[
{
"itemID": 3,
"key": "8IES9AGB",
"typeName": "preprint",
"title": "A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control",
"date": "2025-00-00 2025",
"abstract": "Traditional Identity and Access Management (IAM) systems, primarily designed for human users or static machine identities via protocols such as OAuth, OpenID Connect (OIDC), and SAML, prove fundamentally inadequate for the dynamic, interdependent, and often ephemeral nature of AI agents operating at scale within Multi Agent Systems (MAS), a computational system composed of multiple interacting intelligent agents that work collectively.\n This paper posits the imperative for a novel Agentic AI IAM framework: We deconstruct the limitations of existing protocols when applied to MAS, illustrating with concrete examples why their coarse-grained controls, single-entity focus, and lack of context-awareness falter. We then propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs), leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agents capabilities, provenance, behavioral scope, and security posture.\n Our framework includes an Agent Naming Service (ANS) for secure and capability-aware discovery, dynamic fine-grained access control mechanisms, and critically, a unified global session management and policy enforcement layer for real-time control and consistent revocation across heterogeneous agent communication protocols. We also explore how Zero-Knowledge Proofs (ZKPs) enable privacy-preserving attribute disclosure and verifiable policy compliance.\n We outline the architecture, operational lifecycle, innovative contributions, and security considerations of this new IAM paradigm, aiming to establish the foundational trust, accountability, and security necessary for the burgeoning field of agentic AI and the complex ecosystems they will inhabit.",
"doi": "10.48550/ARXIV.2505.19301",
"url": "https://arxiv.org/abs/2505.19301",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ken Huang; Vineeth Sai Narajala; John Yeoh; Jason Ross; Ramesh Raskar; Youssef Harkati; Jerry Huang; Idan Habler; Chris Hughes",
"attachKey": "7SP5V4WH",
"contentType": "application/pdf",
"attachPath": "storage:Huang et al. - 2025 - A Novel Zero-Trust Identity Framework for Agentic AI Decentralized Authentication and Fine-Grained.pdf",
"pdfPath": "/Users/jc/Zotero/storage/7SP5V4WH/Huang et al. - 2025 - A Novel Zero-Trust Identity Framework for Agentic AI Decentralized Authentication and Fine-Grained.pdf"
},
{
"itemID": 3,
"key": "8IES9AGB",
"typeName": "preprint",
"title": "A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control",
"date": "2025-00-00 2025",
"abstract": "Traditional Identity and Access Management (IAM) systems, primarily designed for human users or static machine identities via protocols such as OAuth, OpenID Connect (OIDC), and SAML, prove fundamentally inadequate for the dynamic, interdependent, and often ephemeral nature of AI agents operating at scale within Multi Agent Systems (MAS), a computational system composed of multiple interacting intelligent agents that work collectively.\n This paper posits the imperative for a novel Agentic AI IAM framework: We deconstruct the limitations of existing protocols when applied to MAS, illustrating with concrete examples why their coarse-grained controls, single-entity focus, and lack of context-awareness falter. We then propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs), leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agents capabilities, provenance, behavioral scope, and security posture.\n Our framework includes an Agent Naming Service (ANS) for secure and capability-aware discovery, dynamic fine-grained access control mechanisms, and critically, a unified global session management and policy enforcement layer for real-time control and consistent revocation across heterogeneous agent communication protocols. We also explore how Zero-Knowledge Proofs (ZKPs) enable privacy-preserving attribute disclosure and verifiable policy compliance.\n We outline the architecture, operational lifecycle, innovative contributions, and security considerations of this new IAM paradigm, aiming to establish the foundational trust, accountability, and security necessary for the burgeoning field of agentic AI and the complex ecosystems they will inhabit.",
"doi": "10.48550/ARXIV.2505.19301",
"url": "https://arxiv.org/abs/2505.19301",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ken Huang; Vineeth Sai Narajala; John Yeoh; Jason Ross; Ramesh Raskar; Youssef Harkati; Jerry Huang; Idan Habler; Chris Hughes",
"attachKey": "VIKUE5BS",
"contentType": "application/pdf",
"attachPath": "storage:Huang et al. - 2025 - A Novel Zero-Trust Identity Framework for Agentic AI Decentralized Authentication and Fine-Grained.pdf",
"pdfPath": "/Users/jc/Zotero/storage/VIKUE5BS/Huang et al. - 2025 - A Novel Zero-Trust Identity Framework for Agentic AI Decentralized Authentication and Fine-Grained.pdf"
},
{
"itemID": 4730,
"key": "EGQ3X86R",
"typeName": "preprint",
"title": "A402: Binding Cryptocurrency Payments to Service Execution for Agentic Commerce",
"date": "2026-03-19 2026-03-19",
"abstract": "The rapid proliferation of autonomous AI agents is driving a shift toward agentic commerce, where agents are expected to autonomously invoke and pay for services. While blockchain-based payments offer a programmable foundation for such interactions, the recently proposed x402 standard fails to enforce end-to-end atomicity across service execution, payment, and result delivery. In this paper, we present A402, a trust-minimized payment architecture that securely binds cryptocurrency payments to service execution. A402 introduces Atomic Service Channels (ASCs), a new channel protocol that integrates service execution into payment channels, enabling real-time, high-frequency micropayments for agentic commerce. Within each ASC, A402 employs an atomic exchange protocol based on TEE-assisted adaptor signatures, ensuring that payments are finalized if and only if the requested service is correctly executed and the corresponding result is delivered. To further ensure privacy, A402 incorporates a TEE-based Liquidity Vault that privately manages the lifecycle of ASCs and aggregates their settlements into a single on-chain transaction, revealing only aggregated balances. We implement A402 and evaluate it against x402 with integrations on both Bitcoin and Ethereum. Our results show that A402 delivers orders-of-magnitude performance and on-chain cost improvements over x402 while providing trust-minimized security guarantees.",
