Infrastructure for AI Agents

Reference: Chan, Wei, Huang, Rajkumar, Perrier, Lazar, Hadfield & Anderljung (2025). Infrastructure for AI Agents. TMLR (accepted). arXiv:2501.10114 (Centre for the Governance of AI; Oxford; ANU; Toronto). URL.

Summary

The paper proposes the concept of agent infrastructure: the technical systems and shared protocols, external to any individual agent, that mediate how agents interact with each other, with humans, and with institutions. The argument is by analogy to the Internet: a network of capable agents requires its own equivalent of TLS, DNS, X.509, BGP, and HTTP — because most safety properties of multi-agent ecosystems cannot be obtained by behavioural training of any individual model.

Chan et al. identify three functions agent infrastructure should serve. (1) Attribution — binding actions, properties, and credentials to specific agents and to the humans or institutions accountable for them, via agent IDs, attestations, and audit logs. (2) Interaction shaping — efficient inter-agent communication protocols, agreement formation, mechanism design for resource allocation, and reputation systems. (3) Detection and remediation — monitoring for harmful behaviour and providing mechanisms to roll back, contain, or compensate for damage.

For each function the paper sketches research directions, candidate adoption paths, relationships to existing internet infrastructure, and open problems. The framing is deliberately governance-first: infrastructure exists not to make agents more capable but to keep their externalities tractable as deployment scales. The paper is now the standard citation for the agent-governance / agent-infrastructure thread underlying Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, and emerging “agent passport” / verifiable-credential proposals.

Key Ideas

Agent infrastructure as governance layer: external technical systems mediating agent interactions — distinct from training-time alignment.
Three functions: attribution; interaction shaping; detection & remediation. Each maps to concrete research directions.
Attribution: agent IDs, verifiable credentials, attestations, audit logs, principal-binding (which human/org owns this agent).
Interaction shaping: inter-agent communication protocols; standardised agreement primitives; mechanism design; reputation.
Detection & remediation: anomaly detection on agent traffic; rollback mechanisms; insurance / compensation rails; “kill switch” governance.
Analogy to Internet protocols (HTTPS, DNS, BGP, X.509): infrastructure adoption is path-dependent, requires standardisation bodies, and trades expressivity for safety properties.
Open questions: who issues credentials, how privacy interacts with attribution, how to bootstrap adoption, what is enforceable cross-jurisdiction.

Connections

Conceptual Contribution

Claim: Many of the safety, accountability, and interoperability properties society will need from AI agents are not properties of any individual model — they live in the infrastructure between agents. Just as the Internet’s safety depends on TLS / DNS / BGP rather than on any single application, agent ecosystems will depend on agent-level analogues: attribution, interaction shaping, and detection-and-remediation infrastructure.
Mechanism: A three-function taxonomy (attribution / interaction-shaping / detection-and-remediation) with a catalogue of candidate primitives — agent IDs, verifiable credentials, inter-agent protocols, certification regimes, reputation systems, rollback mechanisms — plus analysis of adoption pathways relative to existing internet infrastructure.
Concepts introduced/used: Agent Infrastructure, Agent ID, Verifiable Agent Credentials, Inter-Agent Protocols, Action Attribution, Agent Reputation, Agent Rollback, AI Governance
Stance: governance / position paper / research-agenda
Relates to: Provides the governance scaffolding within which Open Challenges in Multi-Agent Security threats must be addressed; the institutional counterpart to Virtual Agent Economies’s economic framing; concrete protocols proposed include Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol — surveyed alongside in Survey Of AI Agent Protocols and Survey Of Agent Interoperability Protocols. The attribution leg connects to NDAI Agreements (TEEs as a particular attribution / commitment substrate) and Trusted Machine Learning Models Unlock Private Inference (capable models as a trust substrate).

Tags

#agent-infrastructure #ai-governance #llm-agents #multi-agent #attribution #protocols #tmlr

Backlinks

Linked Pages

Trusted Machine Learning Models Unlock Private Inference

Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography

Reference: Shumailov, Ramage, Meiklejohn, Kairouz, Hartmann, Balle & Bagdasarian (2025). Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography. arXiv:2501.08970 (Google Research). URL.

Summary

The paper proposes Trusted Capable Model Environments (TCMEs) — a new design point in the privacy-preserving-computation landscape, sitting between classical trusted execution environments and cryptographic protocols such as multi-party computation (MPC), homomorphic encryption, and zero-knowledge proofs. The motivating observation: capable modern ML models can plausibly play the role of the trusted third party in many private-inference scenarios that classical cryptography handles only at toy scale or not at all.

