Skip to content
Sovereign AI Defense · An Open Call · May 2026

“Sovereign AI without Sovereign Defense is just Sovereign Risk.”

Every country is building Sovereign AI.
None are building Sovereign AI Defense.
Until now.

Over the last 18 months, democracies have committed over USD 10Bto build Sovereign AI. None have prepared a defense layer for the autonomous agents they’re building.

This is not an oversight. It is a structural vulnerability. Today, that gap has its first open, operational, community-governed answer — MIT-licensed, 642 behavioral rules, in production at Microsoft AGT and Cisco AI Defense (plus Gen Digital Sage, PR merged), and referenced by MISP and OWASP.

SHIPPING
642
full ATR rule pack in Cisco AI Defense
GARAK RECALL
98.0%
650 in-the-wild · 38.5% on full 3,475
FALSE POSITIVE
0.20%
498 benign samples
GARAK MAPPING
32/32
ATR-side mapping coverage · garak PR #1676 open
01 · THE MOMENT

Why Sovereign AI became a national imperative

AI is no longer a tool. It is the core of next-era national competitiveness — whoever controls AI controls the future of economic, military, diplomatic, and cultural voice. Over the last 18 months, democratic allies have signed over USD 10B in Sovereign AI commitments:

India
Tata + Reliance · Hindi / Marathi LLMs
$ multi-billion
Japan
SoftBank + KDDI · Japanese LLMs · disaster resilience AI
$ multi-billion
United Kingdom
NVIDIA AI infrastructure commitment
£1B (≈ $1.3B)
France
Mistral AI + 18,000 Grace Blackwell
$ multi-billion
Saudi / UAE / Korea
2025 US-Saudi Investment Forum and others
$ multi-billion
Taiwan
Foxconn + TSMC + gov AI supercomputer · Constellation HQ
NT$ 40B+

The driver is sovereignty anxiety — no country wants its critical data and intelligence running in US clouds, nor wants to be shut off or censored by foreign platforms at critical moments.

“Every country needs to own the production of their own intelligence. The first thing I would do is codify the language, the data of your culture into your own large language model.”Jensen Huang · World Governments Summit · Dubai 2024
02 · THE FATAL GAP

Every country now owns its AI. None owns its AI Defense.

These countries have their own models and their own compute. But when those AI systems become agents — autonomous actors, tool users, MCP clients, transaction executors — no widely accepted agent security detection standard exists.

The current reality: sovereign AI customers source their security layer from US-private vendors running proprietary rule sets and black-box models. This reproduces exactly the dependency that Sovereign AI was created to escape. You can own your AI, but still have to rent the knowledge that defends it — that is incomplete sovereignty.

“Conventional cybersecurity approaches do not translate cleanly to autonomous agent deployments.”NIST CAISI · January 2026 · Official acknowledgment of the standards gap
CONCERNED
87%
but only 11% report being prepared · CSA 2026
DEPLOYMENTS
0
Sovereign AI deals include a defense layer
MYTHOS
83.1%
CyberGym reproduction · previous generation ≈ 0%
03 · THE PROPOSAL

ATR — the open standard that fills the missing layer

MIT License · 642 behavioral rules · protocol-agnostic · behavior-based. Derived from real attack corpora, classified to NVIDIA garak / OWASP Agentic / MITRE ATLAS taxonomies. Adoptable by any country, contributable by any organization. No geopolitical risk. No vendor lock-in.

ATR detects behavioral intent, not string signatures. Attackers who rephrase prompts, repackage payloads, or restructure attack chains cannot evade it, because the detection target is the causal structure of the attack. Each attack has to be redesigned — cost rises exponentially.

03B · CARRYING DETECTION IP FORWARD

Twenty years of detection knowledge doesn't disappear — it takes a new form

Every bank, hospital, and semiconductor fab’s security operations center has accumulated detection IP built over years of real combat — Sigma, YARA, Snort, Splunk SPL, Elastic EQL. Behind every rule sits a real incident.

In the AI agent era, SQL injection didn’t disappear — it moved into reasoning chains. Command injection lives in tool calls. SSRF lives in MCP connections. The attack surface changed; the nature of attack didn’t.

ATR ships an open reference CLI, atr migrate, that translates existing detection rules into draft ATR rules — so accumulated detection knowledge carries forward into the AI agent era without rewriting from scratch. Each emitted rule is checked against a benign corpus for false positives; rules that don’t pass are rejected.