"doi": "10.48550/arXiv.2603.01179",
"url": "http://arxiv.org/abs/2603.01179",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ke Wang; Yue Li; Lei Wang; Kaixuan Wang; Zhiqiang Yang; Zhi Guan; Jianbo Gao",
"attachKey": "5QEIYRRN",
"contentType": "application/pdf",
"attachPath": "storage:Li et al. - 2026 - A402 Binding Cryptocurrency Payments to Service Execution for Agentic Commerce.pdf",
"pdfPath": "/Users/jc/Zotero/storage/5QEIYRRN/Li et al. - 2026 - A402 Binding Cryptocurrency Payments to Service Execution for Agentic Commerce.pdf"
},
{
"itemID": 4730,
"key": "EGQ3X86R",
"typeName": "preprint",
"title": "A402: Binding Cryptocurrency Payments to Service Execution for Agentic Commerce",
"date": "2026-03-19 2026-03-19",
"abstract": "The rapid proliferation of autonomous AI agents is driving a shift toward agentic commerce, where agents are expected to autonomously invoke and pay for services. While blockchain-based payments offer a programmable foundation for such interactions, the recently proposed x402 standard fails to enforce end-to-end atomicity across service execution, payment, and result delivery. In this paper, we present A402, a trust-minimized payment architecture that securely binds cryptocurrency payments to service execution. A402 introduces Atomic Service Channels (ASCs), a new channel protocol that integrates service execution into payment channels, enabling real-time, high-frequency micropayments for agentic commerce. Within each ASC, A402 employs an atomic exchange protocol based on TEE-assisted adaptor signatures, ensuring that payments are finalized if and only if the requested service is correctly executed and the corresponding result is delivered. To further ensure privacy, A402 incorporates a TEE-based Liquidity Vault that privately manages the lifecycle of ASCs and aggregates their settlements into a single on-chain transaction, revealing only aggregated balances. We implement A402 and evaluate it against x402 with integrations on both Bitcoin and Ethereum. Our results show that A402 delivers orders-of-magnitude performance and on-chain cost improvements over x402 while providing trust-minimized security guarantees.",
"doi": "10.48550/arXiv.2603.01179",
"url": "http://arxiv.org/abs/2603.01179",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ke Wang; Yue Li; Lei Wang; Kaixuan Wang; Zhiqiang Yang; Zhi Guan; Jianbo Gao",
"attachKey": "M7Q2T2YK",
"contentType": "application/pdf",
"attachPath": "storage:Li et al. - 2026 - A402 Binding Cryptocurrency Payments to Service Execution for Agentic Commerce.pdf",
"pdfPath": "/Users/jc/Zotero/storage/M7Q2T2YK/Li et al. - 2026 - A402 Binding Cryptocurrency Payments to Service Execution for Agentic Commerce.pdf"
},
{
"itemID": 4752,
"key": "A7LMV8QT",
"typeName": "preprint",
"title": "A402: Binding Cryptocurrency Payments to Service Execution for Agentic Commerce",
"date": "2026-00-00 2026",
"abstract": "The rapid proliferation of autonomous AI agents is driving a shift toward agentic commerce, where agents are expected to autonomously invoke and pay for services. While blockchain-based payments offer a programmable foundation for such interactions, the recently proposed x402 standard fails to enforce end-to-end atomicity across service execution, payment, and result delivery.\n In this paper, we present A402, a trust-minimized payment architecture that securely binds cryptocurrency payments to service execution. A402 introduces Atomic Service Channels (ASCs), a new channel protocol that integrates service execution into payment channels, enabling real-time, high-frequency micropayments for agentic commerce. Within each ASC, A402 employs an atomic exchange protocol based on TEE-assisted adaptor signatures, ensuring that payments are finalized if and only if the requested service is correctly executed and the corresponding result is delivered. To further ensure privacy, A402 incorporates a TEE-based Liquidity Vault that privately manages the lifecycle of ASCs and aggregates their settlements into a single on-chain transaction, revealing only aggregated balances.\n We implement A402 and evaluate it against x402 with integrations on both Bitcoin and Ethereum. Our results show that A402 delivers orders-of-magnitude performance and on-chain cost improvements over x402 while providing trust-minimized security guarantees.",
"doi": "10.48550/ARXIV.2603.01179",
"url": "https://arxiv.org/abs/2603.01179",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ke Wang; Yue Li; Lei Wang; Kaixuan Wang; Zhiqiang Yang; Zhi Guan; Jianbo Gao",
"attachKey": "Z48BFUHD",
"contentType": "application/pdf",
"attachPath": "storage:2603.01179.pdf",
"pdfPath": "/Users/jc/Zotero/storage/Z48BFUHD/2603.01179.pdf"
},
{
"itemID": 4728,
"key": "TGSR9XSS",
"typeName": "webpage",
"title": "A402：将加密货币支付绑定为代理商交易服务执行 --- A402: Binding Cryptocurrency Payments to Service Execution for Agentic Commerce",
"date": null,
"abstract": null,
"doi": null,
"url": "https://arxiv.org/html/2603.01179v2",
"publication": null,
"proceedings": null,
"repository": null,
"authors": "",
"attachKey": null,
"contentType": null,
"attachPath": null,
"pdfPath": ""
},
{
"itemID": 4751,
"key": "W65TTDI2",
"typeName": "journalArticle",
"title": "Agentic commerce and payments : Exploring the implications of robots paying robots",
"date": "2025-03-01 2025-3-1",
