Research
Peer-shareable research and specifications on AI agent security, zero-trust execution, and cryptographic infrastructure for autonomous systems. Archived on Zenodo for citation and long-term preservation.
Author identifier: ORCID 0009-0005-7040-8751
Papers
VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense
May 6, 2026 — Preprint v1.2
An investigation into how attackers with write access to RAG ingestion pipelines can hide payload data inside vector embeddings using techniques like noise injection, rotation, and scaling while preserving normal retrieval behavior. The paper proposes VectorPin, a cryptographic provenance defense using Ed25519 signatures to authenticate embeddings against source content and models. Evaluated across multiple embedding models (OpenAI, Nomic, EmbeddingGemma, others) and vector databases (FAISS, Chroma, Qdrant).
DOI: 10.5281/zenodo.20076420 • arXiv:2605.13764 • PDF • Reference implementation: VectorSmuggle
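Added illustration of the attack described above, written for this page and not taken from VectorSmuggle or VectorPin. It shows only the noise-injection variant (rotation and scaling are not covered): each bit of a length-prefixed payload is written into the parity of round(x_i * SCALE), so no coordinate moves by more than 1/SCALE and the tampered vector still scores as the nearest neighbour for the same query. The embedding model is replaced by a deterministic stand-in so the block runs offline; DIM, SCALE, the payload and the corpus are constructed values. The defense side (an Ed25519 signature over the canonical bytes of model id, source-content hash and embedding, checked at retrieval time) needs a signature primitive the Rust standard library does not ship, so it is not implemented here; what the block does show is why a cosine-drift or similarity threshold alone cannot be that defense.

```rust
// Added example (not VectorSmuggle or VectorPin code): parity-coded noise
// injection hiding a payload in an embedding. DIM and SCALE are assumed values;
// fake_embedding() stands in for a real model so the example runs offline.

const DIM: usize = 256;
/// Quantisation scale: every coordinate is perturbed by at most 1/SCALE.
const SCALE: f32 = 10_000.0;

/// Constructed unit vector from a 64-bit LCG; stands in for model output.
pub fn fake_embedding(seed: u64) -> Vec<f32> {
    let mut state = seed;
    let mut v: Vec<f32> = (0..DIM)
        .map(|_| {
            state = state
                .wrapping_mul(6364136223846793005)
                .wrapping_add(1442695040888963407);
            ((state >> 33) as f32 / (1u64 << 31) as f32) * 2.0 - 1.0
        })
        .collect();
    let norm = v.iter().map(|x| x * x).sum::<f32>().sqrt();
    v.iter_mut().for_each(|x| *x /= norm);
    v
}

pub fn cosine(a: &[f32], b: &[f32]) -> f32 {
    let dot: f32 = a.iter().zip(b).map(|(x, y)| x * y).sum();
    let na = a.iter().map(|x| x * x).sum::<f32>().sqrt();
    let nb = b.iter().map(|x| x * x).sum::<f32>().sqrt();
    dot / (na * nb)
}

/// Index of the corpus vector most similar to `query` (top-1 retrieval).
pub fn nearest(query: &[f32], corpus: &[Vec<f32>]) -> usize {
    let mut best = (0usize, f32::MIN);
    for (i, doc) in corpus.iter().enumerate() {
        let s = cosine(query, doc);
        if s > best.1 {
            best = (i, s);
        }
    }
    best.0
}

/// Attacker side: a copy of `embedding` carrying `payload`, or None when the
/// vector is too short (capacity is DIM/8 - 1 bytes, length byte included).
pub fn embed_payload(embedding: &[f32], payload: &[u8]) -> Option<Vec<f32>> {
    if payload.len() > 255 || (payload.len() + 1) * 8 > embedding.len() {
        return None;
    }
    let mut out = embedding.to_vec();
    let bits = std::iter::once(payload.len() as u8)
        .chain(payload.iter().copied())
        .flat_map(|byte| (0..8).map(move |k| (byte >> k) & 1));
    for (x, bit) in out.iter_mut().zip(bits) {
        let q = (*x * SCALE).round() as i64;
        if q.rem_euclid(2) != i64::from(bit) {
            // Wrong parity: move to an adjacent quantisation level (toward zero
            // when possible), i.e. a perturbation of exactly 1/SCALE.
            let q2 = if q > 0 { q - 1 } else { q + 1 };
            *x = q2 as f32 / SCALE;
        }
    }
    Some(out)
}

/// Receiver side: reads the parities back out of the tampered vector.
pub fn extract_payload(embedding: &[f32]) -> Vec<u8> {
    let bits: Vec<u8> = embedding
        .iter()
        .map(|x| ((*x * SCALE).round() as i64).rem_euclid(2) as u8)
        .collect();
    let byte_at = |i: usize| (0..8).fold(0u8, |acc, k| acc | (bits[i * 8 + k] << k));
    // Clamp the length field so an untouched vector cannot index out of range.
    let len = (byte_at(0) as usize).min(bits.len() / 8 - 1);
    (1..=len).map(byte_at).collect()
}

fn main() {
    let clean = fake_embedding(7);
    let stego = embed_payload(&clean, b"constructed-secret-42").unwrap();
    println!("recovered: {}", String::from_utf8_lossy(&extract_payload(&stego)));
    println!("cosine(clean, stego) = {:.7}", cosine(&clean, &stego));
}
```

With 256 dimensions the channel carries 31 payload bytes per vector at a per-coordinate perturbation of 1e-4, which is why the cosine similarity to the clean vector stays above 0.9999 and a drift detector tuned to catch model swaps or corrupted rows never fires. That is the gap a provenance signature bound to source content and model closes: the check then fails on any modified coordinate regardless of how small the change is.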
Typestate-Enforced Agent Loops: Making Policy Gates Unskippable at Compile Time
April 25, 2026 — Preprint v0.3
A type-system-based approach to enforcing policy gates in AI agent loops. Rather than relying on runtime callbacks, this work uses Rust's typestate pattern to make policy enforcement a compile-time requirement: skipping the gate, dispatching without reasoning, observing without dispatching, or substituting an action between policy approval and execution become expressions that fail to compile. Empirical results from 874 cloud-adversarial runs show 263 forbidden tool-call attempts refused with zero execution breaches.
DOI: 10.5281/zenodo.19746724 • PDF • Related: Open Agent Trust Stack • Reference implementation: symbiont-orga-demo • Runtime: Symbiont
Open Agent Trust Stack (OATS): A System Specification for Zero-Trust AI Agent Execution
April 17, 2026 — Specification v1.1.0
OATS is an open specification for zero-trust AI agent execution in environments where agents take consequential actions such as database queries and file modifications. It moves security enforcement from output filtering to pre-execution governance using three core principles: declarative tool contract enforcement, compile-time enforcement of the Observe–Reason–Gate–Act loop, and isolation of the policy gate from LLM influence. The system spans five layers, including cryptographic identity infrastructure and a formally verifiable policy engine.
DOI: 10.5281/zenodo.19636534 • PDF • Related: Open Agent Trust Stack (specification site) • Reference implementation: Symbiont
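Added example serving both the typestate paper and the OATS principle of compile-time enforcement of the Observe–Reason–Gate–Act loop with the gate isolated from LLM influence. It is written for this page and is not code from either paper, Symbiont, symbiont-orga-demo or the OATS specification; the type names, the allowlist-shaped Policy, the planner and executor closures and the adversarial inputs are assumptions. Each loop stage is its own type with exactly one method leading to the next stage, so skipping the gate, acting before reasoning, or editing the action after approval is a type error rather than a runtime check; the batch at the end runs a planner that obeys whatever the observation says (a fully hijacked model) and counts what the gate refused versus what executed.

```rust
// Added example (not code from the paper, Symbiont, symbiont-orga-demo or the
// OATS spec): an Observe -> Reason -> Gate -> Act loop whose order is fixed by
// typestates. Type names, the allowlist Policy and the planner/executor
// closures are assumptions made for this demonstration.

pub mod agent_loop {
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub struct Action { pub tool: String, pub args: Vec<String> }

    /// Assumed policy shape: a tool allowlist. It only ever sees the proposed
    /// Action, never the observation text, so model output cannot steer it.
    pub struct Policy { allowed_tools: Vec<String> }

    impl Policy {
        pub fn allow(tools: &[&str]) -> Self {
            Policy { allowed_tools: tools.iter().map(|t| t.to_string()).collect() }
        }
        fn permits(&self, action: &Action) -> bool {
            self.allowed_tools.iter().any(|t| *t == action.tool)
        }
    }

    #[derive(Debug, PartialEq, Eq)]
    pub struct Denied { pub action: Action, pub reason: String }

    /// Typestate 1: an observation exists. No `act` method on this type.
    pub struct Observed { observation: String }
    /// Typestate 2: the model proposed an action. Still no `act`.
    pub struct Reasoned { proposed: Action }
    /// Typestate 3: the gate approved exactly this action. Private field and
    /// no public constructor: code outside this module can neither forge an
    /// approval nor replace the action between approval and execution.
    pub struct Approved { action: Action }

    pub fn observe(observation: &str) -> Observed {
        Observed { observation: observation.to_string() }
    }

    impl Observed {
        /// LLM step. Consumes `self`, so there is no path to dispatch without it.
        pub fn reason(self, planner: impl FnOnce(&str) -> Action) -> Reasoned {
            Reasoned { proposed: planner(&self.observation) }
        }
    }

    impl Reasoned {
        /// Policy gate: the only producer of `Approved`.
        pub fn gate(self, policy: &Policy) -> Result<Approved, Denied> {
            if policy.permits(&self.proposed) {
                return Ok(Approved { action: self.proposed });
            }
            let reason = format!("tool {:?} is not allowlisted", self.proposed.tool);
            Err(Denied { action: self.proposed, reason })
        }
    }

    impl Approved {
        /// Runs precisely the gated action; consumed, so an approval is single-use.
        pub fn act(self, executor: impl FnOnce(&Action) -> String) -> String {
            executor(&self.action)
        }
    }
}

use agent_loop::{observe, Action, Denied, Policy};

/// One episode. Removing `.gate(policy)` or writing `observe(input).act(..)`
/// does not compile: `Reasoned` and `Observed` have no `act` method.
pub fn run_episode(
    input: &str,
    policy: &Policy,
    planner: impl FnOnce(&str) -> Action,
    executor: impl FnOnce(&Action) -> String,
) -> Result<String, Denied> {
    observe(input).reason(planner).gate(policy).map(|ok| ok.act(executor))
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct BatchReport { pub executed: Vec<String>, pub refused: Vec<String> }

/// Constructed adversarial batch: the planner obeys the observation verbatim
/// (a fully hijacked model), so only the gate stands between input and tool.
pub fn run_batch(inputs: &[&str], policy: &Policy) -> BatchReport {
    let mut report = BatchReport::default();
    for input in inputs {
        let planner = |obs: &str| {
            let mut parts = obs.splitn(2, ' ');
            Action {
                tool: parts.next().unwrap_or_default().to_string(),
                args: parts.next().map(|a| vec![a.to_string()]).unwrap_or_default(),
            }
        };
        let executor = |a: &Action| format!("ran {} {:?}", a.tool, a.args);
        match run_episode(input, policy, planner, executor) {
            Ok(out) => report.executed.push(out),
            Err(denied) => report.refused.push(denied.reason),
        }
    }
    report
}

fn main() {
    let policy = Policy::allow(&["read_file", "search"]);
    let inputs = ["read_file /etc/hostname", "drop_table users", "search pricing", "exec rm -rf /"];
    println!("{:#?}", run_batch(&inputs, &policy));
}
```

The guarantees come from three ordinary Rust features rather than any framework: each stage method takes `self` by value, so a stage cannot be reused or bypassed; `Approved` has a private field and is only ever built inside `gate`, so an approval cannot be forged or mutated from agent code; and `Policy` receives the `Action` alone, so nothing the model writes into the observation reaches the decision. A real policy engine replaces the allowlist, but the typestate skeleton around it is what makes the gate unskippable.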