Cisco releases Foundry security spec

- Cisco published the open Foundry Security Spec on May 12, 2026, adding a public blueprint for building agentic AI security evaluation systems.
- Cisco’s GitHub repository says the spec includes eight core agent roles, five extension roles and roughly 130 functional requirements.
- Cisco’s Model Provenance Kit repository and Foundry spec are publicly available on GitHub under Cisco AI Defense and CiscoDevNet.

Cisco published an open specification this week for securing and evaluating AI agents, extending a broader push by the networking and security company into enterprise AI controls. The release, called the Foundry Security Spec, is framed as a blueprint rather than a finished product: Cisco says companies bring their own models, infrastructure and targets, while the spec defines the system shape, requirements and safety rules.

The move lands as large companies test “agentic” AI systems that can act across tools and data sources, but face pressure to prove where models came from and how those systems are constrained once deployed.

Cisco paired the Foundry release with a separate open-source Model Provenance Kit published in late April. That toolkit is designed to test whether one machine-learning model is derived from another by comparing fingerprints from weights, tokenizers and architecture metadata. Together, the two projects show where Cisco is trying to standardize controls: before deployment, through model lineage checks, and during deployment, through evaluation workflows and runtime guardrails.

### What exactly did Cisco release this week?

Cisco said on May 12 that it was open-sourcing the Foundry Security Spec, which it described as a “battle-tested blueprint” for building an agentic security evaluation system. Omar Santos, a principal engineer at Cisco, wrote in a company blog post that the framework is model-agnostic and stack-agnostic, and is intended to help organizations build their own evaluation harnesses rather than adopt Cisco’s internal code.

The GitHub repository says Foundry is published as a specification and a “constitution.” The specification covers eight core agent roles, five extension roles, a finding lifecycle, a coordination substrate and about 130 functional requirements with inline rationale. The constitution sets out 11 “inviolable principles” that any implementation is supposed to uphold. (blogs.cisco.com)

### How is this different from Cisco shipping a product?

Cisco’s repository says Foundry “is not our code” and calls it an organization-neutral specification distilled from internal security-evaluation systems built by Cisco’s Advanced Security Initiatives Group. The idea is that a company supplies a frontier model and a target to evaluate, then uses the specification as a blueprint for its own implementation. (blogs.cisco.com)

GitHub’s spec-kit is part of the intended workflow. Cisco’s blog says Foundry is meant to be used with GitHub’s spec-kit, which the company describes as an industry-wide set of spec-driven development workflows that can be used with different AI agents.

### Where does model provenance fit into this?

Cisco released the Model Provenance Kit as open source on April 30. (github.com) Ehsan Aghaei, Amy Chang, Ankit Garg and Sanket Mendapara wrote in a Cisco blog post that the toolkit is meant to address a weak point in AI supply-chain security by helping organizations determine where models come from and whether they have been modified. (blogs.cisco.com)

The GitHub repository describes the kit as a Python toolkit and command-line interface for detecting model provenance. It compares models across eight provenance signals and can either run pairwise comparisons or scan a model against a reference database of known base-model fingerprints. Cisco’s blog says the kit examines both metadata and learned parameters to assess whether models share a common origin. (blogs.cisco.com) The post argues that repository documentation can be altered or incomplete, making weight-level and structural checks more useful for downstream users trying to verify lineage, licensing exposure or inherited vulnerabilities. (github.com)

### Why is Cisco tying this to AI agents?

Cisco has spent much of 2026 positioning AI agents as a security and governance problem as much as a productivity tool. In February, the company said AI Defense was adding AI supply-chain governance and runtime protections for agentic tool use. In March, Cisco said it was extending identity, access and runtime controls for what it called the “agentic workforce.” (blogs.cisco.com)

Jeetu Patel, Cisco’s president and chief product officer, said in the March announcement that security teams would be central to making AI agents “safe enough to trust.” That same release said 85% of surveyed enterprise customers were experimenting with AI agents, while 5% had moved the technology into production. (newsroom.cisco.com)

### What should developers and security teams watch next?

Cisco’s public repositories indicate both projects are meant to evolve in the open. The Foundry repository includes changelogs, maintainers and supporting documents alongside the core spec and constitution, while the Model Provenance Kit repository shows active commits and documentation updates in May. (newsroom.cisco.com)

The next concrete step is adoption by teams building internal agent-evaluation systems. Cisco has already published the Foundry Security Spec under CiscoDevNet and the Model Provenance Kit under its AI Defense organization on GitHub, where developers can review requirements, test the CLI and track subsequent revisions. (github.com)
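A minimal sketch of the signal-by-signal lineage comparison the provenance section above describes (pairwise mode and scan-against-reference mode), added here as an illustration; it is not code from Cisco's Model Provenance Kit, and the three signals, their equal weighting, the 0.8 threshold and the toy models are all assumptions.

```python
import hashlib
import json
import math
import random

def arch_fingerprint(meta):
    """Hash of architecture metadata (layer count, hidden size, ...)."""
    return hashlib.sha256(json.dumps(meta, sort_keys=True).encode()).hexdigest()

def tokenizer_overlap(vocab_a, vocab_b):
    """Jaccard similarity of two tokenizer vocabularies."""
    a, b = set(vocab_a), set(vocab_b)
    return len(a & b) / len(a | b) if a | b else 0.0

def weight_correlation(w_a, w_b):
    """Pearson correlation of two flattened weight tensors; 0.0 if shapes differ."""
    if len(w_a) != len(w_b):
        return 0.0
    ma, mb = sum(w_a) / len(w_a), sum(w_b) / len(w_b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(w_a, w_b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in w_a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in w_b))
    return cov / (sa * sb) if sa and sb else 0.0

def compare(model_a, model_b):
    """Pairwise mode: per-signal scores in [0, 1] and their mean (assumed weighting)."""
    signals = {
        "architecture": float(arch_fingerprint(model_a["meta"]) == arch_fingerprint(model_b["meta"])),
        "tokenizer": tokenizer_overlap(model_a["vocab"], model_b["vocab"]),
        "weights": max(0.0, weight_correlation(model_a["weights"], model_b["weights"])),
    }
    return signals, sum(signals.values()) / len(signals)

def scan_against_reference(model, reference_db, threshold=0.8):
    """Scan mode: name of the best-matching known base model, or None below threshold."""
    scored = {name: compare(model, base)[1] for name, base in reference_db.items()}
    best = max(scored, key=scored.get)
    return best if scored[best] >= threshold else None

# Constructed toy "models": a base, a lightly fine-tuned derivative, an unrelated model.
rng = random.Random(7)
BASE = {"meta": {"layers": 2, "hidden": 8}, "vocab": [f"tok{i}" for i in range(100)],
        "weights": [rng.gauss(0, 1) for _ in range(64)]}
FINETUNED = {**BASE, "weights": [w + rng.gauss(0, 0.05) for w in BASE["weights"]]}
UNRELATED = {"meta": {"layers": 4, "hidden": 16}, "vocab": [f"w{i}" for i in range(120)],
             "weights": [rng.gauss(0, 1) for _ in range(256)]}
REFERENCE_DB = {"base-v1": BASE}
```

The point the blog post makes carries over: the fine-tuned derivative still matches the base on architecture, tokenizer and weight correlation even though nothing in its metadata says so, while the unrelated model scores zero on every signal.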
