@prefix : . @prefix schema: . @prefix owl: . @prefix prov: . @prefix dcterms: . @prefix skos: . @prefix acl: . @prefix foaf: . a schema:CreativeWork, schema:Article ; schema:name "Agent Containment and Linked Data Identity Meshup"@en ; schema:headline "Contain agents with deterministic boundaries and govern them with hyperlink-based identity"@en ; schema:description """A document collection combining Tomasz Tunguz's Jonathan Jaffe office-hours framing of the agentic enterprise, Anthropic's containment engineering lessons, and OpenLink self-sovereign identity patterns for agent identity, profiles, authentication, authorization, and data-space operations."""@en ; schema:abstract """The core thesis is that agent safety and enterprise adoption converge on the same architecture: containment caps blast radius, while linked-data identity and profile documents make delegation, authentication, authorization, and data-space read/write permissions machine-computable across loosely coupled systems."""@en ; schema:inLanguage "en"@en ; schema:dateCreated "2026-05-29"@en ; schema:isBasedOn , , , , ; schema:citation , , , , ; schema:about , , , , , , , , ; schema:hasPart , , , , , ; prov:wasGeneratedBy , . a schema:ArticleSection ; schema:name "Fundamental Thesis"@en ; schema:text """Agentic security should be treated as a loose-coupled systems problem. Model defenses reduce likelihood, containment reduces blast radius, and linked-data identity plus ABAC decides what an authenticated agent may read or write in named data spaces."""@en ; schema:isPartOf . a schema:ArticleSection ; schema:name "Source Synthesis"@en ; schema:text """The Tunguz/Jaffe framing treats agentic enterprise security as machine-speed defense and oversight. Anthropic shows why containment must be deterministic at environment, network, filesystem, and tool boundaries. OpenLink's YouID, NetID-TLS, and Web logic articles show how hyperlink-denoted identities and profile documents make claims computable at Web scale."""@en ; schema:isPartOf . a schema:ArticleSection ; schema:name "Citations"@en ; schema:text "Prompt source documents cited by this meshup."@en ; schema:citation , , , , ; schema:isPartOf . a schema:Article ; schema:name "How we contain Claude across products"@en ; schema:url ; schema:publisher ; schema:datePublished "2026-05-25"@en ; schema:about , , , , , . a schema:BlogPosting ; schema:name "Securing the Agentic Enterprise"@en ; schema:url ; schema:author ; schema:about , , ; schema:description """Office-hours framing for enterprise security when defenders and attackers both operate with AI agents, emphasizing automated defense, systems thinking, and machine-speed trust decisions."""@en . a schema:Article ; schema:name "YouID and Self-Sovereign Identity using Decentralized Public Key Infrastructure"@en ; schema:url ; schema:author ; schema:about , , . a schema:Article ; schema:name "Self-Sovereign Identity using NetID-TLS via a YouID-Generated Profile Document"@en ; schema:url ; schema:author ; schema:about , , . a schema:Article ; schema:name "Web, Logic, Sentences, and the Magic of Being You!"@en ; schema:url ; schema:author ; schema:about , , . a schema:HowTo ; schema:name "How to govern contained agents with linked-data identity"@en ; schema:description "A loose-coupled implementation path for agent identity, profiles, authentication, ABAC authorization, and data-space operations."@en ; schema:step , , , , ; schema:isPartOf . a schema:FAQPage ; schema:name "FAQ"@en ; schema:mainEntity , , , , , , , , , ; schema:isPartOf . a schema:DefinedTermSet ; schema:name "Glossary"@en ; schema:hasDefinedTerm , , , , , , , , , ; schema:isPartOf . a schema:Role ; schema:name "Delegated Agent Principal"@en ; schema:roleName "Agent acting on behalf of a user"@en ; schema:agent ; schema:recipient ; schema:about . a schema:Service ; schema:name "Policy Decision Point"@en ; schema:serviceType "ABAC decision service"@en ; schema:about , . a schema:Service ; schema:name "Policy Enforcement Point"@en ; schema:serviceType "Runtime and data-space guard"@en ; schema:about , , . schema:about . schema:about . schema:about . schema:about . schema:about . schema:about . schema:isPartOf . schema:isPartOf . schema:target . a schema:DefinedTerm, skos:Concept ; schema:name "Containment"@en ; schema:description """A deterministic boundary that limits what an agent can reach, execute, mount, read, write, or exfiltrate even when prompts and classifiers fail."""@en ; skos:prefLabel "Containment"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Agent Identity"@en ; schema:description """A hyperlink-denoted principal for an agent or agent session, separate from but linkable to the human user on whose behalf it acts."""