"abstract": "A new frontier for payments is emerging where the ‘traditional’ world of machine-to-machine and automated payments intersects with the rapidly evolving world of artificial intelligence (AI). As the bots evolve from simple chatbots to intelligent agents, known as Agentic AI, they will evolve from machines (in the most general sense) under our control into robots capable of making their own decisions and, by implication, their own payments. This is where we see an emerging demand for robot-to-robot (R2R) payments and the commensurate need for a strategic response from the payments sector to meet this need. While early experiments in machine payments have used existing mechanisms (eg blockchain and payment cards) it is not clear that these mechanisms can satisfy the needs of the emerging sector. This paper extends a taxonomy of payment types to include AI and looks at the specific needs of the R2R subsector. It presents some of the opportunities for FinTechs to create new products and services to complement the offerings of the ‘traditional’ players at the intersection of AI, machine payments and financial services. It concludes that the smart wallet (ie a digital wallet that can be operated by a robot) will be the central orchestration mechanism. We see the potential for a new payments infrastructure emerging to both re-energise past propositions (eg micropayments) and create entirely new ones (supply-chain currencies). New transactions and new trade mean new prosperity. With the right governance in place, the payments industry can explore this entirely new frontier to the great benefit of the economy as a whole.",
"doi": "10.69554/NGEA2302",
"url": "https://hstalks.com/doi/10.69554/NGEA2302/",
"publication": "Journal of Payments Strategy & Systems",
"proceedings": null,
"repository": null,
"authors": "David G. W. Birch; Debbie Gamble",
"attachKey": null,
"contentType": null,
"attachPath": null,
"pdfPath": ""
},
{
"itemID": 2,
"key": "EJSCF5IH",
"typeName": "preprint",
"title": "Binding Agent ID: Unleashing the Power of AI Agents with accountability and credibility",
"date": "2025-00-00 2025",
"abstract": "Autonomous AI agents lack traceable accountability mechanisms, creating a fundamental dilemma where systems must either operate as ``downgraded tools'' or risk real-world abuse. This vulnerability stems from the limitations of traditional key-based authentication, which guarantees neither the operator's physical identity nor the agent's code integrity. To bridge this gap, we propose BAID (Binding Agent ID), a comprehensive identity infrastructure establishing verifiable user-code binding. BAID integrates three orthogonal mechanisms: local binding via biometric authentication, decentralized on-chain identity management, and a novel zkVM-based Code-Level Authentication protocol. By leveraging recursive proofs to treat the program binary as the identity, this protocol provides cryptographic guarantees for operator identity, agent configuration integrity, and complete execution provenance, thereby effectively preventing unauthorized operation and code substitution. We implement and evaluate a complete prototype system, demonstrating the practical feasibility of blockchain-based identity management and zkVM-based authentication protocol.",
"doi": "10.48550/ARXIV.2512.17538",
"url": "https://arxiv.org/abs/2512.17538",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zibin Lin; Shengli Zhang; Guofu Liao; Dacheng Tao; Taotao Wang",
"attachKey": "5GKF4HXU",
"contentType": "application/pdf",
"attachPath": "storage:Lin et al. - 2025 - Binding Agent ID Unleashing the Power of AI Agents with accountability and credibility.pdf",
"pdfPath": "/Users/jc/Zotero/storage/5GKF4HXU/Lin et al. - 2025 - Binding Agent ID Unleashing the Power of AI Agents with accountability and credibility.pdf"
},
{
"itemID": 2,
"key": "EJSCF5IH",
"typeName": "preprint",
"title": "Binding Agent ID: Unleashing the Power of AI Agents with accountability and credibility",
"date": "2025-00-00 2025",
"abstract": "Autonomous AI agents lack traceable accountability mechanisms, creating a fundamental dilemma where systems must either operate as ``downgraded tools'' or risk real-world abuse. This vulnerability stems from the limitations of traditional key-based authentication, which guarantees neither the operator's physical identity nor the agent's code integrity. To bridge this gap, we propose BAID (Binding Agent ID), a comprehensive identity infrastructure establishing verifiable user-code binding. BAID integrates three orthogonal mechanisms: local binding via biometric authentication, decentralized on-chain identity management, and a novel zkVM-based Code-Level Authentication protocol. By leveraging recursive proofs to treat the program binary as the identity, this protocol provides cryptographic guarantees for operator identity, agent configuration integrity, and complete execution provenance, thereby effectively preventing unauthorized operation and code substitution. We implement and evaluate a complete prototype system, demonstrating the practical feasibility of blockchain-based identity management and zkVM-based authentication protocol.",
"doi": "10.48550/ARXIV.2512.17538",
"url": "https://arxiv.org/abs/2512.17538",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zibin Lin; Shengli Zhang; Guofu Liao; Dacheng Tao; Taotao Wang",
"attachKey": "YGM8SQG7",
"contentType": "application/pdf",
"attachPath": "storage:Lin et al. - 2025 - Binding Agent ID Unleashing the Power of AI Agents with accountability and credibility.pdf",
"pdfPath": "/Users/jc/Zotero/storage/YGM8SQG7/Lin et al. - 2025 - Binding Agent ID Unleashing the Power of AI Agents with accountability and credibility.pdf"
},
{
"itemID": 50,
"key": "U9SN57PX",
"typeName": "preprint",
"title": "Blind Gods and Broken Screens: Architecting a Secure, Intent-Centric Mobile Agent Operating System",
"date": "2026-02-13 2026-02-13",