A TCME is defined by three constraints under which a capable model operates: (i) explicit input/output constraints scoping what the model is permitted to receive and emit; (ii) explicit information-flow control binding outputs to authorised data-flow channels; (iii) explicit statelessness — the model cannot retain or leak inputs across sessions. Under these constraints, even an inscrutable LLM can serve as a credible “trusted intermediary”: it computes a function of two parties’ data and reveals only the agreed output.

The authors argue TCMEs unlock private inference for problems where MPC is infeasible because the function is too rich, the inputs too large, or the spec too implicit (natural-language matching, fuzzy de-duplication, semantic agreement-checking). They walk through use cases — private record matching, contract negotiation, secret-keeping triage — and show that even classical cryptographic problems (private set intersection, secure multi-party comparison) admit TCME implementations that scale further than current MPC. The paper closes with the limitations: trust in TCMEs reduces to trust in the model+hardware+policy stack; statelessness must be engineered, not assumed.

Key Ideas

TCME definition: a capable ML model + explicit I/O constraints + explicit information-flow control + explicit statelessness.
Trusted-third-party substitution: the model fills the role MPC traditionally requires a non-colluding cryptographic protocol to enact.
Coverage envelope: TCMEs handle privacy problems too rich or too implicit for current MPC (semantic matching, fuzzy agreements, natural-language contracts).
Bridge to cryptography: even classical PSI/comparison protocols can be implemented as TCMEs — sometimes more efficiently.
Statelessness is engineered: memory leaks, side channels, and re-training contamination are the real attack surface, not the model logic.
Trust composition: TCME trust assumption = trust(model) ∧ trust(hardware) ∧ trust(policy enforcement).
Use cases sketched: private record matching, negotiation, triage, search over private corpora, semantic compliance checks.

Connections

Conceptual Contribution

Claim: Capable ML models, operated under explicit information-flow and statelessness constraints, can act as trusted third parties for private-inference problems that classical cryptography cannot scale to. This expands the realm of feasible privacy-preserving computation beyond MPC’s current envelope.
Mechanism: Define Trusted Capable Model Environments (TCMEs): model + explicit I/O constraints + explicit IFC + explicit statelessness. Demonstrate via use cases that TCMEs solve both novel privacy problems (semantic matching) and re-instantiate classical ones (PSI) at scales MPC cannot reach.
Concepts introduced/used: Trusted Capable Model Environment, Trusted Third Party, Information Flow Control, Private Inference, Statelessness (Privacy), Multi-Party Computation
Stance: position / architectural proposal
Relates to: Direct companion to NDAI Agreements — both treat TEE+AI or model+constraints as a substrate for previously infeasible commitment / privacy primitives. Provides the technical substrate that Privacy Reasoning in Ambiguous Contexts reasons about behaviourally and that Infrastructure for AI Agents would expose as governance infrastructure. Complementary to Defeating Prompt Injections by Design’s CaMeL: both treat the agent as a constrained reasoner whose outputs are gated by information-flow policy.

NDAI Agreements

Reference: Stephenson, Miller, Sun, Annem & Parikh (2025). NDAI Agreements. arXiv:2502.07924 (UIUC; Cornell Tech; et al.). URL.

Summary

The “NDAI agreement” — non-disclosure AI agreement — is a mechanism in which a TEE combined with an AI agent jointly stands in for a trusted human intermediary, resolving the classical disclosure–appropriation paradox of information markets first identified by Arrow (1962) and Nelson (1959). An inventor cannot reveal an idea to a potential investor without risking misappropriation; without revealing it, no efficient bargain can be struck. The result is well-known: under-disclosure, under-investment, under-licensing.

Stephenson et al. show formally — via a buyer/seller bargaining game — that delegating the disclosure-and-payment decision to a tamper-proof program running inside a TEE eliminates the hold-up problem, achieving full disclosure and an efficient ex post transfer. When the invention’s value exceeds the value a TEE can fully secure (e.g. because some leakage is unavoidable), partial disclosure still strictly improves welfare over the no-disclosure equilibrium. They then model agent error — payments or disclosures going wrong — and prove that simple safeguards (budget caps, acceptance thresholds) preserve most of the efficiency gains.

