Model

Instead of a coarse 'read email', the capability is 'read email from sender=X on date=Y'. Fine-grained scope means an attacker-controlled prompt cannot broaden what the agent is allowed to do.


Token issuance

The user (or task planner) issues capabilities at task start. The agent acts only within that scope and cannot self-issue new capabilities.


Attenuation

Sub-agents receive a subset of the parent's capabilities and can never elevate. Authority only narrows as it is delegated down the chain.

Revocation

Capabilities are time-boxed and revocable. A compromised agent's capabilities are revoked immediately.
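The four properties above (fine-grained scope, issuer-only minting, downward-only attenuation, expiry and revocation) fit in one small token design. The following is an added example, not code from the original page; it uses macaroon-style HMAC chaining, which is my choice of mechanism rather than something the page specifies. Names such as `Issuer`, `Capability`, the caveat strings and the sample requests are all constructed for illustration.

```python
"""Capability tokens for an LLM agent: fine-grained scope, issuer-only minting,
holder-side attenuation (macaroon-style HMAC chaining), expiry and revocation.
Added example; the `Issuer`/`Capability` names and sample data are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, replace


def _chain(prev: bytes, data: str) -> bytes:
    """One HMAC link: binds one more field or caveat onto the running tag."""
    return hmac.new(prev, data.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Capability:
    cap_id: str      # random id; lets the issuer revoke this specific token
    action: str      # e.g. "read_email"
    caveats: tuple   # ("sender=alice@example.com", "date=2024-05-01", "not_after=...")
    tag: bytes       # HMAC chain over id, action and every caveat in order

    def attenuate(self, caveat: str) -> "Capability":
        """Holder narrows scope without the issuer key. Caveats can only be
        appended: dropping or editing one breaks the chain and fails verification."""
        return replace(self, caveats=self.caveats + (caveat,), tag=_chain(self.tag, caveat))


class Issuer:
    """Trusted party (user or task planner) that mints and revokes capabilities."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # root secret; never handed to agents
        self._revoked: set = set()

    def issue(self, action: str, ttl_seconds: float, *caveats: str) -> Capability:
        cap_id = secrets.token_hex(8)
        cap = Capability(cap_id, action, (), _chain(self._key, f"{cap_id}|{action}"))
        # Lifetime is itself a caveat, so it is bound into the chain like any other.
        for c in caveats + (f"not_after={time.time() + ttl_seconds}",):
            cap = cap.attenuate(c)
        return cap

    def revoke(self, cap_id: str) -> None:
        """Kills the token and everything attenuated from it (same cap_id)."""
        self._revoked.add(cap_id)

    def authorize(self, cap: Capability, request: dict, now=None) -> bool:
        """True only if the chain is intact, the token is live and unrevoked,
        and every caveat holds for this specific request."""
        now = time.time() if now is None else now
        if cap.cap_id in self._revoked:
            return False
        expected = _chain(self._key, f"{cap.cap_id}|{cap.action}")
        for c in cap.caveats:
            expected = _chain(expected, c)
        if not hmac.compare_digest(expected, cap.tag):
            return False            # forged, edited, or caveat-stripped token
        if request.get("action") != cap.action:
            return False
        for c in cap.caveats:
            key, _, value = c.partition("=")
            if key == "not_after":
                if now > float(value):
                    return False    # expired
            elif str(request.get(key)) != value:
                return False        # request falls outside the caveat
        return True


def scenario() -> dict:
    """Walks the four properties on constructed data; returns {check: bool}."""
    issuer = Issuer()
    root = issuer.issue("read_email", 300, "sender=alice@example.com")
    req = {"action": "read_email", "sender": "alice@example.com", "date": "2024-05-01"}
    out = {}
    out["in_scope"] = issuer.authorize(root, req)
    out["other_sender"] = issuer.authorize(root, {**req, "sender": "mallory@example.com"})
    # A prompt-injected "broadening": rebuild the token without the sender caveat,
    # or re-label it for a different action. Both fail the chain check.
    stripped = Capability(root.cap_id, root.action, (), root.tag)
    out["stripped_caveat"] = issuer.authorize(stripped, req)
    relabeled = Capability(root.cap_id, "send_email", root.caveats, root.tag)
    out["action_swap"] = issuer.authorize(relabeled, {**req, "action": "send_email"})
    # Sub-agent receives a narrower token (adds a date caveat) and cannot widen it.
    sub = root.attenuate("date=2024-05-01")
    out["sub_in_scope"] = issuer.authorize(sub, req)
    out["sub_other_date"] = issuer.authorize(sub, {**req, "date": "2024-05-02"})
    # Time-boxing: the same token judged an hour later.
    out["expired"] = issuer.authorize(root, req, now=time.time() + 3600)
    # Revocation cuts off the root token and the sub-agent's derived token at once.
    issuer.revoke(root.cap_id)
    out["after_revoke"] = issuer.authorize(sub, req)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:16} {result}")
```

The point of chaining the tag rather than signing a static blob is that delegation needs no round-trip to the issuer, yet a holder can only ever add restrictions: every caveat is folded into the tag in order, so removing one leaves a tag the issuer cannot reproduce. Revocation keys off `cap_id`, which derived tokens inherit, so pulling a parent pulls its whole sub-agent tree.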