Security architecture for agentic systems proposed
The APDI/SEP architecture has been proposed as a layered security model for multi-agent systems. The approach treats every agent action as untrusted until verified and implements a “defense in depth” model. This pattern is gaining traction as a best practice for marketplaces and applications handling sensitive or high-stakes agent workflows.
- The "defense in depth" model addresses specific, critical vulnerabilities in agentic systems, including prompt injection to hijack behavior, memory poisoning to manipulate future decisions, and the misuse of external tools to exfiltrate data or execute unauthorized actions.
- A core principle in such architectures is treating the Large Language Model (LLM) as a "confused deputy"—an entity with privileges that can be tricked. Security checks, such as validating the parameters of a tool call or verifying API access rights, are therefore handled by a separate, deterministic orchestration layer rather than by the probabilistic LLM itself.
- In China, major technology firms are deploying agentic systems at a massive scale; Tencent's Hunyuan, for example, handles over 10 billion agent tool calls per day within its ecosystem, making scalable security and orchestration a critical infrastructure layer.
- Production-grade agent architectures increasingly separate the agent's decision-making from its execution capabilities by using a dedicated "Artifact Layer." This layer serves as a permanent system of record for all agent actions and outputs, creating a forensic audit trail necessary for security reviews and debugging.
- China's regulatory landscape requires that such architectures account for compliance. For instance, regulations effective from 2025 mandate the clear labeling of all AI-generated content and require AI services with social mobilization capabilities to file their algorithms with the Cyberspace Administration of China.
- Leading Chinese firms like Alibaba and Baidu are focused on creating a comprehensive AI operating system integrated into their platforms, with agent-based systems expected to replace chat interfaces as the primary interaction model by late 2026.
- The principle of least privilege is enforced by strictly scoping the tools an agent can use. For example, a customer service agent would be granted `SELECT` permissions for read-only database access at the engine level, with `INSERT` or `DELETE` privileges completely withheld to prevent destructive actions if the agent is compromised.
- To secure inter-agent communication in multi-agent systems, a common pattern involves using mutual TLS (mTLS) to cryptographically verify the identity of both the agent initiating a request and the one receiving it, preventing agent impersonation.
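The deterministic orchestration-layer check and the scoped-tool policy described above, as an added example that is not APDI/SEP code or any named vendor's implementation: the LLM proposes a tool call as JSON, a non-LLM gate validates it against the agent's tool allowlist and parameter schemas, and every verdict is appended to an audit record. The agent name, tool names, schemas and the read-only query pattern are assumptions; the real write-protection remains the `SELECT`-only grant at the database engine.

```python
"""Deterministic tool-call gate sitting between an LLM agent and its tools.
Added example; agent/tool names and schemas are assumptions, not APDI/SEP code."""
import re
from dataclasses import dataclass, field

# Per-agent tool scope (least privilege). Each tool maps parameter names to a
# regex the value must fully match. The SQL check here is defense in depth; the
# page's engine-level SELECT-only grant is what actually blocks writes.
POLICY = {
    "customer_service": {
        "lookup_order": {"order_id": r"^[0-9]{6,10}$"},
        "run_sql": {"query": r"^\s*SELECT\b[^;]*;?\s*$"},  # one statement only
    },
}

# Coarse, conservative check: any write keyword anywhere in the text rejects it.
WRITE_KEYWORDS = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE)\b", re.I)


@dataclass
class Gate:
    audit: list = field(default_factory=list)  # forensic record of every decision

    def check(self, agent: str, call: dict) -> tuple[bool, str]:
        """Return (allowed, reason) for a proposed call; never raises on bad input."""
        tools = POLICY.get(agent, {})  # unknown agent => empty scope
        name = call.get("tool")
        args = call.get("args", {})
        verdict = self._decide(tools, name, args)
        self.audit.append({"agent": agent, "call": call, "verdict": verdict})
        return verdict

    @staticmethod
    def _decide(tools: dict, name, args) -> tuple[bool, str]:
        if name not in tools:
            return False, f"tool {name!r} not in agent scope"
        schema = tools[name]
        if not isinstance(args, dict) or set(args) != set(schema):
            return False, "parameter set does not match schema"
        for key, pattern in schema.items():
            val = args[key]
            # Only strings are accepted; ints or nested objects fail closed.
            if not isinstance(val, str) or not re.fullmatch(pattern, val, re.I):
                return False, f"parameter {key!r} failed validation"
        if name == "run_sql" and WRITE_KEYWORDS.search(args["query"]):
            return False, "write keyword in read-only query"
        return True, "allowed"
```

Stacked statements (`SELECT 1; DROP ...`) fail the single-statement pattern before the keyword scan runs, and every rejection is still written to `audit` so a compromised agent's attempts are visible to reviewers.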