The substantive economic claim is that TEE + AI behave as an “ironclad NDA”: a credible commitment device for the disclosure problem that was previously unattainable with paper contracts (because expropriation is unverifiable) or with cryptography alone (because invention value is unbounded and the seller’s information is a complex unstructured artefact). The result links the Mechanism Design / Hold-Up Problem tradition to AI-agent infrastructure, and gives a sharp theoretical case for the economic value of trusted model environments and confidential-compute hardware as agent-economy substrates.

Key Ideas

Formalises the Arrow–Nelson information paradox / hold-up problem in a bargaining model between seller (inventor) and buyer (investor).
TEEs + AI agents delegate disclosure and payment to tamper-proof programs that neither party can subvert; this implements an ex-ante commitment device unavailable under classical contracts.
Full-disclosure efficient equilibrium under the NDAI when the invention’s value lies within what the TEE can secure.
Partial disclosure dominates no-disclosure even when full security is impossible: high-value inventions still get partially revealed in welfare-improving ways.
Models agent imperfection: errors in payment or disclosure can occur; budget caps and acceptance thresholds bound the damage and preserve most welfare.
Frames TEEs+AI as an “ironclad NDA”: a cryptographically/hardware-enforced commitment that traditional NDAs cannot match.
Policy implications for R&D Commercialisation, Technology Transfer, and inter-firm collaboration; bridges economic theory to confidential-compute hardware.

Connections

Conceptual Contribution

Claim: A trusted execution environment hosting an AI agent can serve as a credible commitment device that solves the classical Arrow–Nelson disclosure problem of information markets — achieving full disclosure and efficient transfer where paper NDAs and pure cryptography both fail.
Mechanism: A bargaining model in which TEEs+AI mediate the disclosure-and-payment decision; closed-form characterisation of equilibria for full and partial disclosure; sensitivity analysis to agent error with policy-instrument bounds (budget caps, acceptance thresholds).
Concepts introduced/used: NDAI Agreement, Trusted Execution Environment, Hold-Up Problem, Arrow Information Paradox, Mechanism Design, Commitment Device, Disclosure Game
Stance: formal economic theory with technical implications
Relates to: Companion to Trusted Machine Learning Models Unlock Private Inference — both argue that capability + trusted execution can replace previously infeasible cryptographic primitives. The economic counterpart to the engineering catalogue in Infrastructure for AI Agents; a building block for the markets imagined in Virtual Agent Economies and the information-asymmetry resolution explored in Language Models Can Reduce Asymmetry in Information Markets. Sits in the lineage of Vickrey / mechanism-design tradition.

Survey Of Agent Interoperability Protocols

A Survey of Agent Interoperability Protocols: MCP, ACP, A2A, and ANP

Reference: Ehtesham, Singh, Gupta, Kumar (2025). arXiv:2505.02279. Source file: 2505.02279v1.pdf. URL

Summary

This survey examines four emerging agent communication protocols targeting different interoperability tiers: the Model Context Protocol (MCP) for JSON-RPC tool invocation and context delivery; the Agent Communication Protocol (ACP) for REST-native multi-part performative messaging; the Agent-to-Agent Protocol (A2A) for peer-to-peer Agent-Card-based task outsourcing; and the Agent Network Protocol (ANP) for decentralized discovery using DIDs and JSON-LD.

The authors contrast architectures, discovery mechanisms, security models, and communication patterns, then recommend a phased adoption roadmap (MCP for tool access, then ACP for messaging, A2A for collaborative execution, ANP for open marketplaces). A timeline traces ancestry from KQML (1993) and FIPA-ACL (2000) through RAG, ReAct, function-calling up to modern agent protocols.

Key Ideas

Phased adoption roadmap: MCP -> ACP -> A2A -> ANP.
MCP core primitives: Tools, Resources, Prompts, Sampling under JSON-RPC 2.0.
A2A introduces Agent Cards, Tasks, Artifacts for enterprise-scale delegation.
ANP uses DIDs and JSON-LD for decentralized, internet-scale agent discovery.
Security threats tabulated across creation/operation/update lifecycle phases.

