Papers
Topics
Authors
Recent
Search
2000 character limit reached

Agents-A1: Secure and Scalable AI Agents

Updated 1 July 2026
  • Agents-A1 are autonomous computational entities that perceive, reason, and act using LLMs, simulation frameworks, and formal protocols.
  • Agent architectures employ hierarchical isolation and precise memory management to enhance security, efficiency, and scalability in complex environments.
  • Empirical benchmarks demonstrate that Agents-A1 dramatically reduce attack success rates and improve task performance via robust schema validation and protocol-driven collaboration.

An agent, in computational and AI contexts, refers to an autonomous computational entity that perceives its environment, reasons about observations, and takes actions to achieve goals—often in interaction with other agents, humans, or digital artifacts. The “Agents-A1” lineage encompasses recent innovations across secure LLM agents, vision-language-action models, agentic simulation environments, protocols for agent identity and collaboration, and robust reasoning frameworks that address security, efficiency, and explainability.

1. Formal Definitions and Taxonomy of Agents

AI agents are formally defined as mappings from sequences of percepts (inputs) to actions: an agent A:PAA: \mathcal{P}^* \rightarrow \mathcal{A}, where the selected action a=A(p1,,pt)a^* = A(p_1,\ldots,p_t) maximizes expected utility UU given current percept history (Desai et al., 25 Feb 2025). Key subclasses include:

  • LLM-based Autonomous Agents: Software components that leverage foundation language or multimodal models to generate plans, call tools, interact with APIs, and perform delegated workflows.
  • Simulation/ABM Agents: Autonomous units in agent-based modeling platforms like Agents.jl, interacting via explicit rules in spatial, network, or graph-based environments (Datseris et al., 2021).
  • Vision-Language-Action Agents: Models integrating perception (e.g., image or video frames), language, and action selection for real-world agents or robots (Zhang et al., 7 Apr 2026).
  • Protocol Agents: Entities defined and managed via formal protocols (e.g., OIDC-A, ACPs), which govern interactions, identity, and trust across heterogeneous digital environments (Nagabhushanaradhya, 30 Sep 2025, Liu et al., 18 May 2025).

The taxonomy spans cognitive, collaborative, simulation-native, and physically-embedded agents, unified by autonomous reasoning and decision-making capabilities.

2. Architectures and Memory Management in Modern Agent Frameworks

Current agent architectures emphasize modularity, process-isolation, and robust memory management to ensure reliable and secure operation. Exemplars include:

AgentSys employs a strict hierarchical architecture:

  • Main Agent (Delegator): Maintains long-horizon context, delegates tool calls, and defines minimal JSON schemas (ItI_t) specifying permissible return structures.
  • Worker Agents: Spawned per tool call, operate in isolated memory with access only to the raw tool output yy, intent schema ItI_t, and a compact call Stack. They extract return values rr that must conform to ItI_t and never inject yy into the main agent’s context (Wen et al., 7 Feb 2026).
  • Validator/Sanitizer: Mediates risky commands, checking action legitimacy and sanitizing outputs as needed.

This architecture severs attack persistence by ensuring that untrusted content (e.g., from web or API responses) remains sand-boxed at the worker level—only schema-validated, JSON-parsable results propagate upward. The main agent’s context thus grows only with compact, trusted objects (O(T)O(T) context overhead), sharply reducing the attack surface and attention cost compared to conventional a=A(p1,,pt)a^* = A(p_1,\ldots,p_t)0 context growth.

3. Security and Robustness: Defending Against Indirect Prompt Injection

Indirect prompt injection (IPI) is a dominant threat against LLM agents that ingest untrusted data (e.g., web, user-generated content). The feedback loop—where early injected adversarial content persists throughout the agent’s memory and is re-processed at every step—drives high attack success rates (ASR):

a=A(p1,,pt)a^* = A(p_1,\ldots,p_t)1

Under the "important_instruction" attack on AgentDojo, conventional agents realize ASR of 30.66% overall and up to 60.53% if injection occurs on the first step of a four-round task.

AgentSys’s defense achieves a ∼39× ASR reduction (0.78% vs. 30.66%), remains effective across multiple backbone models and under adaptive attacker strategies (max ASR 2.06%). Its hierarchical separation, deterministic schema-bounded communication, and event-driven policy validation preclude both attack persistence and utility degradation (Wen et al., 7 Feb 2026).