"abstract": "The evolution of Large Language Models (LLMs) has shifted mobile computing from App-centric interactions to system-level autonomous agents. Current implementations predominantly rely on a \"Screen-as-Interface\" paradigm, which inherits structural vulnerabilities and conflicts with the mobile ecosystem's economic foundations. In this paper, we conduct a systematic security analysis of state-of-the-art mobile agents using Doubao Mobile Assistant as a representative case. We decompose the threat landscape into four dimensions - Agent Identity, External Interface, Internal Reasoning, and Action Execution - revealing critical flaws such as fake App identity, visual spoofing, indirect prompt injection, and unauthorized privilege escalation stemming from a reliance on unstructured visual data. To address these challenges, we propose Aura, an Agent Universal Runtime Architecture for a clean-slate secure agent OS. Aura replaces brittle GUI scraping with a structured, agent-native interaction model. It adopts a Hub-and-Spoke topology where a privileged System Agent orchestrates intent, sandboxed App Agents execute domain-specific tasks, and the Agent Kernel mediates all communication. The Agent Kernel enforces four defense pillars: (i) cryptographic identity binding via a Global Agent Registry; (ii) semantic input sanitization through a multilayer Semantic Firewall; (iii) cognitive integrity via taint-aware memory and plan-trajectory alignment; and (iv) granular access control with non-deniable auditing. Evaluation on MobileSafetyBench shows that, compared to Doubao, Aura improves low-risk Task Success Rate from roughly 75% to 94.3%, reduces high-risk Attack Success Rate from roughly 40% to 4.4%, and achieves near-order-of-magnitude latency gains. These results demonstrate Aura as a viable, secure alternative to the \"Screen-as-Interface\" paradigm.",
"doi": "10.48550/arXiv.2602.10915",
"url": "http://arxiv.org/abs/2602.10915",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zhenhua Zou; Sheng Guo; Qiuyang Zhan; Lepeng Zhao; Shuo Li; Qi Li; Ke Xu; Mingwei Xu; Zhuotao Liu",
"attachKey": "EFMPYCQ4",
"contentType": "application/pdf",
"attachPath": "storage:Zou et al. - 2026 - Blind Gods and Broken Screens Architecting a Secure, Intent-Centric Mobile Agent Operating System.pdf",
"pdfPath": "/Users/jc/Zotero/storage/EFMPYCQ4/Zou et al. - 2026 - Blind Gods and Broken Screens Architecting a Secure, Intent-Centric Mobile Agent Operating System.pdf"
},
{
"itemID": 219,
"key": "D7DCUDB4",
"typeName": "preprint",
"title": "BlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability",
"date": "2025-09-21 2025-09-21",
"abstract": "The rapid adoption of agentic AI, powered by large language models (LLMs), is transforming enterprise ecosystems with autonomous agents that execute complex workflows. Yet we observe several key security vulnerabilities in LLM-driven multi-agent systems (MASes): fragmented identity frameworks, insecure communication channels, and inadequate defenses against Byzantine agents or adversarial prompts. In this paper, we present the first systematic analysis of these emerging multi-agent risks and explain why the legacy security strategies cannot effectively address these risks. Afterwards, we propose BlockA2A, the first unified multi-agent trust framework that enables secure and verifiable and agent-to-agent interoperability. At a high level, BlockA2A adopts decentralized identifiers (DIDs) to enable fine-grained cross-domain agent authentication, blockchain-anchored ledgers to enable immutable auditability, and smart contracts to dynamically enforce context-aware access control policies. BlockA2A eliminates centralized trust bottlenecks, ensures message authenticity and execution integrity, and guarantees accountability across agent interactions. Furthermore, we propose a Defense Orchestration Engine (DOE) that actively neutralizes attacks through real-time mechanisms, including Byzantine agent flagging, reactive execution halting, and instant permission revocation. Empirical evaluations demonstrate BlockA2A's effectiveness in neutralizing prompt-based, communication-based, behavioral and systemic MAS attacks. We formalize its integration into existing MAS and showcase a practical implementation for Google's A2A protocol. Experiments confirm that BlockA2A and DOE operate with sub-second overhead, enabling scalable deployment in production LLM-based MAS environments.",
"doi": "10.48550/arXiv.2508.01332",
"url": "http://arxiv.org/abs/2508.01332",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zhenhua Zou; Qiuyang Zhan; Lepeng Zhao; Zhuotao Liu",
"attachKey": "L4QWX82G",
"contentType": "application/pdf",
"attachPath": "storage:Zou et al. - 2025 - BlockA2A Towards Secure and Verifiable Agent-to-Agent Interoperability.pdf",
"pdfPath": "/Users/jc/Zotero/storage/L4QWX82G/Zou et al. - 2025 - BlockA2A Towards Secure and Verifiable Agent-to-Agent Interoperability.pdf"
},
{
"itemID": 219,
"key": "D7DCUDB4",
"typeName": "preprint",
"title": "BlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability",
"date": "2025-09-21 2025-09-21",
"abstract": "The rapid adoption of agentic AI, powered by large language models (LLMs), is transforming enterprise ecosystems with autonomous agents that execute complex workflows. Yet we observe several key security vulnerabilities in LLM-driven multi-agent systems (MASes): fragmented identity frameworks, insecure communication channels, and inadequate defenses against Byzantine agents or adversarial prompts. In this paper, we present the first systematic analysis of these emerging multi-agent risks and explain why the legacy security strategies cannot effectively address these risks. Afterwards, we propose BlockA2A, the first unified multi-agent trust framework that enables secure and verifiable and agent-to-agent interoperability. At a high level, BlockA2A adopts decentralized identifiers (DIDs) to enable fine-grained cross-domain agent authentication, blockchain-anchored ledgers to enable immutable auditability, and smart contracts to dynamically enforce context-aware access control policies. BlockA2A eliminates centralized trust bottlenecks, ensures message authenticity and execution integrity, and guarantees accountability across agent interactions. Furthermore, we propose a Defense Orchestration Engine (DOE) that actively neutralizes attacks through real-time mechanisms, including Byzantine agent flagging, reactive execution halting, and instant permission revocation. Empirical evaluations demonstrate BlockA2A's effectiveness in neutralizing prompt-based, communication-based, behavioral and systemic MAS attacks. We formalize its integration into existing MAS and showcase a practical implementation for Google's A2A protocol. Experiments confirm that BlockA2A and DOE operate with sub-second overhead, enabling scalable deployment in production LLM-based MAS environments.",
