# Agent Containment and Linked Data Identity Meshup

Related files: [HTML](../webpages/agent-containment-linked-data-identity-meshup-gpt5-1.html), [RDF](../rdf/agent-containment-linked-data-identity-meshup-gpt5-1.ttl)

## Fundamental Thesis

Agent safety cannot be reduced to better prompts, model classifiers, or per-action approval dialogs. The durable enterprise pattern is loose coupling: deterministic containment limits blast radius, hyperlink-based identity denotes agents and users, profile documents express delegation symbolically, authentication remains protocol-owned, ABAC makes fine-grained authorization decisions, and data spaces become explicit read/write boundaries.

## Source Synthesis

- [Tomasz Tunguz / Jonathan Jaffe office-hours source](https://tomtunguz.com/jonathan-jaffe-office-hours-post-event/) frames enterprise agent security as a systems problem where defenders and attackers both operate at machine speed.
- [Anthropic's containment article](https://www.anthropic.com/engineering/how-we-contain-claude) supplies the operational lesson: environment controls, filesystem boundaries, VMs, egress controls, and tool proxies are the deterministic layer that remains when probabilistic model defenses miss.
- [YouID DPKI](https://medium.com/openlink-software-blog/youid-self-sovereign-identity-using-decentralized-public-key-infrastructure-dpki-4fa72cbdccc8), [NetID-TLS via YouID profile documents](https://medium.com/openlink-software-blog/how-to-guide-self-sovereign-identity-using-netid-tls-via-a-youid-generated-profile-document-c3fdc7b35082), and [Web, Logic, Sentences, and the Magic of Being You](https://medium.com/virtuoso-blog/web-logic-sentences-and-the-magic-of-being-you-e2a719d01f73) provide the identity side: hyperlink-denoted principals, profile documents, credential reconciliation, and Web-scale machine-computable claims.

## Citations

1. [Jonathan Jaffe Office Hours Post-Event](https://tomtunguz.com/jonathan-jaffe-office-hours-post-event/) — Prompt source for the agentic enterprise and security framing around Jonathan Jaffe's office-hours discussion. [KG entity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Ftomtunguz.com%2Fjonathan-jaffe-office-hours-post-event%2F%23article).
2. [How we contain Claude across products](https://www.anthropic.com/engineering/how-we-contain-claude) — Prompt source for deterministic containment controls, agent identity questions, and blast-radius reduction. [KG entity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fwww.anthropic.com%2Fengineering%2Fhow-we-contain-claude%23article).
3. [YouID: Self-Sovereign Identity using Decentralized Public Key Infrastructure](https://medium.com/openlink-software-blog/youid-self-sovereign-identity-using-decentralized-public-key-infrastructure-dpki-4fa72cbdccc8) — Prompt source for DPKI, hyperlink-denoted identity, and profile-document identity patterns. [KG entity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fmedium.com%2Fopenlink-software-blog%2Fyouid-self-sovereign-identity-using-decentralized-public-key-infrastructure-dpki-4fa72cbdccc8%23article).
4. [Self-Sovereign Identity using NetID-TLS via a YouID-Generated Profile Document](https://medium.com/openlink-software-blog/how-to-guide-self-sovereign-identity-using-netid-tls-via-a-youid-generated-profile-document-c3fdc7b35082) — Prompt source for NetID-TLS authentication and YouID-generated profile documents. [KG entity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fmedium.com%2Fopenlink-software-blog%2Fhow-to-guide-self-sovereign-identity-using-netid-tls-via-a-youid-generated-profile-document-c3fdc7b35082%23article).
5. [Web, Logic, Sentences, and the Magic of Being You!](https://medium.com/virtuoso-blog/web-logic-sentences-and-the-magic-of-being-you-e2a719d01f73) — Prompt source for Web-scale logic, identity claims, and machine-computable statements about agents and users. [KG entity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fmedium.com%2Fvirtuoso-blog%2Fweb-logic-sentences-and-the-magic-of-being-you-e2a719d01f73%23article).

## Remedies

### [1. Agent identity through hyperlinks](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23agent-identity)

Give every agent, agent session, and delegated execution context a resolvable IRI. Anthropic's question about whether an agent should be its own principal or an extension of the user becomes less binary: the agent can be its own denoted principal while its profile records the user, purpose, session, and delegation scope.

### [2. Agent profiles as symbolic policy inputs](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23agent-profile-document)

Publish profile documents in RDF or JSON-LD using shared vocabularies. The profile connects agent, user, organization, credential, tool, data space, intended purpose, and on-behalf-of relationships so authorization engines can compute access without bespoke product logic.

### [3. Authentication remains protocol-owned](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23authentication)

Use existing protocols such as OAuth, WebID-TLS, and NetID-TLS instead of inventing agent-specific login systems. The credential proves control of a key, token, or certificate bound to a hyperlink-denoted principal; the agent profile supplies the computable context.

### [4. Authorization is ABAC over graph facts](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23authorization)

Move from coarse allowlists to policy decisions over attributes: principal, acting-on-behalf-of user, resource class, operation, sensitivity, provenance, purpose, time, network route, and write target. Treat every approved domain as a capability surface, not merely a destination.

### [5. Data-space read/write boundaries](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23data-spaces)

Model data spaces as first-class governed resources. Read-only access, write-in-workspace, write-no-delete, named graph updates, and cross-space export become explicit operations checked by policy enforcement points before the agent touches the resource.

## Deployment HowTo

1. [Mint agent and session IRIs](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23step-1): Create persistent IRIs for durable agents and ephemeral IRIs for sessions or runtimes. Keep both dereferenceable.
2. [Publish an agent profile](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23step-2): Describe the agent, controller, user delegation, public keys, permitted tools, data-space claims, and on-behalf-of relationships using RDF or JSON-LD.
3. [Bind authentication to the profile](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23step-3): Use OAuth, WebID-TLS, NetID-TLS, or a comparable protocol to prove credential control and reconcile the credential with the profile document.
4. [Evaluate ABAC before read/write](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23step-4): Call a policy decision point with agent, user, resource, operation, purpose, sensitivity, provenance, and environment attributes.
5. [Enforce at the runtime and data-space edge](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23step-5): Use sandboxes, VMs, egress proxies, filesystem mounts, named graph ACLs, and API gateways as policy enforcement points.
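The five steps above, walked end to end as an added Python example (this is not code from the page's sources, from OpenLink's tooling, or from Anthropic). Everything in it is constructed for illustration: the vocabulary `https://example.org/agent#`, the agent, user and data-space IRIs, the placeholder PEM string, and the policy rules inside `decide`. Authentication is deliberately left to the protocol; `reconcile_credential` only checks that the key the protocol already proved is the one the profile document lists, which is the reconciliation step 3 describes.

```python
import hashlib
import uuid
from dataclasses import dataclass, field

VOCAB = "https://example.org/agent#"  # hypothetical vocabulary for this example
WRITE_OPS = {"append", "update", "delete", "export", "graph-update"}

# Step 1: a persistent IRI for the durable agent, an ephemeral one per session.
def mint_agent_iri(org_base: str, agent_name: str) -> str:
    return f"{org_base}/agents/{agent_name}#this"

def mint_session_iri(agent_iri: str) -> str:
    return f"{agent_iri.split('#')[0]}/sessions/{uuid.uuid4()}#this"

def key_fingerprint(public_key_pem: str) -> str:
    return hashlib.sha256(public_key_pem.encode()).hexdigest()

# Step 2: the profile document as JSON-LD, carrying the facts the PDP consumes.
def build_profile(agent_iri, session_iri, user_iri, controller_iri,
                  public_key_pem, tools, data_space_claims, purposes):
    return {
        "@context": {"ag": VOCAB},
        "@id": agent_iri,
        "ag:session": session_iri,
        "ag:controller": controller_iri,
        "ag:onBehalfOf": user_iri,
        "ag:keyFingerprint": key_fingerprint(public_key_pem),
        "ag:permittedTool": list(tools),
        "ag:purpose": list(purposes),
        # {data-space IRI: operations the profile claims for it}
        "ag:dataSpaceClaim": {s: sorted(o) for s, o in data_space_claims.items()},
    }

# Step 3: OAuth / WebID-TLS / NetID-TLS has already proved control of a key;
# here we only reconcile that proven key with the profile document.
def reconcile_credential(profile, subject_iri, proven_public_key_pem) -> bool:
    return (subject_iri == profile["@id"]
            and key_fingerprint(proven_public_key_pem) == profile["ag:keyFingerprint"])

@dataclass
class DataSpace:
    iri: str
    sensitivity: str                           # "public" | "internal" | "secret"
    writers: set = field(default_factory=set)  # user IRIs allowed to write here
    records: list = field(default_factory=list)

# Step 4: policy decision point, deny by default, over profile and resource attributes.
def decide(profile, space, operation, purpose, provenance):
    if operation not in profile["ag:dataSpaceClaim"].get(space.iri, []):
        return False, "operation not claimed for this data space"
    if purpose not in profile["ag:purpose"]:
        return False, "purpose not declared in profile"
    if operation in WRITE_OPS and profile["ag:onBehalfOf"] not in space.writers:
        return False, "delegating user may not write to this data space"
    if space.sensitivity == "secret" and operation == "export":
        return False, "export from a secret data space is never permitted"
    # content relayed by another agent or returned by a tool must not gain write rights
    if operation in WRITE_OPS and provenance != "user-authored":
        return False, f"write refused for provenance '{provenance}'"
    return True, "permit"

# Step 5: the enforcement point at the data-space edge; it never touches the
# store before the decision is in hand.
def enforce(profile, space, operation, purpose, provenance, payload=None):
    allowed, reason = decide(profile, space, operation, purpose, provenance)
    if not allowed:
        raise PermissionError(reason)
    if operation == "read":
        return list(space.records)
    if operation == "append":
        space.records.append(payload)
        return len(space.records)
    raise NotImplementedError(operation)

def demo() -> dict:
    """Walk the five steps with constructed data and collect each outcome."""
    alice = "https://example.org/people/alice#this"
    ws = DataSpace("https://example.org/spaces/workspace", "internal", writers={alice})
    vault = DataSpace("https://example.org/spaces/vault", "secret", writers={alice},
                      records=["token-placeholder"])
    agent = mint_agent_iri("https://example.org", "triage-bot")
    pem = "-----BEGIN PUBLIC KEY-----\nconstructed\n-----END PUBLIC KEY-----"
    profile = build_profile(agent, mint_session_iri(agent), alice,
                            "https://example.org/org#this", pem, ["search"],
                            {ws.iri: {"read", "append"}, vault.iri: {"read", "export"}},
                            ["ticket-triage"])
    out = {"auth": reconcile_credential(profile, agent, pem),
           "auth_wrong_key": reconcile_credential(profile, agent, pem + "\n"),
           "append": enforce(profile, ws, "append", "ticket-triage", "user-authored", "note"),
           "vault_read": enforce(profile, vault, "read", "ticket-triage", "user-authored")}
    for name, args in {"relayed_write": (ws, "append", "ticket-triage", "relayed-by-agent"),
                       "delete": (ws, "delete", "ticket-triage", "user-authored"),
                       "vault_export": (vault, "export", "ticket-triage", "user-authored")}.items():
        out[name] = decide(profile, *args)[1]   # the denial reason
    return out

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the profile document, not the enforcement point, is where delegation is stated, so the same `decide` logic can sit behind an egress proxy, a tool gateway or a named-graph ACL without product-specific code; and the provenance check is what keeps content relayed by another agent from acquiring write rights, which is the multi-agent trust escalation the glossary names.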

## FAQ

### [What is the fundamental thesis?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q1)

Agent safety cannot rely only on model behavior or approval prompts. It needs deterministic containment plus hyperlink-based identity, profile-driven delegation, standards-based authentication, ABAC authorization, and explicit read/write boundaries around data spaces.

### [How does this remedy Anthropic's agent identity problem?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q2)

It separates principal identity from delegated authority. The agent can have a resolvable identity while the profile states who it represents, why it is acting, which credentials it may use, and which operations policies permit.

### [Why are data spaces central?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q3)

Most agent risk becomes concrete at data boundaries: reading secrets, writing production state, deleting files, uploading to approved APIs, or poisoning persistent context. Data spaces provide the named resources over which ABAC can make precise decisions.

### [Why is containment still needed if authentication is strong?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q4)

Authentication proves who or what is acting. It does not guarantee that the agent's prompt context, tool output, memory, or workflow intent is safe. Containment limits what authenticated code can reach when higher-level controls fail.

### [What should an agent profile document contain?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q5)

It should describe the agent IRI, controller, acting user, on-behalf-of relationship, public keys or credential references, allowed tools, intended purposes, data-space claims, policy attributes, and provenance in machine-computable RDF or JSON-LD.

### [How do OAuth, WebID-TLS, and NetID-TLS fit together?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q6)

They are authentication options, not competing authorization models. OAuth can carry delegated token grants, while WebID-TLS or NetID-TLS can bind certificate-controlled keys to profile documents. ABAC consumes the authenticated identity and profile facts.

### [What does ABAC add beyond role-based access control?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q7)

ABAC can evaluate attributes of the agent, user, resource, operation, purpose, provenance, environment, and delegation. That makes it better suited to agent workflows that cross tools, files, graphs, APIs, and organizational boundaries.

### [How should write operations differ from read operations?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q8)

Write operations need stricter policy because they can mutate state, poison future context, trigger external effects, or publish data. A data space should distinguish read, append, update, delete, export, and named graph mutation permissions.

### [Where should policy enforcement happen?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q9)

Enforcement should happen at multiple edges: the agent runtime, filesystem mounts, network egress proxy, tool gateway, API gateway, database endpoint, WebDAV store, and RDF named graph. The same decision model should be reused across those edges.

### [What is the practical first step for an enterprise?](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23q10)

Start by minting resolvable agent and session IRIs, publishing minimal agent profile documents, and placing a policy enforcement point in front of one governed data space. Then expand from read-only access to controlled writes.

## Glossary

- [Containment](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23containment): A deterministic boundary that limits what an agent can reach, execute, mount, read, write, or exfiltrate even when prompts and classifiers fail.
- [Agent Identity](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23agent-identity): A hyperlink-denoted principal for an agent or agent session, separate from but linkable to the human user on whose behalf it acts.
- [Agent Profile Document](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23agent-profile-document): A machine-readable Web document that describes an agent, its controller, profile claims, public keys, delegated authority, and policy attributes.
- [Authentication](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23authentication): The protocol step that proves a user, agent, or delegated runtime controls a credential bound to a denoting hyperlink.
- [Authorization](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23authorization): The policy decision that determines which read or write operations an authenticated principal may perform against a data space.
- [Attribute-Based Access Control](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23attribute-based-access-control): Fine-grained authorization based on attributes of principals, resources, operations, environment, purpose, provenance, and delegation.
- [Data Spaces](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23data-spaces): Named, governed stores of documents, graphs, files, APIs, and databases where agent read and write operations occur.
- [Prompt Injection](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23prompt-injection): An attack where instructions in user text, tool output, files, or external content steer an agent toward unsafe behavior.
- [Persistent Memory Poisoning](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23persistent-memory-poisoning): A persistence risk where malicious instructions survive in memories, project files, or state directories and reload across sessions.
- [Multi-Agent Trust Escalation](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Flinkeddata.uriburner.com%2Fabout%2Fid%2Fentity%2Fhttps%2Fanthropic.com%2Fengineering%2Fhow-we-contain-claude%23multi-agent-trust-escalation): A multi-agent failure mode where lower-trust content becomes higher-trust because it is relayed through another agent.

## SPARQL

[Run entity type summary](https://linkeddata.uriburner.com/sparql?query=PREFIX%20schema%3A%20%3Chttp%3A%2F%2Fschema.org%2F%3E%0ASELECT%20%3Ftype%20(SAMPLE(%3Fs)%20AS%20%3Fsample)%20(COUNT(*)%20AS%20%3Fcount)%0AFROM%20%3Chttps%3A%2F%2Flinkeddata.uriburner.com%2FDAV%2Fdemos%2Fdaas%2Fagent-containment-linked-data-identity-meshup-gpt5-1.ttl%3E%0AWHERE%20%7B%20%3Fs%20a%20%3Ftype%20%7D%0AGROUP%20BY%20%3Ftype%0AORDER%20BY%20DESC(%3Fcount)&format=text%2Fx-html%2Btr&timeout=0&debug=on&run=+Run+Query+)

```sparql
PREFIX schema: <http://schema.org/>
SELECT ?type (SAMPLE(?s) AS ?sample) (COUNT(*) AS ?count)
FROM <https://linkeddata.uriburner.com/DAV/demos/daas/agent-containment-linked-data-identity-meshup-gpt5-1.ttl>
WHERE { ?s a ?type }
GROUP BY ?type
ORDER BY DESC(?count)
```

## Provenance

Generated on 2026-05-29 using [kg-generator](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fgithub.com%2FOpenLinkSoftware%2Fai-agent-skills%2Ftree%2Fmain%2Fkg-generator%23this) and [rdf-infographic-skill](https://linkeddata.uriburner.com/describe/?url=https%3A%2F%2Fgithub.com%2FOpenLinkSoftware%2Fai-agent-skills%2Ftree%2Fmain%2Frdf-infographic-skill%23this). Resolver pattern: `https://linkeddata.uriburner.com/describe/?url={encodedIRI}`. Named graph target: `https://linkeddata.uriburner.com/DAV/demos/daas/agent-containment-linked-data-identity-meshup-gpt5-1.ttl`.
