Model
Instead of 'read email,' capability = 'read email from sender=X on date=Y.' Fine-grained. Attacker-controlled prompt can't broaden.
Token issuance
User (or task planner) issues capabilities at task start. Agent uses within scope. Cannot self-issue new capabilities.
Attenuation
Sub-agents receive subset of parent's capabilities. Never elevate. Chains of trust decay downward.
Revocation
Capabilities time-boxed + revocable. Compromised agent's capabilities revoked immediately.
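The four rules above in one place, as an added worked example (not code from the page): a minimal Python capability issuer that mints fine-grained tokens, lets a sub-agent only narrow them, and revokes a whole chain at once. The class and method names (`CapabilityIssuer`, `attenuate`, `authorize`) and the sample constraint values are assumptions.

```python
import time
import uuid
from dataclasses import dataclass

# Added illustration of the capability model; names and sample values are assumptions.


@dataclass(frozen=True)
class Capability:
    action: str           # e.g. "read_email", never just "email"
    constraints: dict     # e.g. {"sender": "alice@example.com", "date": "2024-05-01"}
    expires_at: float     # absolute unix time; every capability is time-boxed
    lineage: tuple        # token ids from the root issuance down to this token


class CapabilityIssuer:
    """Holds the revocation list; only the issuer mints root capabilities."""

    def __init__(self):
        self.revoked = set()

    def issue(self, action, constraints, ttl_seconds, now=None):
        """Root issuance at task start by the user or task planner."""
        now = time.time() if now is None else now
        return Capability(action, dict(constraints), now + ttl_seconds, (uuid.uuid4().hex,))

    def attenuate(self, parent, extra_constraints, ttl_seconds=None, now=None):
        """Derive a sub-agent capability: may only add constraints or shorten the lifetime."""
        now = time.time() if now is None else now
        for key, value in extra_constraints.items():
            if key in parent.constraints and parent.constraints[key] != value:
                raise PermissionError(f"cannot loosen constraint {key!r}")
        expires_at = parent.expires_at if ttl_seconds is None else min(parent.expires_at, now + ttl_seconds)
        # Action is inherited unchanged and parent constraints are kept, so scope can only shrink.
        return Capability(parent.action, {**parent.constraints, **extra_constraints},
                          expires_at, parent.lineage + (uuid.uuid4().hex,))

    def revoke(self, cap):
        """Revoking a token also invalidates every capability derived from it."""
        self.revoked.add(cap.lineage[-1])

    def authorize(self, cap, action, request, now=None):
        """True only if the request lies entirely inside the capability's scope."""
        now = time.time() if now is None else now
        if any(tid in self.revoked for tid in cap.lineage) or now >= cap.expires_at:
            return False
        if action != cap.action:
            return False
        return all(request.get(key) == value for key, value in cap.constraints.items())
```

A prompt-injected agent holding only `read_email` for one sender cannot widen the sender or switch the action; its requests fail the same `authorize` check, and revoking the root token cuts off every sub-agent derived from it.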