Illustration of an AI agent workflow with signed instructions, a firewall, a robot, a broken seal and a blocked chip, symbolizing cryptographic trust for autonomous AI agents.

You Wouldn’t Run Unsigned Code: Stop Running Unsigned AI Agents

As AI shifts from generating content to executing high-risk actions, probabilistic security isn’t enough. Here is why cryptographic signing is the missing foundation of agentic trust.

AI is changing the world of work, one agent at a time. Two-thirds of enterprises are experimenting with the technology, with a growing number scaling projects to deliver “tangible business value,” according to McKinsey. But as agents find their way into a diverse range of business-critical workflows, a new trust problem is emerging.

As AI’s focus shifts from generating content to autonomously taking action, the core security question is also evolving: from one of model intelligence to authorization and accountability. This is not a problem probabilistic controls alone can solve. They are only valuable when layered on a foundation of deterministic trust. And that is best delivered by cryptographic signing.

Key takeaways

  • AI agents are becoming embedded in the fabric of business, shifting the primary security challenge from intelligence to authorization and accountability.
  • A new trust problem is emerging. Even verified agent identities can be manipulated through prompt injection, replay attacks or compromised upstream systems.
  • Probabilistic security controls are not enough. They can estimate apparent safety but cannot guarantee legitimate authorization.
  • Enterprises need deterministic trust guarantees verifying who authorized an instruction, whether it was altered, and whether it’s current — not replayed.
  • Cryptographic signing delivers deterministic guarantees via four approaches: prompt signing, LLM signing, skill (tool) signing, and identity attestation signing.
  • Quantum computers will soon break today’s encryption. Use ML-DSA (a post-quantum signing algorithm) now to counter “Harvest Now, Decrypt Later” risks for AI agents.

A new trust problem
The attack surface has shifted. Agents can execute API calls, modify infrastructure, and trigger financial and operational actions. And they’re increasingly being deployed in high-risk environments. Recent research reveals that 29% of organizations already use AI agents for security-related help desk tickets, with a further 64% planning to do so within the year.

In a worst-case scenario, every agent becomes a potential tool for data theft, unauthorized access, fraud, sabotage and more. Identifying each agent is important. But it doesn’t solve the fundamental trust problem. Even a perfectly identified agent can be hijacked. Prompt injection, replay attacks, and compromised upstream systems can enable threat actors to silently execute malicious instructions. With current controls, security teams have no way to tell whether a given directive was legitimate.

This is not just a theoretical risk. Researchers have documented many examples of these attacks in the wild. Indirect prompt injection is particularly insidious because malicious instructions could be hidden in a potentially vast array of content an agent may need to interact with to complete its assigned tasks.

In this context, the attack surface isn’t just the agent — it’s every instruction the agent receives, from every source.

Origin, integrity and relevance

When AI has this much agency, enterprise security teams need to be able to say with certainty that a specific action was explicitly authorized by the right entity, at the right time, and wasn’t tampered with.

Probabilistic controls cannot provide this guarantee. They can help decide whether something seems safe. But a deterministic approach is required to establish the three key elements needed to ensure agents can trust the directives they are given: origin, integrity and relevance.

By origin, we mean who authorized a directive: whether it came from an approved orchestrator and not an injected payload or rogue process. Integrity checks determine whether a directive has been tampered with in transit. And “relevance” denotes whether a directive has been replayed. Timestamps and nonces can ensure a directive is current and ensure replayed instructions are automatically rejected.

Four approaches to cryptographic signing

So, establishing trust at a foundational level requires a deterministic approach. But what should this look like in practice? This is where cryptographic signing comes into its own — providing mathematical proof of origin, integrity and relevance. Consider four use cases: prompt signing, LLM signing, skill (tool) signing, and identity attestation signing.

Cryptographically signing prompts provides deterministic protection against prompt injection, tampering and replay attacks. It ensures agents only act on instructions issued by authorized systems or individuals. Without it, there’s no way of distinguishing approved from injected or manipulated directives.
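As an added example (not code from the article or from Keyfactor), here is what the origin, integrity and relevance checks described above look like for a signed prompt: the orchestrator signs a canonical JSON directive with Ed25519, and the agent-side verifier rejects unknown issuers, altered payloads, stale timestamps and replayed nonces, in that order. Ed25519 stands in for the production signer (a post-quantum scheme such as ML-DSA would replace the two signing calls); the issuer names and the freshness window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Directive is the instruction an orchestrator hands to an agent. The struct
// fixes field order, so encoding/json yields one canonical byte string to sign.
type Directive struct {
	Issuer      string `json:"issuer"`      // origin: which system authorized it
	Instruction string `json:"instruction"` // what the agent is told to do
	IssuedAt    int64  `json:"issued_at"`   // relevance: Unix time of issue
	Nonce       string `json:"nonce"`       // relevance: unique per directive
}

// Sign runs on the orchestrator, which holds the private key; the detached
// signature travels alongside the directive (e.g. as a message header).
func Sign(d Directive, key ed25519.PrivateKey) []byte {
	b, _ := json.Marshal(d) // cannot fail for this plain struct
	return ed25519.Sign(key, b)
}

var ErrOrigin, ErrIntegrity = errors.New("issuer not trusted"), errors.New("signature invalid")
var ErrStale, ErrReplay = errors.New("outside freshness window"), errors.New("nonce replayed")

// Verifier is the agent-side gate: trusted issuer keys, a freshness window and
// the nonces already accepted. The nonce is recorded only after the signature
// verifies, so a forged directive cannot poison the replay cache.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	MaxAge  time.Duration
	seen    map[string]bool
}

// Verify returns nil only when origin, integrity and relevance all check out.
func (v *Verifier) Verify(d Directive, sig []byte, now time.Time) error {
	if pub, ok := v.Trusted[d.Issuer]; !ok {
		return ErrOrigin
	} else if b, _ := json.Marshal(d); !ed25519.Verify(pub, b, sig) {
		return ErrIntegrity
	}
	if age := now.Sub(time.Unix(d.IssuedAt, 0)); age > v.MaxAge || age < -v.MaxAge {
		return ErrStale // bounded clock skew tolerated in either direction
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	if key := d.Issuer + ":" + d.Nonce; v.seen[key] {
		return ErrReplay
	} else {
		v.seen[key] = true
	}
	return nil
}
```

The same verifier gates a skill manifest or an LLM output just as well: only the struct being signed changes, not the origin, integrity and freshness checks.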

Signing LLM outputs allows teams to trace actions, recommendations, or downstream decisions back to their authorized source(s). It doesn’t magically make these outputs legitimate. But it does make them accountable — supporting auditability, compliance, and incident investigation.

Signing skills is another important part of a deterministic crypto-signing approach. As AI agents gain access to enterprise tools and APIs, skills become a high-risk execution surface. Signing them is akin to signing binaries in traditional software environments. It ensures only approved capabilities are invoked, preventing unauthorized actions even when models behave unpredictably.

The final piece of the puzzle is identity attestation signing, which allows agents to authenticate, prove authorization scope, and interact securely with enterprise systems. It means access controls, lifecycle management, and revocation can be consistently enforced as for any other workload identity, and it ensures agents are integrated into zero trust architectures.

Scale demands better governance

IDC predicts AI agent deployments will grow 77-fold over the coming years to hit 2.2 billion by 2030. More significantly, it claims the annual number of tasks executed by these agents will grow at a CAGR of 524% to reach 415 trillion by the end of the decade. But technology transformation on this scale first requires trust guarantees.

Probabilistic controls will play a key role here, by interpreting behaviour. But you can’t safely interpret what you don’t trust. Only deterministic controls can prove authorization. For that reason, they’re the foundation on which every other layer of AI governance depends.

Author

Ellen Boehm Alkiewicz is a Keyfactor executive focused on digital trust, machine identity and the security of emerging technologies, including IoT, OT and agentic AI. Her work centers on helping organizations use identity, cryptography and governance to secure connected systems and autonomous software at scale.
