The digital era is shifting toward an ‘agent economy,’ where networks of autonomous AI systems reshape how value is created and exchanged. In this article, Thorsten Jelinek, PhD, outlines a strategic framework for AI security, highlighting why safeguarding these evolving systems is essential to ensure they drive progress while serving societal interests.
The digital transformation is moving towards an “agent economy”. While AI’s impact on labour and its contribution to GDP growth may become modest through the end of this decade, economic activity will increasingly be shaped not by human interaction, but by networks of autonomously interacting agents – systems progressively capable of self-design, self-modification, and physical-world manipulation. As this amplifies the drive for efficiency and economic expansion, human interaction with these systems remains essential to ensure they serve the interests of society.
Advances in algorithmic performance and accelerated computing, as well as an evolving ICT infrastructure, are driving this transformation. AI-enhanced 5G standalone networks are already a critical enabler for exponential data flows and ultra-low-latency connection, eventually powering real-time orchestration of complex cyber-physical systems across all sectors. This means AI security will become even more important for ensuring safety and trust in the future economy.
Core bottlenecks of agentic systems
Aside from building out and enhancing digital infrastructure, three fundamental bottlenecks must be addressed for agentic systems to become a practical reality.
a) Persistence: Agents must retain memory, context, and identity across sessions and over time to enable long-term autonomy, task continuity, and adaptive inferencing.
b) Common Protocol: Agents must communicate, coordinate, and interoperate across systems to function reliably in multi-agent environments.
c) Security: As the range of possible threats expands and changes, security and trust are essential for inter-agent exchange and interoperable governance across borders.
Progress in both persistence and protocol remains nascent. Today's agents are still unreliable, short-lived, and confined to isolated environments, lacking the ability to retain memory, context, or identity over time. Current research into memory-enhanced AI architectures is aimed at building long-term memory systems essential for continuity and adaptation. Fundamental improvements in persistence are also expected to reduce the current need for autonomous agents to use large amounts of short-term data (“token expenditure”) to remain coherent and stay on task (“reasoning decay”) when performing longer or more complex sequences. Likewise, there is no universal standard AI protocol like the Internet Protocol TCP/IP that enables agents to communicate and coordinate across systems. All major large language model (LLM) providers are exploring open-source projects like Anthropic’s MCP, including in China, yet they still lack broad compatibility and robust mechanisms to ensure safe and ethical behaviour. However, a unified protocol - a common set of rules - including agent memory interoperability (to safeguard against companies locking users into their systems and gaining too much control over agents) – may ultimately be constrained by countries’ focus on digital sovereignty that borders on protectionism and coercion. This is particularly evident in Washington’s escalating AI restrictions and prolonged opposition to China’s proposal to overhaul the Internet protocol – a proposal that has regained significance with the development of sixth-generation (6G) networks.
Six AI guards: A security architecture for foundation models and agents
While the geopoliticisation of digital sovereignty may be counterproductive and risks undermining cybersecurity, securing agentic systems is one of the three key engineering and governance challenges in AI development today. This is because AI significantly enlarges and alters the range of possible cyberattacks, making AI security and trust essential for autonomous agents to interact safely and exchange resources at scale. The vast automation of economic activity requires a holistic security approach that builds security into the architecture from the start and treats it as a shared, ecosystem-wide responsibility. The table below outlines six AI guards to help map emerging technological risks and actively develop AI governance.
| AI Guards | Function | Representative Threat Examples |
|---|---|---|
| 0. Compute Guard | Hardware-rooted protection and trusted execution | - Root of Trust (cryptographic engine, trusted interconnection) - Unauthorised access and key compromise - Insecure data transmission and model storage - Untrusted execution environment - Hardware and firmware compromise - Supply chain and lifecycle intrusion |
| 1. Data Guard | Integrity and provenance of training inputs | - Toxic fine-tuning and biased training data - Adversarial input poisoning and memory manipulation - Sensitive data leakage from training - Data provenance failure and unverifiable sources - Dataset bias and unfair distribution effects |
| 2. Model Guard | Protection of model architecture and weights | - Sleeper agents triggered under specific condition - Model extraction/cloning - Drift and unintended emergent capabilities due to updates/scale effects - Reasoning limits due to poor generalisation, flawed multi-step inference, or low interpretability |
| 3. Alignment Guard | Behavioural safety and goal control | - Jailbreaks via crafted prompts - Goal drift, reward hacking, or emergent deception - Triggered sleeper behaviour resulting in unintended agent goals |
| 4. Interface Guard | Securing input/output and APIs | - Prompt injection and manipulation of inputs - Toolchain hijack through compromised APIs or external services - Retrieval-layer poisoning (e.g., RAG data) |
| 5. Operations Guard | Runtime resilience and update hygiene | - Zero-days, adversarial inputs, and prompt-based exploits - Data leakage, orchestration failures, and model drift - Insider log tampering and compromised updates - Cascading failures and agent misalignment |
Together, these guards form a security framework spanning the full AI system lifecycle – from data ingestion and model development to how AI operates in real-time and runs on hardware. By integrating both software and compute-layer protections, the framework addresses vulnerabilities not only in algorithmic behaviour but also across the underlying infrastructure. Alignment, interface, and operations guards are most relevant for managing threats to agents, which interact with tools, environments, and other agents. Because they can adapt and cooperate in complex ways, they require real-time verification, security measures across IT components, and resilient deployment. The other two, data and model guards, secure the early stages of development, shielding data from tampering, degradation of models over time, and data thefz during training and fine-tuning.
