Authenticated Workflows: A Systems Approach to Protecting Agentic AI
Agentic AI systems automate enterprise workflows, but existing defenses (guardrails, semantic filters) are probabilistic and routinely bypassed. We introduce authenticated workflows, the first complete trust layer for enterprise agentic AI. Security reduces to protecting four fundamental boundaries: prompts, tools, data, and context. We enforce intent (operations satisfy organizational policies) and integrity (operations are cryptographically authentic) at every boundary crossing, combining cryptographic elimination of attack classes with runtime policy enforcement. This delivers deterministic security: operations either carry valid cryptographic proof or are rejected. We introduce MAPL, an AI-native policy language that expresses agentic constraints dynamically as agents evolve and invocation context changes, scaling as O(log M + N) policies versus O(M × N) rules through hierarchical composition with cryptographic attestations for workflow dependencies. We prove practicality through a universal security runtime integrating nine leading frameworks (MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, Haystack) through thin adapters requiring zero protocol modifications. Formal proofs establish completeness and soundness. Empirical validation shows 100% recall with zero false positives across 174 test cases, protection against 9 of 10 OWASP Top 10 risks, and complete mitigation of two high-impact production CVEs.
💡 Research Summary
The paper tackles a pressing problem in enterprise AI: agentic large‑language‑model (LLM) systems are increasingly used to automate complex workflows such as financial processing, patient‑record handling, and infrastructure management. Existing defenses—guardrails, semantic filters, prompt‑injection detectors—are fundamentally probabilistic. They rely on pattern matching or heuristic models, which attackers can evade by encoding malicious instructions, using multi‑turn context manipulation, or exploiting subtle data‑injection pathways. Consequently, enterprises face low recall and high false‑positive rates, making large‑scale deployment risky.
The authors propose Authenticated Workflows, a protocol‑level trust layer that reduces the security problem to protecting four immutable boundaries that every agentic interaction must cross: (1) Prompts (user or system instructions entering the LLM), (2) Tools (function calls, filesystem access, API invocations), (3) Data (external corpora, vector stores, web‑scraped content), and (4) Context (the conversational state that persists across turns). At each crossing the system enforces two orthogonal properties:
- Intent – the operation must satisfy organizational policy.
- Integrity – the operation must be cryptographically authentic (signed, untampered).
By requiring a valid cryptographic proof for every request, the system guarantees deterministic security: an operation either carries a verifiable signature that satisfies all relevant policies, or it is rejected before execution. This eliminates entire classes of attacks (identity spoofing, replay, policy substitution) because breaking the system would require breaking the underlying cryptographic primitives.
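As an added illustration of the "valid proof or reject" rule at a single boundary, the following Python is not the paper's code. It uses an HMAC-SHA256 tag as a stand-in for the paper's signatures, and the envelope layout, key table, policy identifiers and principal names are assumptions made for this example. Two details matter for the attack classes listed above: the policy identifier is covered by the tag, so a policy cannot be substituted after signing, and a nonce plus timestamp are covered as well, because a signature on its own does not stop a captured request from being replayed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key table (principal -> signing key). A real deployment would
# provision per-principal keys from the trusted control plane.
AGENT_KEYS = {"agent:payments-bot": b"demo-key-do-not-use"}
MAX_SKEW_SECONDS = 30


def canonical(envelope):
    """Deterministic byte encoding of every field except the tag itself."""
    body = {k: v for k, v in envelope.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(principal, boundary, operation, params, policy_id, key, now=None):
    """Build a boundary-crossing request whose policy binding, parameters,
    nonce and timestamp are all covered by the authentication tag."""
    envelope = {
        "principal": principal,
        "boundary": boundary,        # one of: prompt, tool, data, context
        "operation": operation,
        "params": params,
        "policy_id": policy_id,      # signed, so the policy cannot be substituted
        "nonce": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
    }
    envelope["sig"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class PolicyEnforcementPoint:
    """One boundary's verifier: no valid proof, no execution."""

    def __init__(self, keys, now=None):
        self.keys = keys
        self.seen_nonces = set()   # replay cache; in production, bounded by MAX_SKEW
        self.now = now             # fixed clock for the demo; None means wall clock

    def verify(self, envelope):
        """Return (accepted, reason); every rejection happens before execution."""
        key = self.keys.get(envelope.get("principal"))
        if key is None:
            return False, "unknown principal"
        expected = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("sig", "")):
            return False, "bad signature"
        now = self.now if self.now is not None else time.time()
        if abs(now - envelope["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if envelope["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(envelope["nonce"])
        return True, "ok"


def demo():
    """Exercise the verifier against a legitimate request and five attacks."""
    t0 = 1_700_000_000
    pep = PolicyEnforcementPoint(AGENT_KEYS, now=t0)
    key = AGENT_KEYS["agent:payments-bot"]
    req = sign_request("agent:payments-bot", "tool", "transfer",
                       {"amount": 50}, "pol:finance-limited", key, now=t0)
    results = {"fresh": pep.verify(req)[1]}
    results["replay"] = pep.verify(req)[1]                       # same nonce again
    results["tampered"] = pep.verify(dict(req, params={"amount": 5000}))[1]
    results["policy_swap"] = pep.verify(dict(req, policy_id="pol:finance-admin"))[1]
    results["unknown"] = pep.verify(dict(req, principal="agent:rogue"))[1]
    old = sign_request("agent:payments-bot", "tool", "transfer",
                       {"amount": 50}, "pol:finance-limited", key, now=t0 - 600)
    results["stale"] = pep.verify(old)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

Note that the verifier checks the tag before anything else, so a tampered parameter and a swapped policy identifier both fail as "bad signature" rather than reaching policy evaluation; the replay cache and timestamp window are what give the rejections of the second and sixth requests.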
To express the required policies, the authors introduce MAPL (AI‑Native Policy Language). MAPL is designed for the dynamic nature of agents that can change identity, spawn sub‑agents, and evolve capabilities at runtime. Its key features are:
- Dynamic principal resolution – the principal is inferred from authenticated context at execution time, removing the need for static “who‑can‑do‑what” tables.
- Independent caller and resource policies – policies for the invoking agent and the target resource are specified separately and combined via intersection, providing defense‑in‑depth without tight coupling.
- Attestation‑based workflow dependencies – policies can require cryptographically signed attestations that previous steps have completed (e.g., “export data only after an anonymization attestation exists”).
The MAPL grammar is intentionally minimal yet expressive: a policy consists of a unique identifier, an optional extends field for hierarchical inheritance, resource allow/deny patterns (with wildcards), parameter constraints, and a list of required attestations. Hierarchical composition ensures that child policies can only tighten restrictions, never relax them, and the overall policy set scales as O(log M + N) rather than the naïve O(M × N), where M is the number of users and N the number of resources.
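To make the composition rules concrete, here is a small evaluator in the spirit of MAPL, added as an example and not taken from the paper. The policy fields (identifier, extends, allow/deny patterns, parameter constraints, required attestations) follow the description above; the "kind:action:path" resource naming, the "max_<param>" constraint encoding and all policy and principal names are assumptions. It also applies the independent caller and resource policies from the list above and combines them by intersection, so one block serves both passages.

```python
from fnmatch import fnmatchcase

# Constructed policy set in the spirit of MAPL. Field names follow the summary
# above; the "kind:action:path" resource naming and "max_<param>" constraint
# encoding are assumptions made for this example.
POLICIES = {
    "org:base": {
        "allow": ["db:read:*", "db:export:*", "mail:send"],
        "deny": ["db:read:secrets/*"],
        "constraints": {},
        "attestations": [],
    },
    "team:analytics": {
        "extends": "org:base",
        "allow": ["db:read:*", "db:export:*"],          # drops mail:send
        "deny": [],
        "constraints": {"db:export:*": {"max_rows": 10_000}},
        "attestations": [],
    },
    "agent:report-bot": {
        "extends": "team:analytics",
        "allow": ["db:read:*", "db:export:reports/*"],  # narrows exports
        "deny": [],
        "constraints": {},
        "attestations": ["anonymized"],   # workflow dependency: export after anonymization
    },
    "resource:reports": {                 # the target side, evaluated independently
        "allow": ["db:read:reports/*", "db:export:reports/*"],
        "deny": [],
        "constraints": {"db:export:*": {"max_rows": 5_000}},
        "attestations": [],
    },
}


def _matches(patterns, resource):
    return any(fnmatchcase(resource, p) for p in patterns)


def resolve(policy_id, policies=POLICIES):
    """Collect the extends chain. A resource must be allowed at every level and
    denied at none, and constraints and attestations accumulate: a child can
    only tighten what it inherits, never relax it."""
    chain, pid = [], policy_id
    while pid is not None:
        chain.append(policies[pid])
        pid = policies[pid].get("extends")
    return {
        "allow_levels": [p["allow"] for p in chain],
        "deny": [d for p in chain for d in p["deny"]],
        "constraints": [p["constraints"] for p in chain],
        "attestations": {a for p in chain for a in p["attestations"]},
    }


def evaluate(policy_id, resource, params, attestations_present):
    eff = resolve(policy_id)
    if _matches(eff["deny"], resource):
        return False, f"{policy_id}: explicit deny"
    if not all(_matches(level, resource) for level in eff["allow_levels"]):
        return False, f"{policy_id}: not allowed at every inheritance level"
    for cons in eff["constraints"]:
        for pattern, limits in cons.items():
            if not fnmatchcase(resource, pattern):
                continue
            for name, limit in limits.items():
                if name.startswith("max_") and params.get(name[4:], 0) > limit:
                    return False, f"{policy_id}: {name[4:]}={params[name[4:]]} exceeds {limit}"
    missing = eff["attestations"] - set(attestations_present)
    if missing:
        return False, f"{policy_id}: missing attestation(s) {sorted(missing)}"
    return True, "ok"


def authorize(caller_policy, resource_policy, resource, params, attestations_present=()):
    """Caller and resource policies are specified separately and combined by
    intersection: the operation runs only if both accept it."""
    for pid in (caller_policy, resource_policy):
        ok, reason = evaluate(pid, resource, params, attestations_present)
        if not ok:
            return False, reason
    return True, "ok"


def demo():
    """Five requests from the report bot against the reports resource."""
    cases = {
        "export_ok":      ("db:export:reports/q3", {"rows": 4_000}, ["anonymized"]),
        "no_attestation": ("db:export:reports/q3", {"rows": 4_000}, []),
        "outside_child":  ("db:export:raw/users",  {"rows": 10},    ["anonymized"]),
        "too_many_rows":  ("db:export:reports/q3", {"rows": 8_000}, ["anonymized"]),
        "inherited_deny": ("db:read:secrets/key",  {},              ["anonymized"]),
    }
    return {name: authorize("agent:report-bot", "resource:reports", res, params, att)
            for name, (res, params, att) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The "too_many_rows" case is the one to look at for the intersection rule: the caller's inherited limit of 10,000 rows accepts 8,000, but the resource policy's 5,000-row limit rejects it, and the tighter side wins. In this toy evaluator the attestation list is a plain set of strings; the paper's design has the enforcement point check a cryptographically signed attestation, which is what makes the "anonymized before export" dependency tamper-evident.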
On the implementation side, the authors built a distributed Policy Enforcement Point (PEP) that sits at each of the four boundaries. Each PEP independently verifies signatures and evaluates MAPL policies with sub‑millisecond latency, requiring no centralized authority. To demonstrate ecosystem‑agnostic applicability, thin adapters (200‑500 lines of code) were written for nine popular AI frameworks: MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, and Haystack. These adapters translate framework‑specific calls into the authenticated‑workflow protocol without modifying the original APIs, showing that the trust layer can be retrofitted to existing deployments.
The paper provides rigorous formal analysis. Lemma 6 proves that the four boundaries are both complete (they cover all attack surfaces) and minimal (no boundary is redundant). Theorems 1‑3 establish that hierarchical policy composition preserves security properties, while Lemmas 1‑7 collectively demonstrate soundness (no unauthorized operation is ever accepted) and completeness (no authorized operation is ever rejected) under the cryptographic hardness assumption (L1) and a minimal trusted control plane (L2‑L3).
Empirically, the authors evaluated the system on 174 test cases covering a wide spectrum of attacks: prompt injection, tool misuse, data poisoning, context poisoning, replay, and multi‑turn compositional attacks. The authenticated workflow achieved 100 % recall and 0 % false positives. It mitigated 9 of the 10 OWASP Top 10 risks (all except “Insufficient Logging & Monitoring”, which is out of scope) and fully neutralized two high‑impact production CVEs (the OpenAI Atlas credential‑exfiltration bug and a critical MCP exploit). Measured overhead was under 3 % additional latency per request, confirming practical viability.
The authors acknowledge limitations: the trust layer does not replace application‑level safety checks (e.g., business‑logic validation), key management remains a critical operational concern, and attacks that compromise the underlying operating system or hardware (kernel exploits, side‑channel attacks) are outside the threat model. Nonetheless, by shifting the security boundary from “pattern detection” to “cryptographic verification + policy enforcement”, the work offers a deterministic, composable, and framework‑agnostic solution for securing agentic AI in enterprise environments.
In summary, the paper makes five major contributions:
- Problem formalization – identification of four universal attack surfaces and a threat model encompassing sophisticated adversaries.
- Authenticated workflow protocol – a cryptographic primitive that guarantees intent and integrity at every boundary crossing.
- MAPL – a novel policy language enabling dynamic, hierarchical, and attestation‑driven policy specification.
- Universal runtime – lightweight adapters for nine major AI frameworks, demonstrating practical, zero‑protocol‑change deployment.
- Formal and empirical validation – proofs of completeness and soundness, and extensive testing showing deterministic security with negligible performance impact.
Overall, the work presents a compelling blueprint for building a robust AI trust layer that can be adopted across heterogeneous enterprise AI stacks, paving the way for safe, large‑scale deployment of autonomous agents.