring | -- |
Article 9 requires providers of high-risk AI systems to establish a risk management system that identifies and mitigates reasonably foreseeable risks. C2 via ML service is a documented, reasonably foreseeable risk for any agent consuming inference services — MITRE ATLAS catalogues it as an observed technique. AG-795 implements the risk mitigation measures for this specific threat class. Article 12 requires record-keeping systems that enable tracing of the AI system's functioning throughout its lifecycle; the tamper-evident audit trail mandated by R8 satisfies this requirement for inference pipeline interactions. Article 15 requires robustness against attempts by unauthorised third parties to alter the system's use by exploiting vulnerabilities; C2 via ML service is precisely such an attempt, and AG-795's controls provide the structural robustness defence.
GOVERN 1.1 requires that legal and regulatory requirements are identified and addressed. AG-795 operationalises the requirement to protect AI systems against adversarial manipulation of the inference pipeline. MANAGE 2.2 requires mechanisms to sustain the value of deployed AI systems; C2 compromise destroys the value proposition of the agent by redirecting its capabilities to adversary objectives. MANAGE 2.4 requires the ability to deactivate AI systems that demonstrate security anomalies; R7's automated containment within 500ms implements this capability for C2 detection events.
AML.T0048 (Command and Control via ML Service) is the primary threat that AG-795 governs. The ATLAS catalogue documents observed techniques including: using inference APIs as communication channels, embedding commands in model queries, and receiving instructions through model outputs. AG-795's requirements map directly to the detection and mitigation of each documented sub-technique, with particular emphasis on the agentic context where tool-call capabilities transform C2 establishment from an information-gathering threat into an action-execution threat.
| Protocol | Relationship |
|---|---|
| AG-770 | Dependency -- Agentic Identity and Credential Lifecycle Governance provides the credential infrastructure that AG-795 uses for cryptographic response binding and inference request authentication |
| AG-781 | Dependency -- Agent Identity Verification Protocol Governance provides per-interaction identity verification for inter-agent inference calls; AG-795 extends this with semantic-layer content analysis of those calls |
| AG-784 | Dependency -- Adaptive Threat Level Escalation provides the escalation framework that AG-795 invokes when C2 indicators are detected, enabling graduated containment response |
| AG-786 | Dependency -- Cryptographic Governance State Sealing provides the cryptographic primitives and tamper-evidence mechanisms that AG-795 uses for response binding and audit trail integrity |
| AG-734 | Complementary -- Semantically Adversarial Compliant Action Detection detects actions that are individually compliant but collectively harmful; AG-795 detects the C2 channel that directs such actions |
| AG-735 | Complementary -- Governance State Reconnaissance Prevention prevents adversaries from mapping detection capabilities; AG-795 detects the C2 channel that would be used after successful reconnaissance |
| AG-789 | Integration -- HMAC-Signed Threat Broadcast Authentication provides authenticated inter-platform threat sharing; C2 indicators detected by AG-795 should be broadcast to federated platforms via AG-789 |
| AG-791 | Integration -- Pipeline-Integrated Threat Event Ingestion provides the event pipeline through which AG-795 detection events are ingested for correlation and response |
| AG-794 | Complementary -- ML Model Inference API Access Governance controls who can access inference services; AG-795 controls what happens within authorised inference channels |
| AG-796 | Complementary -- LLM Prompt Injection (Indirect) Governance addresses instruction manipulation through prompts; AG-795 addresses the distinct threat of using the inference pipeline as a C2 communication channel |