"doi": "10.48550/arXiv.2508.01332",
"url": "http://arxiv.org/abs/2508.01332",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zhenhua Zou; Qiuyang Zhan; Lepeng Zhao; Zhuotao Liu",
"attachKey": "N3DLP22G",
"contentType": "application/pdf",
"attachPath": "storage:Liu - BlockA2ATowards Secure and Verifiable Agent-to-Agent Interoperability.pdf",
"pdfPath": "/Users/jc/Zotero/storage/N3DLP22G/Liu - BlockA2ATowards Secure and Verifiable Agent-to-Agent Interoperability.pdf"
},
{
"itemID": 57,
"key": "4TRD8HRE",
"typeName": "preprint",
"title": "Intelligent AI Delegation",
"date": "2026-02-12 2026-02-12",
"abstract": "AI agents are able to tackle increasingly complex tasks. To achieve more ambitious goals, AI agents need to be able to meaningfully decompose problems into manageable sub-components, and safely delegate their completion across to other AI agents and humans alike. Yet, existing task decomposition and delegation methods rely on simple heuristics, and are not able to dynamically adapt to environmental changes and robustly handle unexpected failures. Here we propose an adaptive framework for intelligent AI delegation - a sequence of decisions involving task allocation, that also incorporates transfer of authority, responsibility, accountability, clear specifications regarding roles and boundaries, clarity of intent, and mechanisms for establishing trust between the two (or more) parties. The proposed framework is applicable to both human and AI delegators and delegatees in complex delegation networks, aiming to inform the development of protocols in the emerging agentic web.",
"doi": "10.48550/arXiv.2602.11865",
"url": "http://arxiv.org/abs/2602.11865",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Nenad Tomašev; Matija Franklin; Simon Osindero",
"attachKey": "7KAEBFIT",
"contentType": "application/pdf",
"attachPath": "storage:Tomašev et al. - 2026 - Intelligent AI Delegation.pdf",
"pdfPath": "/Users/jc/Zotero/storage/7KAEBFIT/Tomašev et al. - 2026 - Intelligent AI Delegation.pdf"
},
{
"itemID": 8,
"key": "58BMZA9M",
"typeName": "preprint",
"title": "Inter-Agent Trust Models: A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constraint in Agentic Web Protocol Design-A2A, AP2, ERC-8004, and Beyond",
"date": "2025-00-00 2025",
"abstract": "As the \"agentic web\" takes shape-billions of AI agents (often LLM-powered) autonomously transacting and collaborating-trust shifts from human oversight to protocol design. In 2025, several inter-agent protocols crystallized this shift, including Google's Agent-to-Agent (A2A), Agent Payments Protocol (AP2), and Ethereum's ERC-8004 \"Trustless Agents,\" yet their underlying trust assumptions remain under-examined. This paper presents a comparative study of trust models in inter-agent protocol design: Brief (self- or third-party verifiable claims), Claim (self-proclaimed capabilities and identity, e.g. AgentCard), Proof (cryptographic verification, including zero-knowledge proofs and trusted execution environment attestations), Stake (bonded collateral with slashing and insurance), Reputation (crowd feedback and graph-based trust signals), and Constraint (sandboxing and capability bounding). For each, we analyze assumptions, attack surfaces, and design trade-offs, with particular emphasis on LLM-specific fragilities-prompt injection, sycophancy/nudge-susceptibility, hallucination, deception, and misalignment-that render purely reputational or claim-only approaches brittle. Our findings indicate no single mechanism suffices. We argue for trustless-by-default architectures anchored in Proof and Stake to gate high-impact actions, augmented by Brief for identity and discovery and Reputation overlays for flexibility and social signals. We comparatively evaluate A2A, AP2, ERC-8004 and related historical variations in academic research under metrics spanning security, privacy, latency/cost, and social robustness (Sybil/collusion/whitewashing resistance). We conclude with hybrid trust model recommendations that mitigate reputation gaming and misinformed LLM behavior, and we distill actionable design guidelines for safer, interoperable, and scalable agent economies.",
"doi": "10.48550/ARXIV.2511.03434",
"url": "https://arxiv.org/abs/2511.03434",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Botao 'Amber' Hu; Helena Rong",
"attachKey": "A3QI9RYM",
"contentType": "application/pdf",
"attachPath": "storage:Hu and Rong - 2025 - Inter-Agent Trust Models A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constrai.pdf",
"pdfPath": "/Users/jc/Zotero/storage/A3QI9RYM/Hu and Rong - 2025 - Inter-Agent Trust Models A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constrai.pdf"
},
{
"itemID": 8,
"key": "58BMZA9M",
"typeName": "preprint",
"title": "Inter-Agent Trust Models: A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constraint in Agentic Web Protocol Design-A2A, AP2, ERC-8004, and Beyond",
"date": "2025-00-00 2025",