The compute guard is foundational and protects the entire AI computing infrastructure – from chipsets (e.g., GPUs, NPUs) and compute nodes to firmware and interconnects. It safeguards data and systems through trusted hardware technologies such as confidential computing and encryption. This is especially critical in shared environments and remote AI training centres, where low-level areas vulnerable to attack are exposed. While primarily designed to defend against external and runtime threats (e.g., adversarial prompts, supply chain compromise, or insider abuse), the compute guard also addresses risks inherent in the models themselves, including flawed reasoning and low interpretability – that may lead to unintended harm even without malicious input.
AI security practices across major platforms
While the six AI guards define a comprehensive architecture for system security, leading technology providers (including Microsoft, Google, AWS, or Huawei) are actively using them across the AI lifecycle. Despite originating from different layers of the AI stack – including cloud services, application platforms, model development, full-stack infrastructure, and chipset design – all these players are aligning around shared security priorities: integrity, alignment, transparency, and resilience.
For example:
· Microsoft integrates model- and runtime-level safeguards into its Security Copilot platform, part of a broader AI defence strategy developed in collaboration with OpenAI, combining threat detection, incident response, and shadow AI monitoring.
· Google is enhancing detection, analysis, and threat response across Gemini and its broader ecosystem through its Security Operations (SecOps) framework.
· AWS provides runtime monitoring and threat detection via GuardDuty, while also investing in foundational model governance through Bedrock Guardrails (content & prompt safety) and SageMaker Model Monitor (drift and quality alerts).
· Huawei offers a vertically integrated safeguard architecture spanning data, model, application, operations and maintenance, and compute-level protection – enabled by its deep footprint across ICT infrastructure and system design.
Leading AI providers are converging towards end-to-end protection, using proprietary tools, open-source frameworks, and cross-industry collaboration. These approaches are both feasible and scalable, and can lay the groundwork for technical and procedural standards that are measurable and enforceable. However, capacity constraints remain a challenge – particularly for smaller platforms or modular applications that rely on third-party models and infrastructure. Even advanced AI players face dependencies, upstream vulnerabilities, and interface-level risks. This reinforces the need for shared security responsibilities, interoperability protocols, and verifiable security standards across the AI supply and deployment chain. As agentic systems become more distributed and autonomous, effective security will depend not only on internal safeguards but also on cross-provider coordination, auditability, and transparency – to ensure that security keeps up with real-world complexity.
AI security within a mature cybersecurity framework
AI security is not solely a technological matter. The growing demand for digital sovereignty – especially amid rising geopolitical tensions – has broadened the scope of security to include strategic concerns around autonomy and self-reliance. With the rise of AI, this need now extends beyond data and networks to encompass compute sovereignty itself: control over the physical, infrastructural, and supply-chain layers of AI computing.
As highlighted in recent research, compute sovereignty spans three interlocking dimensions: (1) territorial jurisdiction over AI data centres, (2) control over cloud providers and orchestration platforms that manage AI workloads, and (3) hardware dependence – particularly on foreign advanced accelerator chip vendors like NVIDIA and AMD (as shown in the figure below). In U.S. strategic thinking, the ambition is to secure full AI stack dominance, extending control from chips and compute to cloud platforms, models, and applications as one integrated system. This pursuit highlights the geopolitical stakes of compute sovereignty, but it also risks conflating resilience with dominance.
These dependencies shape not just the cost and scalability of AI, but also national exposure to extraterritorial law, export controls, and supply chain disruptions. AI security and compute sovereignty are therefore inseparable. Without trust in the underlying hardware, interconnection protocols, and training environments, even the most robust model safeguards may be compromised. This calls for a more integrated, infrastructure-aware approach to AI security, one that recognises sovereignty, transparency, and resilience as not just political ideals, but operational preconditions for safe and trusted AI ecosystems.
Figure: Al accelerator vendor nationality by country: domestic vs. foreign (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5312977)
However, today’s heightened demand for digital sovereignty risks distorting cybersecurity into an instrument of geopolitical competition. Rather than advancing verifiable standards or engineering-based resilience, security policy is increasingly shaped by narrative framing and exclusion logic.
This shift doesn't necessarily enhance protection – it risks undermining it. Politicisation of technology fragments technical baselines, disrupts international coordination, and weakens the maturity needed for secure, interoperable AI systems. National security must be taken seriously, but resilience is not built through isolation. Today, it is a matter of trade-offs.
Robust AI security depends on transparent, testable practices, auditable processes, hardware-rooted safeguards, and lifecycle governance. The six AI guards offer precisely that: a basis for securing AI systems across development, deployment, and infrastructure – helping governments and organizations move beyond fear and towards safe, confident adoption. As AI agents expand into all domains of human activity, policymakers and practitioners should consider these interlocking dimensions when crafting governance approaches, controls, and trust mechanisms fit for the agent economy.
Preview photo by Felipe Souza on Unsplash