Orchestration / Orchestrator

Orchestrator

The agent’s brain: it plans, decomposes tasks, and chains calls to the model and to tools.

Plane
Orchestration
Flow steps
6 · 7
Frameworks
NIST 800-53 · OWASP LLM06 · NIST AI 600-1 · MITRE ATLAS

Technology

Why use it

Coordinate the agent’s reasoning and tool use while keeping control of the execution plan.

Why it matters to security

Concentrates least privilege and least agency: this is where you bound what an agent can chain.

Implementations: LangGraph · Semantic Kernel · CrewAI · AutoGen

An unbounded autonomous agent is a vulnerability that runs itself.

Recommendations by maturity tier

Each recommendation is followed by its control references and a one-line rationale.

Foundation

Minimum viable baseline
  • Explicit, traced execution plan.
    NIST 800-53 AU-2 · OWASP LLM06:2025
    An observable plan lets you understand and audit what the agent did.
  • Allow-listed tools.
    NIST 800-53 AC-3 · AC-6
    The agent can only call explicitly authorized tools.
  • Iteration and loop limits.
    NIST 800-53 SC-5 · OWASP LLM10:2025
    A loop cap prevents runaway behavior and uncontrolled consumption.
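The three Foundation controls are easiest to reason about when they live in one place: the loop that drives the agent. The Python below is an added example, not code from this page or from any of the frameworks listed above. It shows an orchestrator loop that refuses tools outside an allow-list before they run, halts at a hard iteration cap, and writes every decision (including refusals and the halt itself) to an append-only trace. The tool names, the scripted stand-in for the model and the trace format are this example's own assumptions.

```python
"""Added example: a minimal orchestrator loop enforcing the Foundation controls.
- explicit, traced execution plan  (every step is appended to `trace`)
- allow-listed tools               (anything not in `allowed_tools` is refused)
- iteration / loop limits          (`max_iterations` is a hard cap)
Tool names, the scripted planner and the trace format are assumptions of this
example, not part of any real framework."""
from dataclasses import dataclass, field


class OrchestrationError(Exception):
    """Raised when a step violates one of the orchestrator's guardrails."""


@dataclass
class Orchestrator:
    allowed_tools: dict                          # tool name -> callable
    max_iterations: int = 8                      # hard cap on planner round-trips
    trace: list = field(default_factory=list)    # append-only audit record

    def _record(self, **event):
        self.trace.append(event)

    def run(self, planner, goal):
        """planner(goal, history) returns {"tool": name, "args": {...}} or {"final": text}.
        `history` is the trace so far, so the planner sees what it already did."""
        for step in range(1, self.max_iterations + 1):
            decision = planner(goal, list(self.trace))
            if "final" in decision:
                self._record(step=step, action="final", output=decision["final"])
                return decision["final"]
            name = decision.get("tool")
            args = decision.get("args", {})
            # The allow-list check runs before anything executes: a refused call is
            # still written to the trace (auditable) but the tool is never invoked.
            if name not in self.allowed_tools:
                self._record(step=step, action="refused", tool=name, args=args)
                raise OrchestrationError(f"tool {name!r} not on allow-list")
            result = self.allowed_tools[name](**args)
            self._record(step=step, action="call", tool=name, args=args, result=result)
        # Falling out of the loop means the planner never produced a final answer.
        self._record(step=self.max_iterations, action="halted", reason="iteration cap")
        raise OrchestrationError(f"iteration cap {self.max_iterations} reached")


# --- constructed sample tool and planner (stand-ins for real tools and an LLM) ---
def lookup_order(order_id):
    return {"order_id": order_id, "status": "shipped"}


def scripted_planner(script):
    """Replays a fixed list of decisions, indexed by how many steps already ran."""
    def planner(goal, history):
        return script[min(len(history), len(script) - 1)]
    return planner


def demo_happy_path():
    orch = Orchestrator(allowed_tools={"lookup_order": lookup_order}, max_iterations=4)
    plan = [{"tool": "lookup_order", "args": {"order_id": "A-100"}},
            {"final": "Order A-100 has shipped."}]
    out = orch.run(scripted_planner(plan), "where is my order?")
    return out, orch.trace


def demo_refused_tool():
    orch = Orchestrator(allowed_tools={"lookup_order": lookup_order})
    plan = [{"tool": "delete_account", "args": {"user": "alice"}}]   # not allow-listed
    try:
        orch.run(scripted_planner(plan), "close my account")
    except OrchestrationError as e:
        return str(e), orch.trace
    return None, orch.trace


def demo_loop_cap():
    orch = Orchestrator(allowed_tools={"lookup_order": lookup_order}, max_iterations=3)
    plan = [{"tool": "lookup_order", "args": {"order_id": "A-100"}}]  # never finishes
    try:
        orch.run(scripted_planner(plan), "loop forever")
    except OrchestrationError as e:
        return str(e), len(orch.trace)
    return None, len(orch.trace)


if __name__ == "__main__":
    print(demo_happy_path())
    print(demo_refused_tool())
    print(demo_loop_cap())
```

The refusal and the halt are raised as exceptions rather than returned to the planner on purpose: a model that is told "that tool is forbidden" will often just try a synonym, whereas an exception hands control back to the surrounding application, which can decide whether to escalate to a human.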

Enterprise

Enterprise standard
  • Least agency per step (minimal scope).
    NIST 800-53 AC-6 · OWASP LLM06:2025
    Each step gets only the rights it needs, not those of the whole plan.
  • Data / instruction separation in context.
    NIST 800-53 AC-4 · OWASP LLM01:2025
    Stops retrieved data from hijacking the agent’s plan.
  • Tool decision delegated to the PDP.
    NIST 800-53 AC-24
    “Can this agent call this tool now” becomes a policy decision.

Advanced

High-assurance / regulated
  • Plans constrained by a dynamic allow-list.
    NIST 800-53 AC-4
    Permitted chains vary with context and risk.
  • Behavior-drift detection.
    NIST 800-53 SI-4
    An agent that strays from its usual pattern is flagged.
  • Emergency stop (kill switch).
    NIST 800-53 AC-12
    A misbehaving agent can be halted instantly.

Architecture notes

  • Bound what the agent can chain, not only what it can call.
    Danger arises from the composition of actions.
    Two harmless tools (read a file, send an email) become exfiltration once chained.
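The Enterprise items "least agency per step" and "tool decision delegated to the PDP", together with the architecture note above, describe one mechanism: a decision point that judges a proposed tool call against what the agent has already done in this plan, not just against a static list. The Python below is an added example, not code from this page or from any policy engine it names. Each tool declares which data labels it pulls into context and whether its output leaves the trust boundary; the decision function denies any egress tool once a confidential label is in context, and denies any tool outside the current step's scope. The tool catalog, the labels and the policy rule are this example's own assumptions.

```python
"""Added example: a tiny policy decision point (PDP) for orchestrator tool calls.
It answers "may this tool run *after what already ran*?", so that two harmless
tools (read a file, send an email) cannot be composed into exfiltration.
The tool catalog, label names and rules below are assumptions of this example."""
from dataclasses import dataclass

# Each tool declares what it touches. "reads" labels flow into the agent's
# context; "egress" means output leaves the trust boundary (mail, HTTP, chat).
TOOL_CATALOG = {
    "read_file":   {"reads": {"internal_file"}, "egress": False},
    "search_docs": {"reads": {"public_docs"},   "egress": False},
    "summarize":   {"reads": set(),             "egress": False},
    "send_email":  {"reads": set(),             "egress": True},
}

# Labels that must never reach an egress tool within the same plan.
CONFIDENTIAL = {"internal_file"}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def context_labels(history):
    """Union of labels the agent has pulled into context so far (a taint set)."""
    labels = set()
    for tool in history:
        labels |= TOOL_CATALOG.get(tool, {}).get("reads", set())
    return labels


def decide(history, proposed, step_scope):
    """PDP entry point.
    history    : tool names already executed in this plan, in order
    proposed   : tool the planner wants to call next
    step_scope : tools this plan step is permitted to use (least agency per step)
    """
    if proposed not in TOOL_CATALOG:
        return Decision(False, f"unknown tool {proposed!r}")
    if proposed not in step_scope:
        return Decision(False, f"{proposed!r} outside scope of this step")
    tainted = context_labels(history) & CONFIDENTIAL
    if TOOL_CATALOG[proposed]["egress"] and tainted:
        return Decision(False, f"egress via {proposed!r} after reading {sorted(tainted)}")
    return Decision(True, "permitted")


def evaluate_plan(plan, step_scopes):
    """Walk a proposed chain step by step; stop at the first denial.
    Returns the steps that were permitted and the final decision."""
    history = []
    for tool, scope in zip(plan, step_scopes):
        d = decide(history, tool, scope)
        if not d.allow:
            return history, d
        history.append(tool)
    return history, Decision(True, "plan completed")


# --- constructed sample plans ---
def demo_exfil_chain():
    # Each step is individually in scope; the composition is the problem.
    plan = ["read_file", "summarize", "send_email"]
    scopes = [{"read_file"}, {"summarize"}, {"send_email"}]
    return evaluate_plan(plan, scopes)


def demo_benign_chain():
    # Same shape, but the data came from a public source: egress is fine.
    plan = ["search_docs", "summarize", "send_email"]
    scopes = [{"search_docs"}, {"summarize"}, {"send_email"}]
    return evaluate_plan(plan, scopes)


def demo_out_of_scope():
    # Step 2 was only granted "summarize"; the planner tries to mail instead.
    plan = ["read_file", "send_email"]
    scopes = [{"read_file"}, {"summarize"}]
    return evaluate_plan(plan, scopes)


if __name__ == "__main__":
    for demo in (demo_exfil_chain, demo_benign_chain, demo_out_of_scope):
        print(demo.__name__, demo())
```

Note that `send_email` is allowed in the second plan and denied in the first with identical scopes: the decision depends on the label set already in context, which is exactly the "bound what it can chain" point. In a real deployment the catalog and `CONFIDENTIAL` would be served by a policy engine (the PDP) and the orchestrator would only act as the enforcement point that calls `decide` before every tool invocation.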

References

NIST SP 800-53 Rev5
AC-3, AC-4 (Information Flow), AC-6 (Least Privilege), AC-24, SC-5, AC-12.
OWASP LLM06:2025
Excessive Agency — the orchestrator is its central control point.
NIST AI 600-1
GV-3.2 — oversight of human-AI configurations.

Abbreviations

PDP
Policy Decision Point
PEP
Policy Enforcement Point
PIP
Policy Information Point
PAP
Policy Administration Point
IdP
Identity Provider
TSS
Token Service
NHI
Non-Human Identity
RBAC
Role-Based Access Control
ABAC
Attribute-Based Access Control
MFA
Multi-Factor Authentication
HITL
Human-in-the-loop
JIT
Just-In-Time
CAE
Continuous Access Evaluation
CAEP
Continuous Access Evaluation Profile
DPoP
Demonstrating Proof-of-Possession
mTLS
mutual TLS
PII
Personally Identifiable Information
KMS
Key Management Service
CI/CD
Continuous Integration / Continuous Delivery
SIEM
Security Information and Event Management
SOAR
Security Orchestration, Automation and Response
SCIM
System for Cross-domain Identity Management
XACML
eXtensible Access Control Markup Language
OPA
Open Policy Agent
OWASP
Open Worldwide Application Security Project
NIST
National Institute of Standards and Technology
ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM
Large Language Model
WAF
Web Application Firewall
CDN
Content Delivery Network
DDoS
Distributed Denial of Service
DLP
Data Loss Prevention
JWT
JSON Web Token
API
Application Programming Interface
CRS
Core Rule Set (OWASP)
RAG
Retrieval-Augmented Generation
MCP
Model Context Protocol
PBAC
Permission-Based Access Control
HSM
Hardware Security Module
UEBA
User and Entity Behavior Analytics
SBOM
Software Bill of Materials
SLSA
Supply-chain Levels for Software Artifacts
WORM
Write Once, Read Many
SPIFFE
Secure Production Identity Framework For Everyone