"abstract": "As the \"agentic web\" takes shape-billions of AI agents (often LLM-powered) autonomously transacting and collaborating-trust shifts from human oversight to protocol design. In 2025, several inter-agent protocols crystallized this shift, including Google's Agent-to-Agent (A2A), Agent Payments Protocol (AP2), and Ethereum's ERC-8004 \"Trustless Agents,\" yet their underlying trust assumptions remain under-examined. This paper presents a comparative study of trust models in inter-agent protocol design: Brief (self- or third-party verifiable claims), Claim (self-proclaimed capabilities and identity, e.g. AgentCard), Proof (cryptographic verification, including zero-knowledge proofs and trusted execution environment attestations), Stake (bonded collateral with slashing and insurance), Reputation (crowd feedback and graph-based trust signals), and Constraint (sandboxing and capability bounding). For each, we analyze assumptions, attack surfaces, and design trade-offs, with particular emphasis on LLM-specific fragilities-prompt injection, sycophancy/nudge-susceptibility, hallucination, deception, and misalignment-that render purely reputational or claim-only approaches brittle. Our findings indicate no single mechanism suffices. We argue for trustless-by-default architectures anchored in Proof and Stake to gate high-impact actions, augmented by Brief for identity and discovery and Reputation overlays for flexibility and social signals. We comparatively evaluate A2A, AP2, ERC-8004 and related historical variations in academic research under metrics spanning security, privacy, latency/cost, and social robustness (Sybil/collusion/whitewashing resistance). We conclude with hybrid trust model recommendations that mitigate reputation gaming and misinformed LLM behavior, and we distill actionable design guidelines for safer, interoperable, and scalable agent economies.",
"doi": "10.48550/ARXIV.2511.03434",
"url": "https://arxiv.org/abs/2511.03434",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Botao 'Amber' Hu; Helena Rong",
"attachKey": "J4MMJQFK",
"contentType": "application/pdf",
"attachPath": "storage:Hu and Rong - 2025 - Inter-Agent Trust Models A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constrai.pdf",
"pdfPath": "/Users/jc/Zotero/storage/J4MMJQFK/Hu and Rong - 2025 - Inter-Agent Trust Models A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constrai.pdf"
},
{
"itemID": 215,
"key": "NQKCHGFJ",
"typeName": "preprint",
"title": "Les Dissonances: Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents",
"date": "2025-12-03 2025-12-03",
"abstract": "Large Language Model (LLM) agents are autonomous systems powered by LLMs, capable of reasoning and planning to solve problems by leveraging a set of tools. However, the integration of multi-tool capabilities in LLM agents introduces challenges in securely managing tools, ensuring their compatibility, handling dependency relationships, and protecting control flows within LLM agent workflows. In this paper, we present the first systematic security analysis of task control flows in multi-tool-enabled LLM agents. We identify a novel threat, Cross-Tool Harvesting and Polluting (XTHP), which includes multiple attack vectors to first hijack the normal control flows of agent tasks, and then collect and pollute confidential or private information within LLM agent systems. To understand the impact of this threat, we developed Chord, a dynamic scanning tool designed to automatically detect real-world agent tools susceptible to XTHP attacks. Our evaluation of 66 real-world tools from the repositories of two major LLM agent development frameworks, LangChain and LlamaIndex, revealed a significant security concern: 75% are vulnerable to XTHP attacks, highlighting the prevalence of this threat.",
"doi": "10.48550/arXiv.2504.03111",
"url": "http://arxiv.org/abs/2504.03111",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Zichuan Li; Jian Cui; Xiaojing Liao; Luyi Xing",
"attachKey": "VQ88DKCR",
"contentType": "application/pdf",
"attachPath": "storage:Li et al. - 2025 - Les Dissonances Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents.pdf",
"pdfPath": "/Users/jc/Zotero/storage/VQ88DKCR/Li et al. - 2025 - Les Dissonances Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents.pdf"
},
{
"itemID": 75,
"key": "78TT4BFW",
"typeName": "preprint",
"title": "SAKSHI: Decentralized AI Platforms",
"date": "2023-07-31 2023-07-31",
"abstract": "Large AI models (e.g., Dall-E, GPT4) have electrified the scientific, technological and societal landscape through their superhuman capabilities. These services are offered largely in a traditional web2.0 format (e.g., OpenAI's GPT4 service). As more large AI models proliferate (personalizing and specializing to a variety of domains), there is a tremendous need to have a neutral trust-free platform that allows the hosting of AI models, clients receiving AI services efficiently, yet in a trust-free, incentive compatible, Byzantine behavior resistant manner. In this paper we propose SAKSHI, a trust-free decentralized platform specifically suited for AI services. The key design principles of SAKSHI are the separation of the data path (where AI query and service is managed) and the control path (where routers and compute and storage hosts are managed) from the transaction path (where the metering and billing of services are managed over a blockchain). This separation is enabled by a \"proof of inference\" layer which provides cryptographic resistance against a variety of misbehaviors, including poor AI service, nonpayment for service, copying of AI models. This is joint work between multiple universities (Princeton University, University of Illinois at Urbana-Champaign, Tsinghua University, HKUST) and two startup companies (Witness Chain and Eigen Layer).",
"doi": "10.48550/arXiv.2307.16562",
"url": "http://arxiv.org/abs/2307.16562",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Xuechao Wang; Suma Bhat; Canhui Chen; Zerui Cheng; Zhixuan Fang; Ashwin Hebbar; Sreeram Kannan; Ranvir Rana; Peiyao Sheng; Himanshu Tyagi; Pramod Viswanath",
"attachKey": "CCMZAJUU",
"contentType": "application/pdf",
"attachPath": "storage:Bhat et al. - 2023 - SAKSHI Decentralized AI Platforms.pdf",
"pdfPath": "/Users/jc/Zotero/storage/CCMZAJUU/Bhat et al. - 2023 - SAKSHI Decentralized AI Platforms.pdf"
},
{
"itemID": 4747,
"key": "NSWC4TT7",
"typeName": "preprint",
