Alan,
First off, it may just be a phishing attempt.
The following applies to AI LLM agents. AI agents that work with ocap languages might be entirely different (see Scala work). The difference there is the language is constrained, whereas there’s no real constraints on general languages. I am not an ocap expert, but I do read a few things on list.
I’d tread very carefully here. There’s not much stuff an agent can do without granting it access to *everything*. Where there’s a will, there’s a way. Ocaps are intended to defeat the will, so to speak.
As is typical with SQL in security, if what an agent gets is text, text can be injected. So I would say any agent that deals with text is not using ocaps, except in languages designed to defeat any injection attempts, including swapping capabilities for malicious purposes. This should never happen if the capability is tied to the resource and the action, but a confused deputy might choose the wrong capability. Ideally, you only give the deputy one capability, so it won’t be confused.
Understanding of course that you work in SAML, which is likely text (but I’ve never looked at SAML seriously). Maybe that’s why it’s contacting you. Maybe you should ask if its prompts are encrypted like your ocaps???
If one attacks the text LLM prompt before encryption or after decryption, that would be a possible attack on LLM agents. There’s also man-in-the-middle attacks. I don’t see anything going through Cloudflare as secure, for example.
The confused deputy might even be the agent creating the LLM prompt.
Probably the only thing to make agents secure is to use an ocap language for the prompt and result. And then who is the expert giving out object capabilities in a possibly secure language? Are we relying on AI agents to adequately give authority????? Or are all text ocaps necessarily encrypted with quantum-resistant encryption?
Has anyone tried Fable 5 on a capability system?
Hard questions.
John