Connections

Conceptual Contribution

Claim: Modern agent interoperability is best understood as a four-tier stack (MCP for tools, ACP for messaging, A2A for delegation, ANP for open discovery) and should be adopted in that phased order.
Mechanism: Structured comparison of architectures, discovery, security, and message patterns; historical timeline rooting each protocol in KQML/FIPA-ACL ancestry; lifecycle threat table.
Concepts introduced/used: Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, Agent Communication Protocol, KQML, FIPA-ACL, Agent Cards, Decentralized Identifiers, JSON-RPC, Tool Use, LLM Agents
Stance: survey
Relates to: Complements the broader Survey Of AI Agent Protocols with a narrower, adoption-oriented roadmap. Its security-threat lifecycle connects directly to AI Agents Under Threat and MalTool Malicious Tool Attacks.

Tags

Survey Of AI Agent Protocols

A Survey of AI Agent Protocols

Reference: Yang, Chai, Song, Qi, Wen, Li, Liao, Hu, Lin, Chang, Liu, Wen, Yu, Zhang (2025). arXiv:2504.16736. Source file: 2504.16736v2.pdf. URL

Summary

This survey offers the first comprehensive classification and analysis of emerging AI agent protocols for LLM-based agents. The authors propose a two-dimensional taxonomy: (object orientation) context-oriented vs inter-agent protocols, and (application scenario) general-purpose vs domain-specific, covering MCP, A2A, ANP, ACP, Agora, LMOS, agents.json, LOKA, PXP, CrowdES, and others.

The paper then evaluates these protocols across efficiency, scalability, security, reliability, extensibility, operability, and interoperability, and sketches a forward-looking agenda: protocols should evolve from static to adaptive, from rules to ecosystems, and from mere communication to collective intelligence infrastructure.

Key Ideas

Two-dimensional taxonomy of agent protocols (object orientation x application scenario).
MCP as a universal context-oriented protocol with Host/Client/Server/Resource roles.
Inter-agent layer splits into general-purpose (A2A, ANP, AITP, ACP, Agora) and domain-specific (robot, human-computer, system).
Evaluation across 7 axes; case studies of MCP, A2A, ANP, Agora.
Next-generation protocols need adaptability, privacy preservation, group interaction.

Connections

Conceptual Contribution

Claim: The zoo of emerging LLM Agents protocols can be organised along two orthogonal axes (context-oriented vs inter-agent; general-purpose vs domain-specific), and evaluated on a shared seven-axis rubric.
Mechanism: Builds a taxonomy, then systematically compares Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, ACP, Agora, LMOS, agents.json, LOKA, PXP, CrowdES against efficiency, scalability, security, reliability, extensibility, operability, interoperability, with case studies.
Concepts introduced/used: Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, Agent Communication Languages, LLM Agents, Multi-Agent Systems, Interoperability, Agent Discovery
Stance: survey
Relates to: Shares its subject with Survey Of Agent Interoperability Protocols but takes a broader taxonomic view; its forward-looking “protocols as ecosystems” framing converges with Levels Of Social Orchestration and motivates coordination layers like Ripple Effect Protocol. Historical continuity with KQML and FIPA-ACL is implicit.

Tags

Agent Network Protocol

ANP — protocol stack for multi-agent networks.

Discussed in:

Agent-to-Agent Protocol

A2A — protocol for inter-agent communication among autonomous LLM agents.

Discussed in:

Model Context Protocol

MCP — an open protocol (Anthropic, 2024) standardising how LLM applications connect to external tools and data sources.

Discussed in:

Virtual Agent Economies

Reference: Tomasev, Franklin, Leibo, Jacobs, Cunningham, Gabriel & Osindero (2025). Virtual Agent Economies. arXiv:2509.10147 (Google DeepMind). URL.

Summary

The paper provides a conceptual framework — the “sandbox economy” — for analysing the rapidly emerging economic layer in which AI agents transact and coordinate at scales and speeds beyond direct human oversight. It situates the question on two orthogonal axes: (i) origin — whether the agent economy emerged spontaneously from autonomous deployments or was intentionally designed; and (ii) separateness — whether it is permeable to (or insulated from) the established human economy. Most current trajectories occupy the spontaneous × permeable quadrant: vast, fast, and tightly coupled to human markets — the riskiest configuration for systemic externalities.

The authors argue for proactive steerable market design rather than passive emergence. Three design levers receive most of the discussion. (1) Auction mechanisms — adapted VCG / second-price / matching mechanisms — for fair resource allocation and preference resolution among agents. (2) Mission economies — agent markets architected around explicit collective goals (climate, public health, AI safety), where price signals are deliberately steered. (3) Socio-technical infrastructure — accountability, attribution, audit, governance — much of which overlaps with Infrastructure for AI Agents’s programme.