"title": "Secure Autonomous Agent Payments: Verifying Authenticity and Intent in a Trustless Environment",
"date": "2025-11-08 2025-11-08",
"abstract": "Artificial intelligence (AI) agents are increasingly capable of initiating financial transactions on behalf of users or other agents. This evolution introduces a fundamental challenge: verifying both the authenticity of an autonomous agent and the true intent behind its transactions in a decentralized, trustless environment. Traditional payment systems assume human authorization, but autonomous, agent-led payments remove that safeguard. This paper presents a blockchain-based framework that cryptographically authenticates and verifies the intent of every AI-initiated transaction. The proposed system leverages decentralized identity (DID) standards and verifiable credentials to establish agent identities, on-chain intent proofs to record user authorization, and zero-knowledge proofs (ZKPs) to preserve privacy while ensuring policy compliance. Additionally, secure execution environments (TEE-based attestations) guarantee the integrity of agent reasoning and execution. The hybrid on-chain/off-chain architecture provides an immutable audit trail linking user intent to payment outcome. Through qualitative analysis, the framework demonstrates strong resistance to impersonation, unauthorized transactions, and misalignment of intent. This work lays the foundation for secure, auditable, and intent-aware autonomous economic agents, enabling a future of verifiable trust and accountability in AI-driven financial ecosystems.",
"doi": "10.48550/arXiv.2511.15712",
"url": "http://arxiv.org/abs/2511.15712",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Vivek Acharya",
"attachKey": "UANK3TN4",
"contentType": "application/pdf",
"attachPath": "storage:Acharya - 2025 - Secure Autonomous Agent Payments Verifying Authenticity and Intent in a Trustless Environment.pdf",
"pdfPath": "/Users/jc/Zotero/storage/UANK3TN4/Acharya - 2025 - Secure Autonomous Agent Payments Verifying Authenticity and Intent in a Trustless Environment.pdf"
},
{
"itemID": 49,
"key": "EYUQ4L3M",
"typeName": "preprint",
"title": "SoK: Blockchain Agent-to-Agent Payments",
"date": "2026-04-04 2026-04-04",
"abstract": "Agentic AI rivals human capabilities across a wide range of domains. Looking ahead, it is foreseeable that AI agents will autonomously handle complex workflows and interactions. Early prototypes of this paradigm are emerging, e.g., OpenClaw and Moltbook, signaling a shift toward Agent-to-Agent (A2A) ecosystems. However, despite these promising blueprints, critical trust and security challenges remain, particularly in scenarios involving financial transactions. Ensuring secure and reliable payment mechanisms between unknown and untrusted agents is crucial to complete a fully functional and trustworthy A2A ecosystem. Although blockchain-based infrastructures provide a natural foundation for this setting, via programmable settlement, transparent accounting, and open interoperability, trust and security challenges have not yet been fully addressed. Hence, for the first time, we systematize blockchain-based A2A payments, e.g., X402, with a four-stage lifecycle: discovery, authorization, execution, and accounting. We categorize representative designs at each stage and identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability. We highlight future directions for strengthening cross-stage consistency, enabling behavior-aware control, and supporting compositional payment workflows across agents and systems.",
"doi": "10.48550/arXiv.2604.03733",
"url": "http://arxiv.org/abs/2604.03733",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Yuanzhe Zhang; Yuexin Xiang; Yuchen Lei; Qin Wang; Tian Qiu; Yujing Sun; Spiridon Zarkov; Tsz Hon Yuen; Andreas Deppeler; Jiangshan Yu; Kwok-Yan Lam",
"attachKey": "4KGCXQUB",
"contentType": "application/pdf",
"attachPath": "storage:Zhang et al. - 2026 - SoK Blockchain Agent-to-Agent Payments.pdf",
"pdfPath": "/Users/jc/Zotero/storage/4KGCXQUB/Zhang et al. - 2026 - SoK Blockchain Agent-to-Agent Payments.pdf"
},
{
"itemID": 49,
"key": "EYUQ4L3M",
"typeName": "preprint",
"title": "SoK: Blockchain Agent-to-Agent Payments",
"date": "2026-04-04 2026-04-04",
"abstract": "Agentic AI rivals human capabilities across a wide range of domains. Looking ahead, it is foreseeable that AI agents will autonomously handle complex workflows and interactions. Early prototypes of this paradigm are emerging, e.g., OpenClaw and Moltbook, signaling a shift toward Agent-to-Agent (A2A) ecosystems. However, despite these promising blueprints, critical trust and security challenges remain, particularly in scenarios involving financial transactions. Ensuring secure and reliable payment mechanisms between unknown and untrusted agents is crucial to complete a fully functional and trustworthy A2A ecosystem. Although blockchain-based infrastructures provide a natural foundation for this setting, via programmable settlement, transparent accounting, and open interoperability, trust and security challenges have not yet been fully addressed. Hence, for the first time, we systematize blockchain-based A2A payments, e.g., X402, with a four-stage lifecycle: discovery, authorization, execution, and accounting. We categorize representative designs at each stage and identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability. We highlight future directions for strengthening cross-stage consistency, enabling behavior-aware control, and supporting compositional payment workflows across agents and systems.",
"doi": "10.48550/arXiv.2604.03733",
"url": "http://arxiv.org/abs/2604.03733",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Yuanzhe Zhang; Yuexin Xiang; Yuchen Lei; Qin Wang; Tian Qiu; Yujing Sun; Spiridon Zarkov; Tsz Hon Yuen; Andreas Deppeler; Jiangshan Yu; Kwok-Yan Lam",
"attachKey": "9J9H6MZX",
"contentType": "application/pdf",
"attachPath": "storage:Zhang et al. - 2026 - SoK Blockchain Agent-to-Agent Payments.pdf",
"pdfPath": "/Users/jc/Zotero/storage/9J9H6MZX/Zhang et al. - 2026 - SoK Blockchain Agent-to-Agent Payments.pdf"
