SECURITY-AS-CODE APPROACH FOR AUTOMATING PCI DSS COMPLIANCE USING AUTONOMOUS AGENTS BASED ON LARGE LANGUAGE MODELS
DOI:
https://doi.org/10.28925/2663-4023.2026.32.1187
Keywords:
PCI DSS; Security-as-Code; Policy-as-Code; Compliance-as-Code; autonomous agents; large language models; DevSecOps; admission control; continuous compliance.
Abstract
This paper investigates the Security-as-Code approach for automating PCI DSS compliance in cloud-native environments using autonomous agents based on large language models. Based on an analysis of PCI DSS v4.0.1, which defines twelve principal requirements and emphasizes continuous assessment, evidence-based validation of controls, and proper scoping, a reference architecture is proposed that integrates declarative security policies, preventive configuration enforcement mechanisms, and runtime behavioral monitoring. The study formalizes a mechanism for transforming regulatory requirements into machine-verifiable policies through the use of control specifications (ControlSpec), a structured knowledge base, and a Retrieval-Augmented Generation approach, ensuring policy provenance and reducing the risk of incorrect generation. A model of autonomous agents is proposed to perform functions including requirements-to-policy transformation, configuration drift analysis, evidence collection and normalization, and the generation of remediation recommendations using controlled change mechanisms. Metrics for evaluating continuous compliance are defined, including control coverage, drift detection latency, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), completeness of evidence, and detection accuracy. An experimental validation plan is proposed using a test environment that simulates a Cardholder Data Environment. Particular attention is given to the analysis of risks associated with autonomous agents, including model hallucinations, prompt injection attacks, sensitive data leakage, and excessive tool privileges. Mitigation measures are defined, including deterministic policy enforcement, tool isolation, agent action logging, and the use of a human-in-the-loop approach for critical operations. The proposed approach enables continuous, verifiable, and scalable PCI DSS compliance in cloud-native environments.
License
Copyright (c) 2026 Олександр Валуха, Дмитро Марчук

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.