---
title: "CaML-Inspired IETF Draft Proposals"
source_paper: "Defeating Prompt Injections by Design (arXiv:2503.18813)"
source_authors: "Debenedetti, Shumailov, Fan, Hayes, Carlini, Fabian, Kern, Shi, Terzis, Tramèr"
date: 2026-03-09
status: proposal
---

# CaML-Inspired IETF Draft Proposals

Six IETF Internet-Draft proposals derived from [Defeating Prompt Injections by Design](https://arxiv.org/abs/2503.18813) (Google DeepMind / ETH Zurich, 2025), cross-referenced with the 12 identified gaps in the IETF AI agent standards landscape.

## Source Paper: CaML (CApabilities for MachinE Learning)

CaML proposes a **capability-based security layer** around LLM agents that defeats prompt injection attacks by design, not through model training. Key concepts:

- **Privileged/Quarantined LLM separation**: planning (trusted) vs. data processing (untrusted)
- **Capability tags**: every data value carries provenance (source) and access control (allowed readers)
- **Security policies**: Python-expressible per-tool policies checked before execution
- **Data flow graph**: tracks dependencies between all variables across tool calls
- **Control flow integrity**: prevents untrusted data from influencing execution plans
- Evaluated on AgentDojo: 77% task success with **provable** security (vs. 84% undefended)

## Draft Overview

| # | Draft Name | Status | Primary Gaps | CaML Section |
|---|-----------|--------|-------------|-------------|
| 1 | [Capability-Based Security Policies](01-capability-security-policies.md) | outline | #86, #89, #93 | §5.2, §5.3 |
| 2 | [Control/Data Flow Integrity](02-control-data-flow-integrity.md) | outline | #85, #88, #89 | §2, §5.4, §6.4 |
| 3 | [Data Provenance Tracking Protocol](03-data-provenance-tracking.md) | outline | #84, #88, #93 | §5.3, §5.4 |
| 4 | [Security Policy Federation](04-security-policy-federation.md) | outline | #83, #87, #90 | §5.2, §9.1 |
| 5 | [Privileged/Quarantined Execution Model](05-privileged-quarantined-execution.md) | outline | #89, #92, #94 | §5.1 |
| 6 | [Side-Channel Mitigation Framework](06-side-channel-mitigation.md) | outline | #89, #93 | §7 |

## Dependency Graph

```
Draft 5 (Execution Model)
  └─► Draft 1 (Capabilities) ◄── foundational
        ├─► Draft 2 (Flow Integrity)
        ├─► Draft 3 (Provenance)
        └─► Draft 4 (Policy Federation)
              └─► Draft 6 (Side Channels) ◄── BCP document
```

**Reading order**: 5 → 1 → 2/3 (parallel) → 4 → 6

## Gap Coverage Matrix

| Gap | Topic | Drafts |
|-----|-------|--------|
| #83 | Cross-org AI agent liability | 4 |
| #84 | Real-time explainability | 3 |
| #85 | Emergency shutdown coordination | 2 |
| #86 | Resource consumption governance | 1 |
| #87 | Cross-domain identity federation | 4 |
| #88 | Decision audit trail interop | 2, 3 |
| #89 | Adversarial agent detection | 1, 2, 5, 6 |
| #90 | Capability negotiation protocols | 4 |
| #91 | Decentralized model version control | — |
| #92 | Ethical decision conflict resolution | 5 (partial) |
| #93 | Privacy-preserving A2A communication | 1, 3, 6 |
| #94 | Behavioral specification languages | 5 |

## Relationship to Existing Work

These drafts **build on** (not compete with) existing IETF work:

- **WIMSE** (Workload Identity in Multi-System Environments): identity + security context propagation → our capabilities extend this with data-level provenance
- **ECT** (Execution Context Tokens): DAG-linked audit records → our provenance tracking is complementary
- **MCP** (Model Context Protocol): tool interface standard → our security policies wrap around MCP tool calls
- **A2A** (Agent-to-Agent): agent communication → our flow integrity applies to A2A message exchanges
- **GNAP/OAuth**: authorization → our policy federation extends authz to data-flow-aware decisions

## Iteration Tracking

| Date | Change | Author |
|------|--------|--------|
| 2026-03-09 | Initial outlines for all 6 drafts | — |
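## Illustrative Example

The following is an added example (not code from the paper or from any of the drafts above) showing how the three CaML concepts that Draft 1 and Draft 3 build on fit together: capability tags carrying sources and allowed readers, a data-flow graph built as values are derived, and a per-tool policy evaluated before `send_email` runs. The tool names, principals and the "recipient must originate from the user" rule are this example's own assumptions.

```python
from dataclasses import dataclass

PUBLIC = "Public"  # sentinel: the value may be read by anyone

@dataclass(frozen=True)
class Capability:
    """Capability tag: provenance (who produced the value) and allowed readers."""
    sources: frozenset   # e.g. frozenset({"user"}) or frozenset({"tool:read_drive"})
    readers: object      # PUBLIC or a frozenset of principals

@dataclass
class Value:
    data: object
    cap: Capability
    deps: tuple = ()     # data-flow graph edges: the values this one was derived from

def derive(data, *inputs):
    """New value from inputs: sources are unioned, readers intersected (most restrictive wins)."""
    sources = frozenset().union(*(v.cap.sources for v in inputs))
    readers = PUBLIC
    for v in inputs:
        if v.cap.readers is not PUBLIC:
            readers = v.cap.readers if readers is PUBLIC else readers & v.cap.readers
    return Value(data, Capability(sources, readers), deps=inputs)

def provenance(v):
    """Walk the data-flow graph back to its leaves and collect every source."""
    return v.cap.sources.union(*(provenance(d) for d in v.deps))

def send_email_policy(recipient, body):
    """Per-tool policy for send_email, evaluated before the tool runs. Returns (allowed, reason).
    Rule 1 (reader check): the recipient must be an allowed reader of the body.
    Rule 2 is this example's assumption about control-flow integrity: the recipient
    must come only from the user, never from untrusted tool output."""
    if recipient.cap.sources != frozenset({"user"}):
        return False, "recipient chosen by untrusted data: %s" % sorted(recipient.cap.sources)
    if body.cap.readers is not PUBLIC and recipient.data not in body.cap.readers:
        return False, "%s is not an allowed reader of the body" % recipient.data
    return True, "ok"

# Constructed scenario: the user asks to send a drive document to bob.
USER_REQ = Value("send the Q3 report to bob", Capability(frozenset({"user"}), PUBLIC))
REPORT = Value("Q3 revenue ...", Capability(frozenset({"tool:read_drive"}), frozenset({"alice", "bob"})))
BODY = derive("Here is the report: Q3 revenue ...", USER_REQ, REPORT)
BOB = derive("bob", USER_REQ)               # recipient taken from the user's request
MALLORY = derive("mallory", REPORT)         # recipient lifted from the document text (injection)
```

Because `BODY` inherits the report's reader set, a recipient the user names but who is not a reader (e.g. `derive("carol", USER_REQ)`) is also refused, which is what makes the policy a property of the data rather than of the prompt.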