Zero-Trust Runtime Verification for Agentic Payment Protocols: Mitigating Replay and Context-Binding Failures in AP2
- URL: http://arxiv.org/abs/2602.06345v1
- Date: Fri, 06 Feb 2026 03:22:11 GMT
- Title: Zero-Trust Runtime Verification for Agentic Payment Protocols: Mitigating Replay and Context-Binding Failures in AP2
- Authors: Qianlong Lan, Anuj Kaul, Shaun Jones, Stephanie Westrum,
- Abstract summary: We present a security analysis of the AP2 mandate lifecycle and identify enforcement gaps that arise during runtime in agent-based payment systems. We propose a zero-trust runtime verification framework that enforces explicit context binding and consume-once mandate semantics. We show that context-aware binding and consume-once enforcement address distinct and complementary attack classes, and that both are required to prevent replay and context-redirect attacks.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The deployment of autonomous AI agents capable of executing commercial transactions has motivated the adoption of mandate-based payment authorization protocols, including the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2). These protocols replace interactive, session-based authorization with cryptographically issued mandates, enabling asynchronous and autonomous execution. While AP2 provides specification-level guarantees through signature verification, explicit binding, and expiration semantics, real-world agentic execution introduces runtime behaviors such as retries, concurrency, and orchestration that challenge implicit assumptions about mandate usage. In this work, we present a security analysis of the AP2 mandate lifecycle and identify enforcement gaps that arise during runtime in agent-based payment systems. We propose a zero-trust runtime verification framework that enforces explicit context binding and consume-once mandate semantics using dynamically generated, time-bound nonces, ensuring that authorization decisions are evaluated at execution time rather than assumed from static issuance properties. Through simulation-based evaluation under high concurrency, we show that context-aware binding and consume-once enforcement address distinct and complementary attack classes, and that both are required to prevent replay and context-redirect attacks. The proposed framework mitigates all evaluated attacks while maintaining stable verification latency of approximately 3.8 ms at throughput levels up to 10,000 transactions per second. We further demonstrate that the required runtime state is bounded by peak concurrency rather than cumulative transaction history, indicating that robust runtime security for agentic payment execution can be achieved with minimal and predictable overhead.
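As an added illustration (not the paper's code or the AP2 reference implementation), a minimal execution-time verifier in the spirit of the framework the abstract describes: each mandate carries an issuer signature and a time-bound, single-use nonce, and the verifier checks signature, expiry, context binding and consume-once at execution time, holding only the nonces of unexpired mandates so its state is bounded by live concurrency rather than transaction history. The field names, the HMAC stand-in for the issuer signature, and the sample mandates are assumptions.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass, asdict
ISSUER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the issuer's signature key

@dataclass(frozen=True)
class Mandate:
    mandate_id: str
    agent_id: str
    merchant_id: str
    amount: int        # minor currency units
    nonce: str         # issuer-generated, time-bound, single use
    expires_at: float  # unix seconds
    sig: str = ""

def sign(m: Mandate) -> str:
    fields = {k: v for k, v in asdict(m).items() if k != "sig"}
    return hmac.new(ISSUER_KEY, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue(mandate_id, agent_id, merchant_id, amount, now, ttl=30.0) -> Mandate:
    m = Mandate(mandate_id, agent_id, merchant_id, amount, secrets.token_hex(16), now + ttl)
    return Mandate(**{**asdict(m), "sig": sign(m)})

class RuntimeVerifier:
    def __init__(self):
        self.consumed = {}  # nonce -> expires_at; only unexpired mandates are tracked
    def verify_and_consume(self, m: Mandate, ctx: dict, now: float) -> str:
        self.consumed = {n: t for n, t in self.consumed.items() if t > now}  # prune expired
        if not hmac.compare_digest(sign(m), m.sig):
            return "reject:bad_signature"
        if now >= m.expires_at:
            return "reject:expired"
        if (ctx["agent_id"], ctx["merchant_id"], ctx["amount"]) != (m.agent_id, m.merchant_id, m.amount):
            return "reject:context_mismatch"  # valid mandate presented in a different context
        if m.nonce in self.consumed:
            return "reject:replay"  # retry or replay of an already-consumed mandate
        self.consumed[m.nonce] = m.expires_at
        return "accept"

def run_scenarios() -> dict:
    v, t0 = RuntimeVerifier(), 1_000_000.0
    m = issue("m1", "agent-A", "merchant-X", 4999, t0)  # constructed sample mandate
    ctx = {"agent_id": "agent-A", "merchant_id": "merchant-X", "amount": 4999}
    r = {"first": v.verify_and_consume(m, ctx, t0 + 1)}
    r["replay"] = v.verify_and_consume(m, ctx, t0 + 2)
    m2 = issue("m2", "agent-A", "merchant-X", 4999, t0)
    r["redirect"] = v.verify_and_consume(m2, {**ctx, "merchant_id": "merchant-Y"}, t0 + 3)
    r["live_state"] = len(v.consumed)
    r["after_expiry"] = v.verify_and_consume(m, ctx, t0 + 60)
    r["state_after"] = len(v.consumed)
    return r
```

The two rejections are independent: the redirected mandate fails context binding before its nonce is ever consumed, and the replayed one passes every static check but fails consume-once, which is why both mechanisms are needed.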
Related papers
- Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections [57.64370755825839] (2026-02-17T15:28:24Z)
  Self-evolving agents update their internal state across sessions, often by writing and reusing long-term memory. We study this risk and formalize a persistent attack we call a Zombie Agent. We present a black-box attack framework that uses only indirect exposure through attacker-controlled web content.
- Autonomous Action Runtime Management (AARM): A System Specification for Securing AI-Driven Actions at Runtime [0.0] (2026-02-10T05:57:30Z)
  This paper introduces Autonomous Action Management (AARM), an open specification for securing AI-driven actions at runtime. AARM intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary.
- Faramesh: A Protocol-Agnostic Execution Control Plane for Autonomous Agent Systems [0.0] (2026-01-25T08:27:27Z)
  Faramesh is a protocol-agnostic execution control plane that enforces execution-time authorization for agent-driven actions. We show how these primitives yield enforceable, predictable governance for autonomous execution.
- Preventing the Collapse of Peer Review Requires Verification-First AI [49.995126139461085] (2026-01-23T17:17:32Z)
  We propose truth-coupling, i.e. how tightly venue scores track latent scientific truth. We formalize two forces that drive a phase transition toward proxy-sovereign evaluation.
- Towards Verifiably Safe Tool Use for LLM Agents [53.55621104327779] (2026-01-12T21:31:38Z)
  Large language model (LLM)-based AI agents extend capabilities by enabling access to tools such as data sources, APIs, search engines, code sandboxes, and even other agents. LLMs may invoke unintended tool interactions and introduce risks, such as leaking sensitive data or overwriting critical records. Current approaches to mitigate these risks, such as model-based safeguards, enhance agents' reliability but cannot guarantee system safety.
- VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit [44.24310459184061] (2026-01-09T12:19:49Z)
  LLM agents operating in open environments face escalating risks from indirect prompt injection. We propose VIGIL, a framework that shifts the paradigm from restrictive isolation to a verify-before-commit protocol.
- SmartSnap: Proactive Evidence Seeking for Self-Verifying Agents [45.71333459905404] (2025-12-26T14:51:39Z)
  SmartSnap is a paradigm shift from passive, post-hoc verification to proactive, in-situ self-verification by the agent itself. We introduce the Self-Verifying Agent, a new type of agent designed with dual missions: to complete a task and to prove its accomplishment with curated evidence. Experiments on mobile tasks across model families and scales demonstrate that our SmartSnap paradigm allows training LLM-driven agents in a scalable manner.
- Binding Agent ID: Unleashing the Power of AI Agents with Accountability and Credibility [46.323590135279126] (2025-12-19T13:01:54Z)
  BAID (Binding Agent ID) is a comprehensive identity infrastructure establishing verifiable user-code binding. We implement and evaluate a complete prototype system, demonstrating the practical feasibility of blockchain-based identity management and a zkVM-based authentication protocol.
- Context Lineage Assurance for Non-Human Identities in Critical Multi-Agent Systems [0.08316523707191924] (2025-09-22T20:59:51Z)
  We introduce a cryptographically grounded mechanism for lineage verification, anchored in append-only Merkle tree structures. Unlike traditional A2A models that primarily secure point-to-point interactions, our approach enables both agents and external verifiers to cryptographically validate multi-hop provenance. In parallel, we augment the A2A agent card to incorporate explicit identity verification primitives, enabling both peer agents and human approvers to authenticate the legitimacy of NHI representations.
- Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents [0.6747475365990533] (2025-09-16T23:43:24Z)
  In agentic settings, reasoning, prompt injection, or multi-agent orchestration can silently expand privileges. We introduce Agentic JWT (A-JWT), a dual-faceted intent token that binds each agent's action to verifiable user intent. A-JWT carries an agent's identity as a one-way hash derived from its prompt, tools and configuration.
- BlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability [8.539128225018489] (2025-08-02T11:59:21Z)
  BlockA2A is a unified multi-agent trust framework for agent-to-agent interoperability. It eliminates centralized trust bottlenecks, ensures message authenticity and execution integrity, and guarantees accountability across agent interactions. It neutralizes attacks through real-time mechanisms, including Byzantine agent flagging, reactive execution halting, and instant permission revocation.
- SOPBench: Evaluating Language Agents at Following Standard Operating Procedures and Constraints [59.645885492637845] (2025-03-11T17:53:02Z)
  SOPBench is an evaluation pipeline that transforms each service-specific SOP code program into a directed graph of executable functions and requires agents to call these functions based on natural language SOP descriptions. We evaluate 18 leading models, and results show the task is challenging even for top-tier models.
This list is automatically generated from the titles and abstracts of the papers in this site.