Authenticated Workflows: A Systems Approach to Protecting Agentic AI

Mohan Rajagopalan, Vinay Rao

TL;DR

The paper addresses the security gaps in enterprise agentic AI by introducing authenticated workflows as a complete trust layer that guards four fundamental boundaries: prompts, tools, data, and context. It combines cryptographic integrity with runtime policy enforcement, delivering deterministic security through independent policy enforcement points and attestations of workflow progress. MAPL provides an AI-native policy language enabling scalable, hierarchical, and attestable policies that reduce policy specification from $O(M \times N)$ to $O(\log M + N)$. A universal security runtime integrates nine heterogeneous frameworks via thin adapters, supported by formal proofs of completeness and soundness and empirical validation showing 100% recall, 0% false positives across 174 test cases, and protection against notable production CVEs. The approach promises practical deployment by bridging enterprise IAM, ensuring boundary-level integrity, and enabling provable, auditable, and scalable agentic AI in production.

Abstract

Agentic AI systems automate enterprise workflows but existing defenses--guardrails, semantic filters--are probabilistic and routinely bypassed. We introduce authenticated workflows, the first complete trust layer for enterprise agentic AI. Security reduces to protecting four fundamental boundaries: prompts, tools, data, and context. We enforce intent (operations satisfy organizational policies) and integrity (operations are cryptographically authentic) at every boundary crossing, combining cryptographic elimination of attack classes with runtime policy enforcement. This delivers deterministic security--operations either carry valid cryptographic proof or are rejected. We introduce MAPL, an AI-native policy language that expresses agentic constraints dynamically as agents evolve and invocation context changes, scaling as $O(\log M + N)$ policies versus $O(M \times N)$ rules through hierarchical composition with cryptographic attestations for workflow dependencies. We prove practicality through a universal security runtime integrating nine leading frameworks (MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, Haystack) through thin adapters requiring zero protocol modifications. Formal proofs establish completeness and soundness. Empirical validation shows 100% recall with zero false positives across 174 test cases, protection against 9 of 10 OWASP Top 10 risks, and complete mitigation of two high-impact production CVEs.
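As an added illustration, not code from the paper or its runtime, the Python below models a policy enforcement point at the agent-to-tool boundary: an invocation is accepted only if it carries a valid signature (integrity) and satisfies the policies composed along the agent's hierarchical path (intent), so a tampered or unsigned call is rejected deterministically. The HMAC scheme, the policy tree, the agent and tool names are constructed assumptions for this example and do not represent MAPL or the paper's verification stages.

```python
import hashlib
import hmac
import json

# Constructed secrets for two registered agents (hypothetical; key management is not on this page).
AGENT_KEYS = {
    "org/finance/invoice-bot": b"constructed-key-1",
    "org/support/helpdesk-bot": b"constructed-key-2",
}

# Hypothetical hierarchical policy: each path prefix carries an allow set and a deny set.
# An invocation is checked along the agent's path (org -> team -> agent), so only the
# policies on that path are consulted instead of one rule per agent x tool pair.
POLICY = {
    "org":                     {"allow": {"crm:read"},       "deny": {"crm:delete"}},
    "org/finance":             {"allow": {"ledger:write"},   "deny": set()},
    "org/finance/invoice-bot": {"allow": {"email:send"},     "deny": {"ledger:write"}},
    "org/support":             {"allow": {"tickets:update"}, "deny": set()},
}

def canonical(inv):
    """Canonical bytes covered by the signature: every field except the signature itself."""
    body = {k: v for k, v in inv.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_invocation(agent, tool, action, args):
    """Agent side: produce a signed invocation for the tool boundary."""
    inv = {"agent": agent, "tool": tool, "action": action, "args": args}
    inv["sig"] = hmac.new(AGENT_KEYS[agent], canonical(inv), hashlib.sha256).hexdigest()
    return inv

def policy_allows(agent, tool, action):
    """Walk the path prefixes; a deny at any level wins, otherwise any level may allow."""
    op = f"{tool}:{action}"
    parts = agent.split("/")
    allowed = False
    for depth in range(1, len(parts) + 1):
        node = POLICY.get("/".join(parts[:depth]), {"allow": set(), "deny": set()})
        if op in node["deny"]:
            return False
        allowed = allowed or op in node["allow"]
    return allowed

def pep_verify(inv):
    """Policy enforcement point: integrity first (signature), then intent (policy)."""
    key = AGENT_KEYS.get(inv.get("agent"))
    if key is None or "sig" not in inv:
        return "reject:unauthenticated"
    expected = hmac.new(key, canonical(inv), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, inv["sig"]):
        return "reject:integrity"
    if not policy_allows(inv["agent"], inv["tool"], inv["action"]):
        return "reject:policy"
    return "allow"
```

The same check can be placed at each of the four boundaries by changing what `canonical` covers; the decision logic (verify proof, then evaluate policy, otherwise reject) stays identical.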

Paper Structure

This paper contains 17 sections, 4 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Agentic workflow showing attack cascade across four boundaries.
  • Figure 2: Registration and invocation flow showing authentication, entity registration, signed invocation, and bidirectional verification.
  • Figure 3: PEP verification flow with three-stage cryptographic verification and optional custom verifiers.
  • Figure 4: Agentic AI Trust Layer.