This is Part 2 of our series on agent security. Part 1: Agent Context: The New Attack Surface established the threat model. This post introduces the solution.
Your agent just approved a $2.4M enterprise contract at startup pricing. The decision logic was flawless. The reasoning was sound. The customer context was poisoned three hops upstream.
The Integrity Gap
We’ve spent a decade building integrity guarantees for different layers of the stack:
- Content Authenticity (C2PA): “Is this image what it claims to be?”
- Software Integrity (SLSA, in-toto, SBOMs): “Is this binary what it claims to be?”
These aren’t theoretical concerns. Deepfakes have undermined elections. Supply chain attacks have compromised thousands of organizations through a single poisoned dependency. The response was cryptographic: sign the content, attest the provenance, verify before trust.
But as AI agents become the new runtime—negotiating contracts, approving purchases, coordinating across organizational boundaries—we’ve left a gap.
Who verifies the context they reason over?
Google’s Agent-to-Agent (A2A) protocol standardizes how agents communicate across enterprises: message formats, task lifecycles, discovery mechanisms. It doesn’t define how to verify that context received from other agents is authentic, unmodified, and from authoritative sources.
That’s the missing layer.
Context as Infrastructure
Foundation Capital calls context graphs “AI’s trillion-dollar opportunity”—the structured knowledge layers that let AI systems reason over relationships, not just retrieve documents.
Gartner’s February 2026 report identifies “Context as a Service” as the next AI revenue surge, with MCP servers enabling a new generation of context infrastructure.1
A new category of memory and context layer startups has emerged—systems that maintain persistent context graphs across agent sessions.
The market agrees: context is infrastructure.
But infrastructure without integrity is an attack surface. Right now, none of these context systems carry cryptographic provenance.
Every context graph is an unsigned artifact. Every memory layer is an unattested claim. Every “Context as a Service” offering delivers content without credentials.
Beyond Prompt Injection
Security discourse around AI systems focuses on prompt injection—manipulating agent instructions to cause unintended actions. The defenses are familiar: input sanitization, output filtering, instruction hierarchies.
Context poisoning is different. It doesn’t manipulate what agents do. It corrupts what agents know.
A prompt-injected agent executes malicious instructions. A context-poisoned agent executes legitimate instructions based on false premises. The agent believes Acme Corp is an enterprise customer. It offers enterprise pricing. The reasoning is valid. The premises are wrong.
The agent’s behavior appears normal under inspection. Its decision-making process is sound. Only its inputs are lies.
The Shape of Context
Modern agent context is structured as context graphs—JSON-LD knowledge graphs that represent entities, relationships, and claims.
A pricing decision might traverse:
Customer → Contract → Volume Commitment → Discount Tier → PriceEach node is an entity. Each edge is a relationship. The agent walks this graph to answer: “What should Acme Corp pay?”
This structure creates multiple attack surfaces:
| Attack | Description |
|---|---|
| Relationship Fabrication | Creating false edges between authentic nodes |
| Authority Injection | Adding nodes with fabricated permissions |
| Relationship Severance | Removing edges to hide constraints |
| Subgraph Recontextualization | Embedding authentic subgraphs in malicious frames |
Signing individual nodes doesn’t protect against these attacks. The structure itself requires attestation.
The Inter-Enterprise Reality
A2A’s value proposition is cross-organizational agent collaboration. Your procurement agent negotiates with a supplier’s sales agent. Your compliance agent coordinates with a partner’s audit agent.
Each interaction crosses trust boundaries.
When context flows from Acme’s CRM through Contoso’s integration layer to Globex’s procurement system, each organization maintains distinct infrastructure, security postures, and incentives. The recipient cannot verify that context originated from the claimed source. They can only authenticate the immediate sender via TLS.
Three organizations. Three security perimeters. Zero end-to-end context verification.
Why TLS Isn’t the Answer
TLS provides real guarantees: server authentication, confidentiality, in-transit integrity. But its threat model doesn’t match agent context flows.
Connection vs. Content Authentication TLS authenticates endpoints, not payloads. A counterparty with a valid certificate can send false context through a secure connection.
Hop-by-Hop Protection Content decrypts at each intermediary. TLS protection ends at every hop.
No Non-Repudiation Ephemeral session keys mean no cryptographic proof binding senders to messages.
Wrong Question TLS answers: “Am I connected to the right domain?” Agents need: “Should I trust this specific claim from this specific entity?”
Context Integrity
Context Integrity is cryptographic verification that the semantic context an AI agent reasons over is authentic, unmodified, and attributable to authoritative sources.
The same pattern—content binding, signer identification, provenance chains—applied to the knowledge layer.
| Layer | Question | Solution |
|---|---|---|
| Software Integrity | Is this code trustworthy? | SLSA, in-toto, SBOMs |
| Content Authenticity | Is this media real? | C2PA manifests |
| Context Integrity | Is this context authentic? | What we’re building |
Context Integrity applies proven patterns to the artifacts agents depend on: JSON-LD context graphs, capability tokens, session state, business facts.
The Properties
Context Integrity requires five properties:
1. Content Binding
Context graphs must be cryptographically bound to a hash. We use RDF canonicalization (URDNA2015) so identical graphs produce identical hashes regardless of serialization.
2. Signer Identification
Signatures bind to Decentralized Identifiers (DIDs)—cryptographic identifiers supporting granular delegation. One key signs pricing claims. Another signs identity assertions.
3. Provenance Chains
Composed context carries full provenance. Each component’s attestation travels with the composition. Verifiers evaluate trust at every link.
4. Temporal Validity
Attestations carry trusted timestamps. Freshness policies prevent replay. A valid signature on stale context is still a vulnerability.
5. Policy Integration
Trust isn’t binary. Policy engines evaluate: Which signers? For which claims? Under what conditions?
Building on Standards
We’re assembling proven components:
| Component | Standard |
|---|---|
| Attestation format | SLSA / in-toto |
| Identity | W3C DIDs |
| Signatures | COSE / JWS |
| Canonicalization | URDNA2015 (RDF) |
| Capabilities | W3C Verifiable Credentials |
| Timestamps | RFC 3161 |
The Cost of Inaction
Context is becoming infrastructure. Investment is flowing. Systems are being built.
Without integrity, every context graph is an unverified claim. Every memory layer is a potential attack vector. Every “Context as a Service” is a trust-me proposition.
The attack surface is the unsigned context flowing through every agent interaction.
What’s Next
We’ve proven we can sign media. Content Authenticity is shipping in cameras and social platforms.
We’ve proven we can sign software. Software Integrity is a federal procurement requirement.
Now we need to sign the context agents act on.
The primitives exist. The standards exist. We’re building the integration.
Build With Us
We’re developing Context Integrity infrastructure for A2A and MCP—message-level security for the knowledge layer agents reason over.
If you’re building agent systems that cross trust boundaries, get in touch.
Footnotes
-
Gartner, “Emerging Tech: AI Vendor Race: MCP Servers Will Fuel the Next AI Revenue Surge — ‘Context as a Service,’” 19 February 2026. ↩