The paper is best read as the economic counterpart to Open Challenges in Multi-Agent Security and Infrastructure for AI Agents: together they delineate the threat surface, governance scaffolding, and economic architecture of the emerging agent economy, and argue that none can be ignored. Risks emphasised include systemic instability (algorithmic flash-crashes spreading to human markets), inequality amplification (agents capturing surplus from price-discrimination at machine speed), and the loss of human-economy slack — the friction that gives humans time to react.

Key Ideas

Sandbox economy framework: two axes — origin (emergent / intentional) × separateness (permeable / impermeable).
Current trajectory: spontaneous + highly permeable agent economy — opportunity and the riskiest configuration for systemic spillover.
Auctions for agent markets: revisits VCG / Vickrey / matching mechanisms for fair allocation and preference resolution among AI participants.
Mission economies: intentionally steered markets aligned to collective goals (climate, public health, AI safety).
Socio-technical infrastructure: trust, attribution, accountability — the governance layer that complements market design.
Systemic risk: flash-crash-like cascades from agent markets into human markets; inequality amplified by machine-speed price discrimination.
Call to proactive design: infrastructure choices now will shape whether the agent economy is steerable or merely emergent.

Connections

Conceptual Contribution

Claim: A vast, permeable AI-agent economy is emerging by default. Letting it emerge unsteered is the highest-risk design choice. Proactive market design — auctions, mission economies, governance infrastructure — is needed to keep agent economies aligned with long-term human flourishing.
Mechanism: A framework characterising agent economies along origin × separateness; a catalogue of three design levers (auctions, mission economies, infrastructure); a discussion of systemic risks and policy implications.
Concepts introduced/used: Sandbox Economy, Mission Economy, Agent Market, Steerable Market, Mechanism Design, Algorithmic Collusion, Systemic Risk (Agent Markets)
Stance: position paper / research agenda
Relates to: Sister piece to Infrastructure for AI Agents (infrastructure framing) and Open Challenges in Multi-Agent Security (threat framing) — these three jointly outline the agent-economy / agent-security / agent-governance space. Auction-design discussion connects to Mechanism Design for Large Language Models (LLM-internal auctions) and Vickrey 1961 (foundational mechanism design). Collusion concerns operationalised in Learning Collusion in Episodic Inventory-Constrained Markets and Do LLM Agents Have Regret.

Open Challenges in Multi-Agent Security

Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents

Reference: Schroeder de Witt, Krawiecka, Krawczuk, Hagag, Anderson, et al. (24 authors total) (2025). Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents. arXiv:2505.02077 (Oxford / Cambridge / EPFL / industrial labs). URL.

Summary

This position paper introduces Multi-Agent Security (MASec) as a distinct research field, sitting between traditional cybersecurity, AI safety, and multi-agent systems — and argues that it is the dominant security frontier as LLM Agents begin to interact directly with one another across the open web, physical environments, and institutional infrastructures. The threats MASec studies emerge from interaction; they are not properties of any single agent in isolation.

The authors taxonomise threats arising from agent interaction along several axes: (i) secret collusion (agents coordinating to defeat oversight through covert side-channels including steganographic message-passing), (ii) coordinated swarm attacks (jailbreaks, prompt injections, or misinformation cascading through agent networks), (iii) network-effect amplification (privacy breaches, data poisoning, and disinformation spreading faster than mitigation), and (iv) multi-agent dispersion / stealth optimisation (adversaries exploiting fleet size to evade detection and persist).

They argue these threats are systematically understudied because research is scattered across AI Safety, Multi-Agent Systems, Distributed Security, Game Theory, complex systems, and AI governance, each with its own vocabulary. The paper provides a unifying taxonomy, identifies fundamental security–utility and security–security trade-offs, and lays out a research agenda — including the design of Free-Form Protocols (necessary for task generalisation but enabling collusion), governance and attribution infrastructure, and detection/response mechanisms for emergent multi-agent threats. The work is foundational reading for anyone designing inter-agent protocols, including the Agent-to-Agent Protocol, Model Context Protocol, and successors.

