As AI agents move towards autonomy and collaboration, enterprises face security challenges that go beyond technology, evolving into deep trust crises. On April 29th, at the "Intelligent Agent Innovation and Governance" forum of the 9th Digital China Construction Summit, Chen Liang, CTO of Ant Group's Big Security, delivered a keynote speech, revealing for the first time three "trust black holes" hidden in cross-Agent collaboration and releasing a native security architecture tailored for enterprise-level intelligent agents.

The Three "Trust Black Holes": Fatal Weaknesses in Cross-Agent Collaboration

In early 2026, the Agents of Chaos study conducted by institutions such as Northeastern University deployed multiple autonomous agents with real tool calling capabilities based on the OpenClaw framework, performing a two-week red team test. The results showed that agents may face serious security issues in complex open environments, including non-owner compliance, sensitive information leaks, and destructive system-level operations.


Chen Liang pointed out that as multi-Agent collaboration expands from within a single system to cross-organizational, cross-platform scenarios, three "trust black holes" are now limiting large-scale enterprise deployment. The first is the "identity verification black hole": attackers can forge agent identifiers or borrow employee assistant identities for "identity whitelisting" overreach, and multiple intermediate nodes may also tamper with upstream identity statements, leaving downstream entities unable to confirm the legitimacy of the initiator. The second is the "intent tamper-proof transmission black hole": user instructions may be maliciously altered by intermediate nodes in the cross-Agent collaboration chain, leading to deviations in sensitive information such as fund ownership and data permissions. The third is the "authorization boundary control black hole": in multi-level delegation scenarios, downstream agents may gain capabilities beyond the scope of upstream authorization, leading to cascading expansion of permissions.

Industry insights released by IIFAA together with China Academy of Information and Communications Technology, Ant Group, and dozens of other organizations show that the MCP and A2A protocols still focus on interoperability and call connections, which is insufficient to cover agent-native trust issues such as entity traceability, intent integrity, multi-level delegation boundary contraction, and auditability in cross-Agent links. Existing security solutions have clear shortcomings when dealing with unique agent attack scenarios.

Solution: ASL Protocol Builds an "End-to-End Verifiable Trust Chain"

To address these gaps, Chen Liang proposed a solution based on the "Security by Design" philosophy—a secure and trusted interconnection protocol for agents called ASL (Agent Security Link). ASL can be seen as a trusted interconnection protocol stack on the agent collaboration chain, which can be overlaid on existing agent interoperability protocols such as MCP and A2A, establishing a trust foundation that is verifiable, transferable, constrained, and auditable for cross-Agent collaboration.

According to reports, ASL adopts a layered architecture of "four types of capability components + security infrastructure": the lower layer provides a graded secure execution environment, ranging from software isolation to hardware isolation, and a device-binding key management system; the upper layer uses four core modules (trusted identity, trusted connection, trusted intent, and trusted authorization) to achieve verifiable identity binding, session-level secure channels, tamper-proof intent transmission, and authorization boundaries that strictly contract rather than expand in multi-level delegation. This means that every step of an agent's operation in the collaboration chain is traceable, every authorization is bounded, and every intent transmission has tamper-proof protection.
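
The three "trust black holes" and the upper-layer guarantees described above can be made concrete with a delegation chain that a downstream agent checks hop by hop. The following is an added illustration, not the ASL specification or any Ant Group code: the field names, agent names, scopes and keys are hypothetical, and HMAC stands in for the asymmetric signatures a real deployment would use.

```python
import hashlib, hmac, json

# Constructed per-agent keys. HMAC stands in for the asymmetric signatures a
# real deployment would use, so this verifier holds every key (assumption).
KEYS = {"user": b"k-user", "assistant": b"k-assistant", "shop-agent": b"k-shop"}

def _canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def _mac(issuer, body):
    return hmac.new(KEYS[issuer], _canon(body), hashlib.sha256).hexdigest()

def intent_digest(intent):
    return hashlib.sha256(_canon(intent)).hexdigest()

def delegate(issuer, subject, scope, intent, parent=None):
    """Issue one link: issuer grants subject `scope` for exactly this intent."""
    body = {"iss": issuer, "sub": subject, "scope": sorted(scope),
            "intent": intent_digest(intent),
            "parent": parent["sig"] if parent else None}
    return {**body, "sig": _mac(issuer, body)}

def verify_chain(chain, intent, root="user"):
    """Check identity, intent binding and scope contraction hop by hop."""
    if not chain:
        return False, "empty chain"
    issuer, allowed, prev_sig = root, None, None
    for i, link in enumerate(chain):
        body = {k: v for k, v in link.items() if k != "sig"}
        if link["iss"] not in KEYS or not hmac.compare_digest(
                link["sig"], _mac(link["iss"], body)):
            return False, f"link {i}: bad signature"      # forged or edited link
        if link["iss"] != issuer or link["parent"] != prev_sig:
            return False, f"link {i}: broken chain"       # hop skipped or reordered
        if link["intent"] != intent_digest(intent):
            return False, f"link {i}: intent altered"     # instruction was changed
        if allowed is not None and not set(link["scope"]) <= allowed:
            return False, f"link {i}: scope expands"      # more than the parent had
        issuer, allowed, prev_sig = link["sub"], set(link["scope"]), link["sig"]
    return True, "ok"

# Constructed sample: user -> assistant -> shop-agent for one payment intent.
INTENT = {"action": "pay", "payee": "merchant-42", "amount": "19.90"}
LINK_USER = delegate("user", "assistant", {"pay:read", "pay:execute"}, INTENT)
LINK_ASSISTANT = delegate("assistant", "shop-agent", {"pay:execute"}, INTENT, LINK_USER)

if __name__ == "__main__":
    print(verify_chain([LINK_USER, LINK_ASSISTANT], INTENT))
```
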

In payment scenarios, ASL collaborates with the ACT intelligent agent commercial trust protocol—ASL is responsible for secure interconnection and authorization control between agents, while ACT is responsible for building the trust foundation for commercial transactions, jointly supporting the implementation of instant payments, entrusted purchases, and other scenarios.

From "Passive Response" to "Inherently Trustworthy": Full-Chain Security Loop

The implementation of the ASL protocol is just one part of the agent-native security framework Chen Liang advocates. In this framework, the security concept has shifted completely from the traditional passive response of "discover vulnerabilities, release patches" to ensuring that agents are "inherently trustworthy": a layered-isolation, defense-in-depth governance design embeds security capabilities into each stage of the agent's lifecycle from the moment it is created.

Specifically, the framework includes identity and access management (a unified identity system and dynamic lifecycle management of the "agent operation license"), runtime security protection (five-layer strategy control based on the "Digital Employee Constitution"), and AgentOS and infrastructure security (mechanisms such as the Landlock sandbox, namespace isolation, and TEE hardware isolation). This system ensures that agents always maintain "end-to-end" security guarantees in cross-enterprise and cross-platform collaboration scenarios, including verifiable entity identity, tamper-proof intent transmission, and strictly controllable authorization boundaries.