# QSAF: Qorvex Security AI Framework > A comprehensive AI security framework featuring 63 controls across 9 domains — covering prompt injection, role manipulation, plugin abuse, output risk, behavioral anomaly detection, payload integrity, RAG monitoring, data governance, and cross-environment defense. - Author: Hazem Ali - Published: 2026-02-15 - Reading Time: 20 min read - Tags: AI Security, LLM, Framework, QSAF, Prompt Injection, RAG, Data Governance, Cybersecurity - URL: https://drhazemali.com/blog/qsaf-qorvex-security-ai-framework - Source: https://drhazemali.com --- **Authors:** [Hammad A.](https://www.linkedin.com/in/ACoAAAXxehwBKIx99wbwTikXEjLGWGwqbpEkmYc), [Ken Huang](https://www.linkedin.com/in/kenhuang8) **Co-Authors:** Dr. [Yasir Mehmood](https://www.linkedin.com/in/dr-yasir-mehmood), Dr. [Muhammad Zeeshan Baig](https://www.linkedin.com/in/ACoAAAfrSvUBFPgqe1Mgo2dPJkU-5OtDfIXJJaI), Dr. [Muhammad Aatif](https://www.linkedin.com/in/ACoAAAvJsTsBuNz02URlHpUxkpw_RsOLMRa2GmU), Dr. [Muhammad Aziz Ul Haq](https://www.linkedin.com/in/ACoAAA0HA8oBP3rEr1b-UJMjwq4LssBL1ZiKcfM), [Kamal Noor](https://www.linkedin.com/in/ACoAAAPLZYwB1rlF7MnQncK1jwKcRoYisADZDgU), [Hazem Ali](https://www.linkedin.com/in/drhazemali), [Nadeem Shahzad](https://www.linkedin.com/in/ACoAABHZ9v8BsENxoYBJ3NWgX_2VTLCyhY2e2NM), Jamel Abed --- ## What is QSAF? The **Qorvex Security AI Framework (QSAF)** is a comprehensive security control framework designed to protect AI systems — particularly those powered by Large Language Models (LLMs) — against emerging threats such as prompt injection, role manipulation, plugin abuse, and data leakage. QSAF introduces **63 controls** across **9 domains**, categorized into three enforcement types: - **37 Auditable** — Designed for compliance verification and forensic review - **22 Real-Time Agent-Based** — Enforced dynamically during inference via intelligent agents - **4 Hybrid** — Combining both auditable and real-time characteristics --- ## The 9 Domains 1. Prompt Injection Protection 2. Role & Context Manipulation 3. Plugin Abuse Monitoring 4. Output Risk & Response Control 5. Behavioral Anomaly Detection 6. Payload Integrity & Signing 7. Source Attribution & RAG Monitoring 8. Data Governance & Retention 9. Cross-Environment Defense ![QSAF Framework Overview](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14ecc97e-8b30-4667-99cd-19c62ad8ca50_1182x637.png) --- ## Domain 1: Prompt Injection Protection This domain addresses the growing threat of prompt injection attacks — where adversarial inputs manipulate LLM behavior. Controls range from static pattern matching to dynamic LLM-based analysis. - **QSAF-PI-001**: Static pattern blacklist detection (Auditable) — Detects known injection patterns using static blacklists. - **QSAF-PI-002**: Dynamic LLM prompt analysis (Real-Time) — Uses a secondary LLM to analyze prompts for injection attempts. - **QSAF-PI-003**: Input tokenization anomaly detection (Real-Time) — Identifies unusual tokenization patterns in inputs. - **QSAF-PI-004**: Prompt boundary enforcement (Auditable) — Enforces boundaries to prevent prompt leakage. - **QSAF-PI-005**: Injection risk scoring engine (Auditable) — Scores prompts for injection risk. - **QSAF-PI-006**: Recursive prompt unrolling (Auditable) — Unrolls recursive prompts to detect nested injections. - **QSAF-PI-007**: Prompt injection simulation (red-team) logging (Auditable) — Logs red-team simulation results for prompt injection. ![Domain 1 — Prompt Injection Protection Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50e7c312-918d-4d09-ac32-b4ec1b5ad17b_640x410.png) --- ## Domain 2: Role & Context Manipulation This domain protects against attempts to manipulate the AI's role or context. Controls include enforcement of system prompts, context window monitoring, and identity verification. - **QSAF-RC-001**: System prompt override detection (Real-Time) — Detects attempts to override system prompts. - **QSAF-RC-002**: Role boundary enforcement (Auditable) — Enforces defined role boundaries. - **QSAF-RC-003**: Context window integrity monitor (Real-Time) — Monitors context window integrity for tampering. - **QSAF-RC-004**: Identity assertion for LLM personas (Auditable) — Asserts identity for LLM-based personas. - **QSAF-RC-005**: Multi-turn context drift scoring (Auditable) — Scores context drift across multi-turn conversations. - **QSAF-RC-006**: System prompt versioning & audit log (Auditable) — Versions and audits system prompt changes. - **QSAF-RC-007**: Context reset trigger & session isolation (Real-Time) — Triggers context resets and isolates sessions. ![Domain 2 — Role & Context Manipulation Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1251b8b8-82c1-4f23-b48d-cc781dfb73bc_598x406.png) --- ## Domain 