diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000000..544491c0e3 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,17 @@ +# Agent guidance + +This file is read by automated agents (security scanners, code +analyzers, AI assistants) operating on this repository. It +points them at the human-authored references they should +consult before producing output. + +## Security + +Security model: [SECURITY.md](./SECURITY.md), which links to +the canonical model document at +. + +Agents that scan this repository should consult the linked +security model for the project's threat model, in-scope / +out-of-scope declarations, and known non-findings before +reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..0be9170af5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,14 @@ +# Security + +Apache Shiro's security model and disclosure process are +published on the project website rather than in the repository: + +- **Threat and security model**: + +- **Security policy, vulnerability reporting, past advisories and CVEs**: + + +The project website is the authoritative source; this file +exists so agents and tooling that look for `SECURITY.md` in +the repository can mechanically follow the link to the +canonical documents. diff --git a/pom.xml b/pom.xml index 66792eaa19..e4fc6008f9 100644 --- a/pom.xml +++ b/pom.xml @@ -359,6 +359,8 @@ velocity.log CONTRIBUTING.md + AGENTS.md + SECURITY.md **/README.md **/*.json **/spring.factories @@ -1595,6 +1597,8 @@ velocity.log CONTRIBUTING.md + AGENTS.md + SECURITY.md **/README.md **/*.json **/spring.factories
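Review bot: In the AGENTS.md hunk the sentence "which links to the canonical model document at ." has no visible URL between "at" and the full stop, so the link target either was dropped from the patch or is an angle-bracket autolink that this view strips. Please confirm the line in the committed file actually contains the URL (and that it matches the one in SECURITY.md), otherwise agents following AGENTS.md reach a dead reference.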
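Review bot: In the SECURITY.md hunk both bullets, "**Threat and security model**:" and "**Security policy, vulnerability reporting, past advisories and CVEs**:", end with no visible link target, which defeats the file's stated purpose of letting tooling "mechanically follow the link to the canonical documents". Verify the URLs are present in the committed file; if they are autolinks, consider writing them as explicit `[text](url)` links so they survive rendering and parsing by non-markdown tools.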
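Review bot: In the first pom.xml hunk (around line 359) `AGENTS.md` and `SECURITY.md` are added to the same exclusion list that already holds `CONTRIBUTING.md` and `**/README.md`, so whatever check that list feeds (it reads like a license-header or file-audit exclude list) will now skip these two files as well. Confirm that is intended rather than adding the standard ASF header to the new markdown files, which would avoid widening the exclusions.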
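Review bot: The second pom.xml hunk (around line 1597) adds the identical two entries to a second copy of the same list, which shows the exclusion list is maintained in two places and must be edited twice on every change. Consider pulling the shared entries into a single property or plugin-management block so future additions cannot drift between the two copies.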