# Open reference CLI (MIT)
atr migrate --source snort --input ./rules.snort --output ./atr-out
04 · ECOSYSTEM

Already shipping across the major democratic security stacks

Cisco AI Defense
Shipping
PR #99 merged · Full ATR rule pack shipping in skill-scanner (2026-04-22)
Microsoft
PR Merged
agent-governance-toolkit · PR #1277 · 287 rules at time of PR + weekly auto-sync of ATR upstream releases
NVIDIA garak
Integrating
PR #1676 · Full ATR rule pack · Two review rounds passed, awaiting maintainer final review
Gen Digital Sage
Merged
PR #33 merged (2026-05-11) · Full ATR rule pack in the Sage risk-scoring layer under the Norton/Avast/LifeLock parent
IBM
Open PR
mcp-context-forge · ATR plugin for IBM MCP runtime
OWASP
Under Review
LLM Top 10 official project PR · standards-track reference

0 → 642 rules · 2 in production (Microsoft, Cisco) plus Gen Digital Sage (merged) · peer-standard references · 20+ adopters in ADOPTERS.md · MIT licensed · DOI 10.5281/zenodo.19178002

05 · COMMUNITY-GOVERNED

An open standard, governed by its contributors

ATR is not a single lab’s or vendor’s deliverable. Every rule passes through a public, auditable pipeline: pull request → automated safety gate → community review → merge → npm publish. Governance rules are codified in GOVERNANCE.md; every rule carries provenance metadata; any contributor can challenge, correct, or extend the taxonomy.

If this proposal resonates with your organization, there are three levels of participation:

  • Contribute rules: translate AI agent attack samples you've observed into ATR YAML rule PRs
  • Contribute probes: define new attack classes so rule generation can be systematically mapped
  • Contribute validation: test FP/Recall against real attack corpora, surface detection gaps

Open governance is itself a structural requirement for Sovereign AI Defense — attacks are not defined by a single lab, and defense should not be defined by a single vendor.

06 · FIRST REFERENCE

What a first national reference deployment requires

No country will own this standard; the first adopter simply deploys it first — like the first bank to run Linux, or the first government to adopt OpenSSL. These are the conditions that make a democracy a strong candidate to be the first reference deployment.

CONDITION 01
A dense, real nation-state attack environment
Healthcare, telecom, semiconductor supply chains, and government systems are confirmed targets — real attack pressure that validates behavioral rules in production, not only in a lab.
CONDITION 02
Proximity to AI compute and ecosystem
Closeness to large AI infrastructure investment and supply chains, so Sovereign AI and its defense layer can land together inside the same ecosystem.
CONDITION 03
A mature open-governance culture
A democracy with proven experience running open standards × government collaboration is best placed to connect a community-governed standard into the public sector.
CONDITION 04
A short decision chain
A short distance from technical community to executive agencies — a proposal can launch in months rather than years.
07 · OPEN CALL

Who we're looking for

ATR is MIT-licensed. This proposal has no exclusivity. If you believe the Sovereign AI era needs a corresponding open Defense standard, we invite the following groups to make contact:

  • Governments · public sector · national cybersecurity agenciesAny jurisdiction willing to adopt ATR as an AI agent security reference framework, or to provide anonymized attack samples for rule development.
  • Enterprise security teams · CISOsFinance, telecom, healthcare, critical infrastructure — teams that want to deploy ATR into their agent runtime before Mythos-class threats arrive.
  • Research institutions · academic labsGroups working on AI agent attacks, red-teaming, or threat intelligence who want to use ATR as a benchmark or contribute rules.
  • Open-source communities · standards bodiesOpenSSF, OWASP, MITRE, CSA, Linux Foundation, ROOST — any partner willing to help integrate ATR into the existing security standards ecosystem.
  • Security vendors · tool buildersTeams willing to integrate ATR rules into existing products (SIEM, SOC, agent runtime, MCP gateways).
  • Journalists · analysts · policy researchersIf you're reporting on or researching Sovereign AI, agent security, or global AI governance, this proposal is open to citation, scrutiny, and challenge.
SHARE

Help this gap become visible

The distribution of this manifesto directly shortens the timeline to adoption. A share is a vote that this layer should exist.

Share on XShare on LinkedInForward by Email
Adam Lin
ATR Initiator
[email protected]
MIT License · Open Standard
agentthreatrule.org
642 Rules · NIST AI RMF mappings · Spec 3.0.0-alpha.1 (Working Draft)