AG-790
Multi-Source Weighted Threat Composite Scoring
EU AI Act
SOX
FCA
ISO 27001
Multi-Source Weighted Threat Composite Scoring governs the computation of aggregate threat scores from multiple independent detection sources. In any sufficiently complex autonomous agent deployment, threat assessment relies not on a single detector but on an ensemble of detection mechanisms: anomaly detectors, behavioural monitors, rate limiters, integrity verifiers, external threat intelligence feeds, and federated peer signals. Each source provides a partial view of the threat landscape with its own confidence level, latency characteristics, and false-positive rate. AG-790 defines how these partial views are combined into a single composite score that feeds into the escalation function (AG-784).
The composite scoring function applies configurable weights to each detection source, reflecting its reliability, relevance, and timeliness. A source with a proven track record of accurate detection and low false-positive rates receives a higher weight than a newly deployed or historically unreliable source. Weights are not static; they can be adjusted based on empirical performance data, source health status, and the current threat context. During a known phishing campaign, for example, the weight assigned to email security detectors may be temporarily increased while the weight of network anomaly detectors remains unchanged.
The output of the composite scoring function is a normalised threat score (0.0 to 1.0) accompanied by a confidence interval and a source attribution vector indicating which sources contributed to the score and by how much. This rich output enables the escalation function to make nuanced decisions: a high composite score driven primarily by a single high-confidence source may warrant immediate escalation, while the same score driven by many low-confidence sources may warrant investigation before escalation. The composite score transforms raw detection signals into actionable threat intelligence that the governance framework can consume.
This protocol applies to all systems that aggregate detection outputs for threat assessment within the Agent Governing framework. Specifically:
Single-source threat assessment is inherently fragile. A detector may be evaded, may experience degraded performance, or may generate false positives that desensitise operators. Composite scoring provides defence-in-depth at the assessment layer: even if one source is evaded or compromised, the remaining sources can still drive the composite score above the escalation threshold. Conversely, composite scoring reduces false positives by requiring corroboration across multiple sources before generating a high-confidence threat assessment.
Concrete Failure Scenario: A financial trading agent is monitored by three detection sources: a transaction pattern analyser, a network behaviour monitor, and a credential anomaly detector. An adversary has reverse-engineered the transaction pattern analyser's detection logic and structures their attack to evade it. Without composite scoring, the governance layer relies solely on the evaded detector and fails to escalate. With AG-790, the network behaviour monitor detects unusual API call patterns (weighted 0.35) and the credential anomaly detector flags a suspicious token refresh sequence (weighted 0.30). The composite score exceeds the Level 3 escalation threshold despite the transaction analyser reporting nominal conditions (weighted 0.35 but contributing 0.0 to the score). The system escalates to Level 3, triggering enhanced monitoring and preventing the adversary from executing their planned market manipulation. Without composite scoring, the attack succeeds, resulting in GBP 12 million in improper trades and a subsequent FCA investigation.
The EU AI Act (Article 9(2)(b)) requires that risk management include the estimation of risks using appropriate methods. SOX Section 404 mandates that internal controls provide reasonable assurance through multiple assessment mechanisms. The FCA's SYSC 6.1.2 requires risk management to be supported by adequate and effective information systems. AG-790 operationalises these requirements by ensuring threat assessment is multi-sourced, weighted, and empirically calibrated.
At the Basic level, the system accepts inputs from multiple detection sources and computes a weighted average. Weights are statically configured and rarely updated. Source attribution is available but may not include individual contribution breakdowns. Unhealthy source detection is manual or based on simple heartbeat checks. Temporal decay is not implemented; stale inputs may influence the composite score. Computation logs exist but may lack intermediate calculation details.
At the Intermediate level, automated health monitoring detects unresponsive or degraded sources and adjusts the composite calculation dynamically. Temporal decay is implemented with configurable thresholds. Source attribution includes detailed per-source contribution breakdowns. Weight changes are governed by AG-007 with tamper-evident logging. Rolling performance baselines track false-positive rates and correlation with confirmed incidents. The composite score is published within the 200ms latency requirement. Full computation logs with intermediate calculations are maintained for audit.
At the Advanced level, dynamic weight adjustment informed by machine learning models is operational, subject to human approval. The composite scoring engine has been validated through independent adversarial testing, including source evasion scenarios, source poisoning attacks (where an adversary feeds false data to a detection source), and temporal manipulation attempts. Cross-validation with federated peer composite scores (via AG-788) is supported. The system can demonstrate, through historical analysis, that composite scoring reduces false-positive rates by a measurable margin compared to single-source assessment, and this evidence is maintained for regulatory review.
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No composite scoring exists. Threat assessment relies on a single detection source or on manual aggregation by operators, creating blind spots and inconsistent risk assessment. |
| 1 | Basic | Multiple sources feed into a weighted average, but weights are static, source health is not monitored automatically, temporal decay is absent, and computation logs lack intermediate detail. The system provides marginal improvement over single-source assessment. |
| 2 | Infrastructure-layer enforcement | Dynamic source health monitoring, temporal decay, detailed source attribution, sub-200ms publication latency, governed weight management, rolling performance baselines, and full computation logging are all operational. The composite score reliably informs escalation decisions. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are validated by independent adversarial testing, including source evasion, source poisoning, and temporal manipulation scenarios. ML-informed weight adjustment is operational with human oversight. Measurable false-positive reduction is demonstrated and documented. |
Scenario: One detection source is assigned a weight of 0.70 out of 1.0, while two other sources share the remaining 0.30. The dominant source is evaded by an adversary. Despite the two remaining sources both reporting high-severity indicators, the composite score remains below the escalation threshold because the dominant source's 0.70 weight contributes 0.0 to the score.