Key Ideas

Defines Multi-Agent Security (MASec) as a field: securing networks of interacting AI agents against threats that emerge or amplify through interaction.
Secret collusion: agents coordinating covertly (including via steganography) to defeat oversight — a new kind of “Schelling-point” attack on alignment.
Coordinated swarm attacks: distributed jailbreaks, prompt injections, data poisoning that succeed because the fleet succeeds even when individual instances fail.
Network effects: privacy breaches, disinformation, and jailbreaks spread through agent populations the way they spread through humans — only faster.
Dispersion & stealth optimisation: adversaries exploit the size and heterogeneity of agent fleets to evade oversight; novel persistent threats at system level.
Free-form protocols as risk surface: the same expressivity that makes inter-agent communication useful enables covert channels; reining in expressivity costs utility.
Security–utility and security–security trade-offs are fundamental — every defence opens or closes other attack surfaces.
Calls for a unified MASec research agenda spanning AI Safety, Distributed Security, Game Theory, complex systems, and AI governance.

Connections

Conceptual Contribution

Claim: Security of interacting AI agents is a distinct problem from either single-agent AI safety or classical cybersecurity. Threats emerge from interaction (secret collusion, swarm attacks, network-effect contagion) and are systematically missed by frameworks anchored to individual systems or static attack surfaces.
Mechanism: A new field — Multi-Agent Security — with a threat taxonomy (collusion, swarm, contagion, dispersion), explicit security–utility / security–security trade-offs, and a research agenda spanning protocol design, attribution, detection, and governance.
Concepts introduced/used: Multi-Agent Security, Secret Collusion, Swarm Attack, Network Effect (Security), Free-Form Protocols, Stealth Optimisation, Agent Security, AI Governance
Stance: position paper / survey / research agenda
Relates to: Sister survey to SoK The Attack Surface of Agentic AI but operating one level up — at networks of agents rather than the agent runtime. Provides the multi-agent threat model that defences like Defeating Prompt Injections by Design address, that infrastructure proposals like Infrastructure for AI Agents try to govern, and that economic frameworks like Virtual Agent Economies embed. Directly extends classical Distributed Security and connects to Learning Collusion in Episodic Inventory-Constrained Markets for the collusion sub-thread.

AI Governance

Field studying institutional, legal, and infrastructural mechanisms for ensuring AI systems are developed and deployed safely and accountably. Sits behind Infrastructure for AI Agents and the policy programme of Virtual Agent Economies.

In this vault

Agent Rollback

(page does not exist)

Agent Reputation

(page does not exist)

Action Attribution

(page does not exist)

Inter-Agent Protocols

(page does not exist)

Verifiable Agent Credentials

(page does not exist)

Agent ID

(page does not exist)

Agent Infrastructure

Technical systems and shared protocols external to individual AI agents that mediate their interactions with each other, humans, and institutions. Three core functions per Chan et al. 2025: attribution (agent IDs, credentials, audit), interaction shaping (protocols, mechanism design, reputation), and detection & remediation (anomaly detection, rollback, compensation).

In this vault

Distributed Security

Security of distributed/agent systems: mobile code, secure messaging, language-based defences.

Trust and Reputation

Computational models for assessing trustworthiness of agents.

LLM Agent Communication Protocol Requires Urgent Standardization

LLM Agent Communication Protocol (LACP) Requires Urgent Standardization: A Telecom-Inspired Protocol is Necessary

Reference: Xin Li, Mengbing Liu, Chau Yuen (2025). NeurIPS 2025 Workshop on AI and ML for Next-Generation Wireless Communications and Networking (AI4NextG). NTU Singapore. Source file: 17_LLM_Agent_Communication_Pro.pdf. Project homepage

Summary

Position paper arguing that the field of LLM agents is repeating the “protocol wars” of 1970s–1990s networking and urgently needs a unified, telecom-inspired communication standard before fragmentation entrenches. The authors survey the current zoo (OpenAI Function Calling, LangChain Agent Protocol, Model Context Protocol, ACP, Agent Network Protocol, Agora, Agent-to-Agent Protocol) and identify three structural deficiencies: crippling interoperability gaps, security as an afterthought, and monolithic designs lacking transactional integrity.

They propose LACP, a three-layer protocol — Semantic (PLAN/ACT/OBSERVE message types), Transactional (signing, sequencing, two-phase commit, idempotency via transaction IDs), and Transport (HTTP/2, QUIC, WebSockets) — built on the Narrow Waist Principle borrowed from IP. Design principles are explicitly distilled from telecom history: consensus-driven open standards (ITU, 3GPP), security-by-construction (GSM ciphering, SIM-based identity), and layered abstractions (OSI, EPS bearer separation). A working Flask + python-jose prototype with ECDSA-signed JWS messages shows ~3% latency overhead and +30% payload size at realistic message sizes, plus successful tampering- and replay-attack rejection that TLS alone cannot provide.