4. Benchmarking, Evaluation Metrics, and Empirical Results

Agent systems are evaluated across utility, robustness, and efficiency axes:

  • AgentSys (AgentDojo, Agent Security Bench): | Setting | ASR (%) | Benign Utility (%) | Attack Utility (%) | |------------------------|---------|--------------------|-------------------| | Undefended | 30.66 | 63.54 | 48.27 | | AgentSys | 0.78 | 64.36 | 52.87 |
  • Scaling: AgentSys context grows as a=A(p1,,pt)a^* = A(p_1,\ldots,p_t)2, with validator/sanitizer overhead scaling to the number of command operations, not total context length.
  • Robustness: Across GPT-4o, GPT-5.1, Claude-3.7, Gemini-2.5, Qwen-2.5, ASR remains a=A(p1,,pt)a^* = A(p_1,\ldots,p_t)3.

This demonstrates that principled, architectural memory isolation can simultaneously harden agents against prompt-injection and improve decision quality, contrary to approaches focused solely on context lengthening or statistical sanitization (Wen et al., 7 Feb 2026).

5. Representative Implementations and Agent Protocols

Agent-Based Modelling (ABM):

Agents.jl implements high-performance, low-complexity ABM via Julia. Agents are mutable structs with minimal field requirements and operate in a variety of spatial and network environments. Benchmarks show 40–50% reduced code lines and 2–125× runtime speedups compared to major Python and Java frameworks (Datseris et al., 2021).

Identity, Collaboration, and Security Protocols:

  • OIDC-A 1.0: Standardizes JWT claims (e.g., agent_type, delegation_chain, agent_attestation), establishes agent-specific endpoints (e.g., /agentinfo, /agent/token), and provides algorithms for cryptographically-validated delegation chains and capability-based authorization (Nagabhushanaradhya, 30 Sep 2025).
  • ACPs: Layered suite for agent registration, discovery, interaction, and tool orchestration across the Internet of Agents, defining state machines, message envelopes (PKI-signed), and workflow models such as Petri-nets for complex task orchestration (Liu et al., 18 May 2025).

Vision-Language-Action and Domain-Specific Agents:

A1 yields a transparent, efficient vision-language-action pipeline with budget-aware early exit and truncated flow matching, achieving up to 72% reduction in per-episode latency on robot manipulation benchmarks without sacrificing task success (Zhang et al., 7 Apr 2026). Domain-specific agents (MadAgents, OptAgent) demonstrate end-to-end automation and interactive orchestration in scientific and cyber-physical environments (Plehn et al., 28 Jan 2026, Jiang et al., 27 Jan 2026).

6. Quality Assurance, SLAs, and Trust Frameworks

Quality Models and SLAs:

AgentSLA extends the ISO/IEC 25010 standard with agent-specific characteristics (autonomy, fairness, sustainability, output properties). It introduces a DSL (JSON-based) for specifying Service Level Agreements (SLAs) on key metrics (e.g., availability, accuracy, conciseness), windowed and drift-aware, and supports automated monitor generation (Jouneaux et al., 4 Nov 2025).

Trust and Economic Alignment:

Protocol-native insurance and attestation mechanisms are explored in “Insured Agents,” which model a decentralized marketplace where specialized insurer agents underwrite service agents with posted collateral, adjudicated via TEEs and hierarchical slashing contracts—offering an alternative to brittle proof-of-stake or reputation systems. Equilibrium analysis shows that rational, honest behavior is sustained through pricing, staking, and dispute protocols (Hu et al., 9 Dec 2025).

7. Methodological Advances: Agentic Reasoning and Human-Like Planning

Recent agentic frameworks (KnowCoder-A1, VideoChat-A1) integrate curriculum RL and multi-stage planning, exceeding prior art in robustness, data efficiency, and adaptability:

  • KnowCoder-A1: Combines outcome-only supervision and curriculum RL for knowledge-base QA, instantiating agents that flexibly explore reasoning paths, correct failures, and optimize toward final answer accuracy with minimal pre-specified intermediate supervision. Experimental results demonstrate a +11.1% gain over baselines on zero-shot evaluation while using a=A(p1,,pt)a^* = A(p_1,\ldots,p_t)4 the data (Chen et al., 29 Oct 2025).
  • VideoChat-A1: Realizes “chain-of-shot” reasoning across long videos, leveraging coarse-to-fine key-information summaries, embedding-based shot retrieval, and self-reflective confidence checks, producing state-of-the-art results on long video analysis with human-like focus adaptation (Wang et al., 6 Jun 2025).

Agents-A1 denotes a convergence of robust, compositional, secure, and collaborative agent architectures grounded in precise protocol, memory, and assurance frameworks. These foundations are critical for trustworthy, scalable, and performant deployment of agents across open networks, physical environments, and complex problem domains (Wen et al., 7 Feb 2026, Datseris et al., 2021, Hu et al., 9 Dec 2025, Nagabhushanaradhya, 30 Sep 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Agents-A1.