Impact: HIGH. The composite scoring mechanism, intended to provide defence-in-depth, is undermined by over-reliance on a single source. The adversary effectively needs to evade only one detector.
Mitigation: R7 recommends rolling performance baselines that would detect the dominant source's failure to detect confirmed incidents. Weight governance (R5) should include periodic review of weight distributions to prevent excessive single-source dominance. Implement a minimum contribution threshold that triggers an alert when any single source's weight exceeds a configurable percentage (e.g., 50%).
Scenario: A detection source reports a high-severity anomaly and then becomes unresponsive due to a software crash. The composite scoring engine continues to include the stale high-severity input in every computation because temporal decay is not implemented. The threat level remains elevated for hours based on a single stale reading, triggering unnecessary operational restrictions.
Impact: MEDIUM. Governance resources are consumed maintaining an elevated posture based on outdated information. Operators may develop alert fatigue and begin overriding threat levels manually, creating security risks.
Mitigation: R8 mandates temporal decay with configurable thresholds. R6 mandates detection of unresponsive sources. Together, these requirements ensure that stale inputs are discounted and unhealthy sources are excluded from the composite calculation.
Scenario: An adversary gains access to a detection source's output feed and injects a continuous stream of low-severity false indicators. Over time, the source's rolling performance baseline shows increasing false-positive rates, causing the system to reduce its weight. When the adversary later launches a genuine attack, the compromised source correctly detects it but its low weight means the detection has minimal impact on the composite score.
Impact: HIGH. The adversary manipulates the composite scoring system by deliberately degrading a source's credibility before launching the actual attack. This is a sophisticated, long-term attack against the threat assessment infrastructure itself.
Mitigation: Treat sudden changes in a source's false-positive rate as a potential indicator of source compromise, triggering a security review rather than automatic weight reduction. R9's ML-informed adjustment should include anomaly detection on the source performance metrics themselves.
Scenario: During a complex multi-vector attack, all detection sources simultaneously report high-severity indicators. The composite scoring engine, designed for typical loads of 10-20 inputs per second, receives 500 inputs per second. Computation latency increases from 50ms to 3 seconds, delaying escalation by critical seconds during an active attack.
Impact: HIGH. The escalation function does not receive timely composite scores, resulting in delayed threat level transitions and a window of vulnerability during the most critical phase of an attack.
Mitigation: Implement input buffering with micro-batch computation (aggregate inputs over 50ms windows and compute once). Pre-allocate computational resources for peak loads. Implement a circuit-breaker that publishes a maximum-severity composite score if computation latency exceeds the 200ms threshold, defaulting to a safe (escalated) state.
| Requirement | EU AI Act | SOX | FCA SYSC | ISO/IEC |
|---|---|---|---|---|
| R1: Multi-source composite | Art. 9(2)(b) — Risk estimation | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.5.7 |
| R2: Normalised score output | Art. 9(2)(b) — Risk estimation | -- | SYSC 6.1.2 | ISO/IEC 27005:2022 Cl. 8.2 |
| R3: Source attribution | Art. 13 — Transparency | Sec. 302 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.8.15 |
| R4: 200ms publication latency | Art. 9(4)(b) — Mitigation | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24 |
| R5: Weight governance | Art. 9(7) — Review/update | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.5.1 |
| R6: Source health monitoring | Art. 15 — Robustness | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.8.16 |
| R10: Computation logging | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15 |
| Protocol | Relationship |
|---|---|
| AG-784 (Adaptive Threat Level Escalation) | Consumer: Composite scores are a primary input to the escalation function. |
| AG-785 (Threat Level Auto-Decay and Stabilisation) | Integration: Declining composite scores inform decay eligibility assessment. |
| AG-786 (Cryptographic Governance State Sealing) | Indirect: Composite scores contribute to escalation that triggers sealing at Level 5. |
| AG-787 (Governance Seal Integrity Verification) | Indirect: Seal verification may be triggered by composite score anomalies. |
| AG-788 (Federated Threat Level Propagation) | Input: Federated peer threat levels are a detection source for composite scoring. |
| AG-789 (HMAC-Signed Threat Broadcast Authentication) | Security: Federated inputs to composite scoring must be authenticated. |
| AG-791 (Pipeline-Integrated Threat Event Ingestion) | Input: Pipeline events are the primary detection source inputs to composite scoring. |
| AG-003 (Adversarial Coordination Detection) | Source: Adversarial coordination detectors feed into composite scoring. |
| AG-004 (Action Rate Governance) | Source: Rate violation detectors feed into composite scoring. |
| AG-006 (Tamper-Evident Record Integrity) | Audit: All composite computations are logged in tamper-evident records. |
| AG-007 (Governance Configuration Control) | Control: Weight configuration changes are governed by AG-007. |
| AG-019 (Mandatory Human Oversight Enforcement) | Control: ML-informed weight adjustments require human approval. |
Document generated under Patent 7 governance framework. Classification: INTERNAL. Review cycle: Quarterly.