The authors propose Agent-BOM, a unified graph representation for auditing LLM-based agentic systems that separates static capability bases (models, tools, long-term memory) from dynamic runtime semantic states (goals, reasoning, actions). This bridges the semantic gap between low-level execution logs and high-level agent intent, enabling path-level security auditing—they demonstrate it can reconstruct stealthy attack chains like cross-session memory poisoning and multi-agent hijacking that traditional logging misses.
Main takeaways:
- Agentic systems create a "semantic gap": low-level logs don't capture cognitive state evolution, capability bindings, or cascading risks across interacting agents.
- Agent-BOM models the system as a hierarchical directed graph with static layers (capabilities) and dynamic layers (runtime states) connected by semantic edges and security attributes.
- Transforms fragmented execution traces into queryable audit paths for graph-based risk assessment.
- Implemented as a plugin in the OpenClaw environment; evaluation on real attack scenarios shows it can trace cross-session memory poisoning, supply-chain hijacking, and privilege abuse.
- Enables reconstruction of attack chains that span multiple sessions and agents, which isolated logs cannot reveal.