@en ; skos:prefLabel "Agent Identity"@en . a schema:DefinedTerm, skos:Concept ; schema:name "Agent Profile Document"@en ; schema:description """A machine-readable Web document that describes an agent, its controller, profile claims, public keys, delegated authority, and policy attributes."""@en ; skos:prefLabel "Agent Profile Document"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Authentication"@en ; schema:description """The protocol step that proves a user, agent, or delegated runtime controls a credential bound to a denoting hyperlink."""@en ; skos:prefLabel "Authentication"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Authorization"@en ; schema:description """The policy decision that determines which read or write operations an authenticated principal may perform against a data space."""@en ; skos:prefLabel "Authorization"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Attribute-Based Access Control"@en ; schema:description """Fine-grained authorization based on attributes of principals, resources, operations, environment, purpose, provenance, and delegation."""@en ; skos:prefLabel "Attribute-Based Access Control"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Data Spaces"@en ; schema:description """Named, governed stores of documents, graphs, files, APIs, and databases where agent read and write operations occur."""@en ; skos:prefLabel "Data Spaces"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Prompt Injection"@en ; schema:description """An attack where instructions in user text, tool output, files, or external content steer an agent toward unsafe behavior."""@en ; skos:prefLabel "Prompt Injection"@en ; owl:sameAs . a schema:DefinedTerm, skos:Concept ; schema:name "Persistent Memory Poisoning"@en ; schema:description """A persistence risk where malicious instructions survive in memories, project files, or state directories and reload across sessions."""@en ; skos:prefLabel "Persistent Memory Poisoning"@en . a schema:DefinedTerm, skos:Concept ; schema:name "Multi-Agent Trust Escalation"@en ; schema:description """A multi-agent failure mode where lower-trust content becomes higher-trust because it is relayed through another agent."""@en ; skos:prefLabel "Multi-Agent Trust Escalation"@en . a schema:HowToStep ; schema:position "1"@en ; schema:name "Mint agent and session IRIs"@en ; schema:text """Create persistent IRIs for durable agents and ephemeral IRIs for sessions or runtimes. Keep both dereferenceable."""@en ; schema:isPartOf . a schema:HowToStep ; schema:position "2"@en ; schema:name "Publish an agent profile"@en ; schema:text """Describe the agent, controller, user delegation, public keys, permitted tools, data-space claims, and on-behalf-of relationships using RDF or JSON-LD."""@en ; schema:isPartOf . a schema:HowToStep ; schema:position "3"@en ; schema:name "Bind authentication to the profile"@en ; schema:text """Use OAuth, WebID-TLS, NetID-TLS, or a comparable protocol to prove credential control and reconcile the credential with the profile document."""@en ; schema:isPartOf . a schema:HowToStep ; schema:position "4"@en ; schema:name "Evaluate ABAC before read/write"@en ; schema:text """Call a policy decision point with agent, user, resource, operation, purpose, sensitivity, provenance, and environment attributes."""@en ; schema:isPartOf . a schema:HowToStep ; schema:position "5"@en ; schema:name "Enforce at the runtime and data-space edge"@en ; schema:text """Use sandboxes, VMs, egress proxies, filesystem mounts, named graph ACLs, and API gateways as policy enforcement points."""@en ; schema:isPartOf . a schema:Question ; schema:name "What is the fundamental thesis?"@en ; schema:text "What is the fundamental thesis?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: What is the fundamental thesis?"@en ; schema:text """Agent safety cannot rely only on model behavior or approval prompts. It needs deterministic containment plus hyperlink-based identity, profile-driven delegation, standards-based authentication, ABAC authorization, and explicit read/write boundaries around data spaces."""@en . a schema:Question ; schema:name "How does this remedy Anthropic's agent identity problem?"@en ; schema:text "How does this remedy Anthropic's agent identity problem?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: How does this remedy Anthropic's agent identity problem?"@en ; schema:text """It separates principal identity from delegated authority. The agent can have a resolvable identity while the profile states who it represents, why it is acting, which credentials it may use, and which operations policies permit."""