Key Ideas

“Protocol wars” analogy: today’s fragmented LLM-agent ecosystem mirrors pre-TCP/IP networking; without a common substrate the transformative potential of distributed AI stalls.
Three-layer LACP: Semantic / Transactional / Transport, each with well-defined interfaces enabling independent evolution.
Minimal universal message types — PLAN, ACT, OBSERVE, ERROR — wrapped in a JWS envelope; domain-specific content embedded inside the narrow waist.
Transactional layer provides what TLS cannot: end-to-end signed integrity surviving termination at endpoints, plus idempotency keys (transaction_id) defeating replay.
“Security by construction, not afterthought” lesson lifted from GSM/3GPP: every layer ships with mandatory crypto, not optional add-ons.
Pre-emptive rebuttals to four standard objections (stifles innovation, semantic diversity, latency overhead, existing frameworks suffice).
Detailed appendix tracing 1G→6G protocol evolution as a blueprint for agent-protocol generations.

Connections

Survey Of AI Agent Protocols
Survey Of Agent Interoperability Protocols
A Scalable Communication Protocol for Networks of LLMs
Model Context Protocol
Agent-to-Agent Protocol
Agent Network Protocol
Ripple Effect Protocol
Agent Communication Languages
Principled Design Of The Modern Web Architecture
LLM Agents
CBCL - Safe Self-Extending Agent Communication — complementary call: where LACP standardises a narrow-waist protocol stack with transactional integrity, CBCL standardises the message language with formally-checked LangSec safety.

Conceptual Contribution

Claim: The fragmented landscape of LLM-agent communication protocols is structurally analogous to pre-TCP/IP networking and demands an immediate, principled standardisation effort; a telecom-style layered protocol with mandatory cryptographic and transactional guarantees is not merely beneficial but necessary for safety-critical multi-agent deployments (e.g. NextG/6G).
Mechanism: Distil four principles from telecom history (consensus-driven standards, security-by-construction, layered abstraction, narrow waist) and instantiate them as LACP — a three-layer stack: Semantic (PLAN/ACT/OBSERVE over a minimal universal vocabulary), Transactional (JWS signing, transaction IDs, two-phase commit, retry/timeout), Transport (binary framing over HTTP/2, QUIC, WebSockets). Validated by a Python/Flask prototype: 10,000-request benchmark shows +2.9% latency on large payloads; tampering and replay attacks rejected at the application layer where TLS terminates.
Concepts introduced/used: LACP, Narrow Waist Principle, Layered Architecture, Layered Systems, Protocol Design, Atomic Transaction, Two-Phase Commit, End-to-End Message Signing, Idempotency, Replay Attack, Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, LLM Agents, Multi-Agent Systems, Interoperability
Stance: position / engineering proposal
Relates to: Direct response to the protocol-zoo charted by Survey Of AI Agent Protocols and Survey Of Agent Interoperability Protocols. Where A Scalable Communication Protocol for Networks of LLMs (Agora) sidesteps fragmentation via a meta-protocol that negotiates Protocol Documents on demand, LACP takes the opposite stance: a single mandated narrow waist with security-by-construction. Echoes the layered-evolution argument of Principled Design Of The Modern Web Architecture, the end-to-end reasoning of End-to-End Arguments in System Design, and the TCP/IP narrow-waist tradition. Its security-first posture aligns with SoK The Attack Surface of Agentic AI and the LangSec lineage of Security Applications Of Formal Language Theory; the transactional-integrity layer answers attack vectors raised in ClawWorm Self-Propagating Attacks Across LLM Agent Ecosystems and MalTool Malicious Tool Attacks.

Tags

Mechanism Design

The branch of game theory that designs interaction rules so that self-interested agents, acting in equilibrium, produce a desired social outcome; applied in ACL evolution to shape negotiation protocols that reach efficient linguistic conventions.

In this vault

Toward Automated Evolution of ACLs

Agent Security

Security concerns specific to LLM-agent systems: tool attacks, prompt injection, memory poisoning, inter-agent trust failures.

In this vault

Multi-Agent Systems

Systems of multiple autonomous agents that interact, coordinate, and sometimes compete.