},
{
"itemID": 4753,
"key": "47H6YHNR",
"typeName": "preprint",
"title": "SoK: Blockchain Agent-to-Agent Payments",
"date": "2026-00-00 2026",
"abstract": "Agentic AI rivals human capabilities across a wide range of domains. Looking ahead, it is foreseeable that AI agents will autonomously handle complex workflows and interactions. Early prototypes of this paradigm are emerging, e.g., OpenClaw and Moltbook, signaling a shift toward Agent-to-Agent (A2A) ecosystems. However, despite these promising blueprints, critical trust and security challenges remain, particularly in scenarios involving financial transactions. Ensuring secure and reliable payment mechanisms between unknown and untrusted agents is crucial to complete a fully functional and trustworthy A2A ecosystem. Although blockchain-based infrastructures provide a natural foundation for this setting, via programmable settlement, transparent accounting, and open interoperability, trust and security challenges have not yet been fully addressed. Hence, for the first time, we systematize blockchain-based A2A payments, e.g., X402, with a four-stage lifecycle: discovery, authorization, execution, and accounting. We categorize representative designs at each stage and identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability. We highlight future directions for strengthening cross-stage consistency, enabling behavior-aware control, and supporting compositional payment workflows across agents and systems.",
"doi": "10.48550/ARXIV.2604.03733",
"url": "https://arxiv.org/abs/2604.03733",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Yuanzhe Zhang; Yuexin Xiang; Yuchen Lei; Qin Wang; Tian Qiu; Yujing Sun; Spiridon Zarkov; Tsz Hon Yuen; Andreas Deppeler; Jiangshan Yu; Kwok-Yan Lam",
"attachKey": "K2UMZCAN",
"contentType": "application/pdf",
"attachPath": "storage:2604.03733.pdf",
"pdfPath": "/Users/jc/Zotero/storage/K2UMZCAN/2604.03733.pdf"
},
{
"itemID": 4758,
"key": "EFHNU47X",
"typeName": "preprint",
"title": "Towards Multi-Agent Economies: Enhancing the A2A Protocol with Ledger-Anchored Identities and x402 Micropayments for AI Agents",
"date": "2025-00-00 2025",
"abstract": "This research article presents a novel architecture to empower multi-agent economies by addressing two critical limitations of the emerging Agent2Agent (A2A) communication protocol: decentralized agent discoverability and agent-to-agent micropayments. By integrating distributed ledger technology (DLT), this architecture enables tamper-proof, on-chain publishing of AgentCards as smart contracts, providing secure and verifiable agent identities. The architecture further extends A2A with the x402 open standard, facilitating blockchain-agnostic, HTTP-based micropayments via the HTTP 402 status code. This enables autonomous agents to seamlessly discover, authenticate, and compensate each other across organizational boundaries. This work further presents a comprehensive technical implementation and evaluation, demonstrating the feasibility of DLT-based agent discovery and micropayments. The proposed approach lays the groundwork for secure, scalable, and economically viable multi-agent ecosystems, advancing the field of agentic AI toward trusted, autonomous economic interactions.",
"doi": "10.48550/ARXIV.2507.19550",
"url": "https://arxiv.org/abs/2507.19550",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Awid Vaziry; Sandro Rodriguez Garzon; Axel Küpper",
"attachKey": "B3ZT2XHC",
"contentType": "application/pdf",
"attachPath": "storage:2507.19550.pdf",
"pdfPath": "/Users/jc/Zotero/storage/B3ZT2XHC/2507.19550.pdf"
},
{
"itemID": 220,
"key": "45T7I59W",
"typeName": "preprint",
"title": "Why Do Multi-Agent LLM Systems Fail?",
"date": "2025-10-26 2025-10-26",
"abstract": "Despite enthusiasm for Multi-Agent LLM Systems (MAS), their performance gains on popular benchmarks are often minimal. This gap highlights a critical need for a principled understanding of why MAS fail. Addressing this question requires systematic identification and analysis of failure patterns. We introduce MAST-Data, a comprehensive dataset of 1600+ annotated traces collected across 7 popular MAS frameworks. MAST-Data is the first multi-agent system dataset to outline the failure dynamics in MAS for guiding the development of better future systems. To enable systematic classification of failures for MAST-Data, we build the first Multi-Agent System Failure Taxonomy (MAST). We develop MAST through rigorous analysis of 150 traces, guided closely by expert human annotators and validated by high inter-annotator agreement (kappa = 0.88). This process identifies 14 unique modes, clustered into 3 categories: (i) system design issues, (ii) inter-agent misalignment, and (iii) task verification. To enable scalable annotation, we develop an LLM-as-a-Judge pipeline with high agreement with human annotations. We leverage MAST and MAST-Data to analyze failure patterns across models (GPT4, Claude 3, Qwen2.5, CodeLlama) and tasks (coding, math, general agent), demonstrating improvement headrooms from better MAS design. Our analysis provides insights revealing that identified failures require more sophisticated solutions, highlighting a clear roadmap for future research. We publicly release our comprehensive dataset (MAST-Data), the MAST, and our LLM annotator to facilitate widespread research and development in MAS.",
"doi": "10.48550/arXiv.2503.13657",
"url": "http://arxiv.org/abs/2503.13657",
"publication": null,
"proceedings": null,
"repository": "arXiv",
"authors": "Ion Stoica; Mert Cemri; Melissa Z. Pan; Shuyi Yang; Lakshya A. Agrawal; Bhavya Chopra; Rishabh Tiwari; Kurt Keutzer; Aditya Parameswaran; Dan Klein; Kannan Ramchandran; Matei Zaharia; Joseph E. Gonzalez",
"attachKey": "4ECNXHJ4",
"contentType": "application/pdf",
"attachPath": "storage:Cemri et al. - 2025 - Why Do Multi-Agent LLM Systems Fail.pdf",
"pdfPath": "/Users/jc/Zotero/storage/4ECNXHJ4/Cemri et al. - 2025 - Why Do Multi-Agent LLM Systems Fail.pdf"
}
]