3: Plugin Abuse Monitoring This domain monitors third-party plugin interactions for abuse. Controls include permission auditing, execution sandboxing, and data exfiltration detection. - **QSAF-PA-001**: Plugin permission audit trail (Auditable) — Logs plugin permission changes for auditing. - **QSAF-PA-002**: Plugin execution sandboxing (Real-Time) — Sandboxes plugin execution to prevent abuse. - **QSAF-PA-003**: Input/output schema validation for plugins (Auditable) — Validates plugin input/output schemas. - **QSAF-PA-004**: Data exfiltration via plugin detection (Real-Time) — Detects data exfiltration through plugins. - **QSAF-PA-005**: Plugin rate limiter (Real-Time) — Rate-limits plugin calls to prevent abuse. - **QSAF-PA-006**: Unauthorized plugin call logging (Auditable) — Logs unauthorized plugin call attempts. - **QSAF-PA-007**: Plugin trust score (Auditable) — Assigns trust scores to plugins based on behavior history. ![Domain 3 — Plugin Abuse Monitoring Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d627c6d-a71a-41fe-8bda-104b227e9461_617x472.png) --- ## Domain 4: Output Risk & Response Control This domain manages the risk associated with AI-generated outputs. Controls include content filtering, hallucination detection, watermarking, and sensitivity scoring. - **QSAF-OR-001**: Content filter for jailbreak or illegal content (Real-Time) — Filters out jailbreak attempts or illegal content in responses. - **QSAF-OR-002**: Flag hallucinated facts in responses (Real-Time) — Identifies potentially inaccurate or fabricated facts. - **QSAF-OR-003**: Token-based watermarking for response traceability (Auditable) — Embeds traceable watermarks in AI responses. - **QSAF-OR-004**: Sensitivity scoring of LLM responses (Real-Time) — Assigns sensitivity scores to responses based on content. - **QSAF-OR-005**: Block or reroute risky content (Real-Time) — Blocks or redirects high-risk responses to moderators. - **QSAF-OR-006**: Prompt-response correlation analysis (Hybrid) — Analyzes correlation between prompts and responses for consistency. - **QSAF-OR-007**: Tone and sentiment deviation tracking (Real-Time) — Monitors deviations in response tone and sentiment. ![Domain 4 — Output Risk & Response Control](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb00ad38b-2fca-4a10-94ee-c742eb1e862e_648x473.png) --- ## Domain 5: Behavioral Anomaly Detection This domain detects anomalous user or system behavior. All controls are real-time, leveraging agent-based monitoring for immediate response. - **QSAF-BA-001**: Session entropy score (Real-Time) — Measures session entropy to detect irregular behavior. - **QSAF-BA-002**: Prompt embedding drift detector (Real-Time) — Tracks drift in prompt embeddings to identify anomalies. - **QSAF-BA-003**: Response volatility monitor (Real-Time) — Monitors volatility in AI responses for unexpected changes. - **QSAF-BA-004**: Repeated intent mutation heuristic (Real-Time) — Detects repeated attempts to alter intent maliciously. - **QSAF-BA-005**: Time-based usage anomalies (Real-Time) — Identifies unusual usage patterns based on time. - **QSAF-BA-006**: Plugin execution pattern deviance (Real-Time) — Detects deviations in plugin execution patterns. - **QSAF-BA-007**: Unified behavioral risk score (Real-Time) — Aggregates behavioral metrics into a unified risk score. ![Domain 5 — Behavioral Anomaly Detection Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49bd2dcc-86aa-4b1b-96ba-e840faf1fa1f_613x456.png) --- ## Domain 6: Payload Integrity and Signing This domain ensures the integrity of prompts and responses through cryptographic measures. All controls are auditable to support compliance verification, except for one hybrid control. - **QSAF-PY-001**: Prompt hash signing (Auditable) — Signs prompts with cryptographic hashes for integrity. - **QSAF-PY-002**: Response payload signing (Auditable) — Signs AI responses to ensure authenticity. - **QSAF-PY-003**: Plugin request signature enforcement (Auditable) — Enforces signatures on plugin requests. - **QSAF-PY-004**: Signature verification middleware (Auditable) — Verifies signatures through middleware before processing. - **QSAF-PY-005**: Nonce/replay token control (Auditable) — Uses nonces to prevent replay attacks. - **QSAF-PY-006**: Hash chain lineage (Auditable) — Maintains a hash chain for tracking payload lineage. - **QSAF-PY-007**: Invalid signature escalation (Hybrid) — Escalates invalid signatures for review and action. ![Domain 6 — Payload Integrity & Signing Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e6a176c-e481-4980-aeec-257f7ecb74a7_598x516.png) --- ## Domain 7: Source Attribution & RAG Monitoring This domain ensures accurate source attribution in Retrieval-Augmented Generation (RAG) systems. Controls are a mix of auditable and real-time mechanisms. - **QSAF-SA-001**: Track document source in RAG systems (Auditable) — Logs document sources used in RAG responses. - **QSAF-SA-002**: Compare LLM response to top-K retrieved docs (Real-Time) — Verifies response alignment with retrieved documents. - **QSAF-SA-003**: Calculate hallucination likelihood score (Real-Time) — Scores responses for potential hallucinations. - **QSAF-SA-004**: Flag mismatch between retrieval and output (Real-Time) — Flags discrepancies between retrieved data and outputs. - **QSAF-SA-005**: Log and alert for non-attributable responses (Auditable) — Logs and alerts on responses lacking attribution. - **QSAF-SA-006**: Embed source trust rating into response (Auditable) — Embeds trust ratings for sources in responses. - **QSAF-SA-007**: Auto-disable RAG pipeline upon anomaly (Real-Time) — Disables RAG pipeline when anomalies are detected. ![Domain 7 — Source Attribution & RAG Monitoring Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc939c27d-0bb0-4304-bda0-7ccf1a60f323_598x476.png) --- ## Domain 8: Data Governance & Retention This domain enforces data governance and retention policies. All controls are auditable to ensure compliance with regulations like GDPR. - **QSAF-DG-001**: Prompt & response TTL policies (Auditable) — Enforces time-to-live policies for prompts and responses. - **QSAF-DG-002**: Embedding store expiry rules (Auditable) — Sets expiry rules for stored embeddings. - **QSAF-DG-003**: Data classification tagging (Auditable) — Tags data based on sensitivity classifications. - **QSAF-DG-004**: Log retention governance (Auditable) — Governs retention periods for system logs. - **QSAF-DG-005**: Right-to-erase (GDPR) compliance (Auditable) — Ensures compliance with GDPR right-to-erase requests. - **QSAF-DG-006**: Retention-aware monitoring (Auditable) — Monitors data retention compliance. - **QSAF-DG-007**: Sensitive data auto-deletion (Auditable) — Automatically deletes sensitive data per policy. ![Domain 8 — Data Governance & Retention Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fecdfff2e-3f07-43a2-b46e-5da2debc03c1_624x406.png) --- ## Domain 9: Cross-Environment Defense This domain secures AI systems across multiple environments. Controls are primarily auditable, with some real-time components for dynamic defense. - **QSAF-CE-001**: Federated agent sync (Auditable) — Synchronizes agents across federated environments. - **QSAF-CE-002**: Tenant-aware log routing (Auditable) — Routes logs based on tenant-specific policies. - **QSAF-CE-003**: Isolated risk scoring per tenant (Auditable) — Calculates risk scores isolated by tenant. - **QSAF-CE-004**: Cross-node signature validation (Auditable) — Validates signatures across distributed nodes. - **QSAF-CE-005**: Shadow agent heartbeat detection (Real-Time) — Detects shadow agent activity via heartbeats. - **QSAF-CE-006**: Coordinated alert response (Hybrid) — Coordinates alert responses across environments. - **QSAF-CE-007**: Multi-cloud policy synchronization (Auditable) — Synchronizes security policies across cloud platforms. ![Domain 9 — Cross-Environment Defense Controls](https://substackcdn.com/image/fetch/w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e13e1e9-5ba4-44b6-9934-a559327bbe01_624x471.png) --- ## Relative Research > **QSAF: A Novel Mitigation Framework for Cognitive Degradation in Agentic AI** > Hammad Atta, Muhammad Zeeshan Baig, Yasir Mehmood, Nadeem Shahzad, Ken Huang, Muhammad Aziz Ul Haq, Muhammad Awais, Kamal Ahmed — *arXiv* > > This paper introduces **Cognitive Degradation** as a novel vulnerability class in agentic AI systems. Unlike traditional adversarial external threats such as prompt injection, these failures originate internally — arising from memory starvation, planner recursion, context flooding, and output suppression. These systemic weaknesses lead to silent agent drift, logic collapse, and persistent hallucinations over time. > > To address this class of failures, the authors introduce the **Qorvex Security AI Framework for Behavioral & Cognitive Resilience (QSAF Domain 10)**, a lifecycle-aware defense framework defined by a six-stage cognitive degradation lifecycle. The framework includes seven runtime controls (**QSAF-BC-001** to **BC-007**) that monitor agent subsystems in real time and trigger proactive mitigation through fallback routing, starvation detection, and memory integrity enforcement. > > Drawing from cognitive neuroscience, the paper maps agentic architectures to human analogs, enabling early detection of fatigue, starvation, and role collapse — establishing Cognitive Degradation as a critical new class of AI system vulnerability. > > [Read the full paper](https://arxiv.org/abs/2507.15330)