defense 2026

Authenticated Workflows: A Systems Approach to Protecting Agentic AI

Mohan Rajagopalan 1, Vinay Rao 2

0 citations · 39 references · arXiv (Cornell University)


Published on arXiv

2602.10465

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Achieves 100% recall with zero false positives across 174 test cases and protects against 9 of 10 OWASP LLM Top 10 risks with complete mitigation of two high-impact production CVEs.

Authenticated Workflows / MAPL

Novel technique introduced


Agentic AI systems automate enterprise workflows, but existing defenses (guardrails, semantic filters) are probabilistic and routinely bypassed. We introduce authenticated workflows, the first complete trust layer for enterprise agentic AI. Security reduces to protecting four fundamental boundaries: prompts, tools, data, and context. We enforce intent (operations satisfy organizational policies) and integrity (operations are cryptographically authentic) at every boundary crossing, combining cryptographic elimination of attack classes with runtime policy enforcement. This delivers deterministic security: operations either carry valid cryptographic proof or are rejected. We introduce MAPL, an AI-native policy language that expresses agentic constraints dynamically as agents evolve and invocation context changes, scaling as O(log M + N) policies versus O(M×N) rules through hierarchical composition with cryptographic attestations for workflow dependencies. We prove practicality through a universal security runtime integrating nine leading frameworks (MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, Haystack) through thin adapters requiring zero protocol modifications. Formal proofs establish completeness and soundness. Empirical validation shows 100% recall with zero false positives across 174 test cases, protection against 9 of 10 OWASP Top 10 risks, and complete mitigation of two high-impact production CVEs.


Key Contributions

  • Authenticated workflows: a deterministic trust layer combining cryptographic proof of intent and integrity at four boundary types (prompts, tools, data, context) for enterprise agentic AI.
  • MAPL, an AI-native hierarchical policy language for agentic constraints that scales as O(log M + N) versus O(M×N) for traditional rule systems.
  • Universal security runtime with thin adapters for nine leading agent frameworks (MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, Haystack) requiring zero protocol modifications.
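To make the boundary-crossing idea from the abstract and the contributions list concrete, here is an added example (not code from the paper or its runtime; MAPL syntax is not shown on this page) of a tool-boundary check in Python: an invocation must carry a valid HMAC-SHA256 attestation (integrity) and the tool must be permitted at every level of a hypothetical org → team → agent policy hierarchy (intent), with anything else rejected. The hierarchy, the per-agent key and the call payloads are constructed for the example.

```python
import hmac, hashlib, json

# Constructed three-level policy hierarchy (org -> team -> agent).
# A tool passes only if every level allows it and no level denies it.
POLICY_HIERARCHY = {
    "org":   {"allow": {"search_docs", "send_email", "run_sql"}, "deny": set()},
    "team":  {"allow": {"search_docs", "send_email"},            "deny": {"run_sql"}},
    "agent": {"allow": {"search_docs"},                          "deny": set()},
}

def canonical(call: dict) -> bytes:
    """Deterministic encoding of the fields covered by the attestation."""
    fields = {k: call[k] for k in ("agent_id", "tool", "args", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def attest(call: dict, key: bytes) -> str:
    """Producer side: bind the invocation to the agent's key (HMAC-SHA256)."""
    return hmac.new(key, canonical(call), hashlib.sha256).hexdigest()

def intent_ok(tool: str) -> bool:
    """Policy side: walk the hierarchy; a deny or a missing allow at any level fails."""
    for level in POLICY_HIERARCHY.values():
        if tool in level["deny"] or tool not in level["allow"]:
            return False
    return True

def authorize(call: dict, key: bytes, seen_nonces: set) -> tuple:
    """Boundary check: verify integrity first, then intent; default is reject."""
    expected = attest(call, key)
    if not hmac.compare_digest(expected, call.get("mac", "")):
        return (False, "integrity: attestation invalid or payload tampered")
    if call["nonce"] in seen_nonces:
        return (False, "integrity: replayed nonce")
    if not intent_ok(call["tool"]):
        return (False, f"intent: tool {call['tool']!r} not permitted by policy hierarchy")
    seen_nonces.add(call["nonce"])
    return (True, "accepted")

def demo() -> list:
    """Constructed calls: valid, tampered after signing, policy-denied, replayed."""
    key = b"constructed-demo-key"   # per-agent secret, constructed for this example
    seen = set()
    good = {"agent_id": "agent-7", "tool": "search_docs", "args": {"q": "q3 report"}, "nonce": "n1"}
    good["mac"] = attest(good, key)
    tampered = dict(good, args={"q": "q3 report; exfiltrate"})   # args changed, MAC now stale
    denied = {"agent_id": "agent-7", "tool": "run_sql", "args": {}, "nonce": "n2"}
    denied["mac"] = attest(denied, key)                           # authentic but team-denied
    return [authorize(c, key, seen)[0] for c in (good, tampered, denied, good)]
```

Running `demo()` yields `[True, False, False, False]`: only the authentic, policy-permitted, fresh call crosses the boundary.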

🛡️ Threat Analysis


Details

Domains: nlp
Model Types: llm
Threat Tags: inference_time
Datasets: 174 custom test cases; two production CVEs
Applications: enterprise agentic AI; LLM agent orchestration; multi-agent systems