@en . a schema:Question ; schema:name "Why are data spaces central?"@en ; schema:text "Why are data spaces central?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: Why are data spaces central?"@en ; schema:text """Most agent risk becomes concrete at data boundaries: reading secrets, writing production state, deleting files, uploading to approved APIs, or poisoning persistent context. Data spaces provide the named resources over which ABAC can make precise decisions."""@en . a schema:Question ; schema:name "Why is containment still needed if authentication is strong?"@en ; schema:text "Why is containment still needed if authentication is strong?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: Why is containment still needed if authentication is strong?"@en ; schema:text """Authentication proves who or what is acting. It does not guarantee that the agent's prompt context, tool output, memory, or workflow intent is safe. Containment limits what authenticated code can reach when higher-level controls fail."""@en . a schema:Question ; schema:name "What should an agent profile document contain?"@en ; schema:text "What should an agent profile document contain?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: What should an agent profile document contain?"@en ; schema:text """It should describe the agent IRI, controller, acting user, on-behalf-of relationship, public keys or credential references, allowed tools, intended purposes, data-space claims, policy attributes, and provenance in machine-computable RDF or JSON-LD."""@en . a schema:Question ; schema:name "How do OAuth, WebID-TLS, and NetID-TLS fit together?"@en ; schema:text "How do OAuth, WebID-TLS, and NetID-TLS fit together?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: How do OAuth, WebID-TLS, and NetID-TLS fit together?"@en ; schema:text """They are authentication options, not competing authorization models. OAuth can carry delegated token grants, while WebID-TLS or NetID-TLS can bind certificate-controlled keys to profile documents. ABAC consumes the authenticated identity and profile facts."""@en . a schema:Question ; schema:name "What does ABAC add beyond role-based access control?"@en ; schema:text "What does ABAC add beyond role-based access control?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: What does ABAC add beyond role-based access control?"@en ; schema:text """ABAC can evaluate attributes of the agent, user, resource, operation, purpose, provenance, environment, and delegation. That makes it better suited to agent workflows that cross tools, files, graphs, APIs, and organizational boundaries."""@en . a schema:Question ; schema:name "How should write operations differ from read operations?"@en ; schema:text "How should write operations differ from read operations?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: How should write operations differ from read operations?"@en ; schema:text """Write operations need stricter policy because they can mutate state, poison future context, trigger external effects, or publish data. A data space should distinguish read, append, update, delete, export, and named graph mutation permissions."""@en . a schema:Question ; schema:name "Where should policy enforcement happen?"@en ; schema:text "Where should policy enforcement happen?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: Where should policy enforcement happen?"@en ; schema:text """Enforcement should happen at multiple edges: the agent runtime, filesystem mounts, network egress proxy, tool gateway, API gateway, database endpoint, WebDAV store, and RDF named graph. The same decision model should be reused across those edges."""@en . a schema:Question ; schema:name "What is the practical first step for an enterprise?"@en ; schema:text "What is the practical first step for an enterprise?"@en ; schema:acceptedAnswer . a schema:Answer ; schema:name "Answer: What is the practical first step for an enterprise?"@en ; schema:text """Start by minting resolvable agent and session IRIs, publishing minimal agent profile documents, and placing a policy enforcement point in front of one governed data space. Then expand from read-only access to controlled writes."""@en . a schema:Organization ; schema:name "Anthropic"@en ; schema:url . a schema:Organization ; schema:name "OpenLink Software"@en ; schema:url . a schema:Person ; schema:name "Tomasz Tunguz"@en ; schema:url . a schema:Person ; schema:name "Jonathan Jaffe"@en . a schema:Person ; schema:name "Kingsley Uyi Idehen"@en ; schema:affiliation . a schema:SoftwareApplication ; schema:name "kg-generator skill"@en ; schema:url . a schema:SoftwareApplication ; schema:name "rdf-infographic-skill"@en ; schema:url .