Great Questions at the Conversational AI event

Great Questions at the Conversational AI event

Last night David, Arjun, and myself hosted another event at VCNest focused on Conversational AI.

I kicked off the event with a quick definition of conversational AI, and some level-setting ecosystem diagrams. We then dropped into tech with Arjun presenting a demo of Langflow, Astha, and Infobip

I then did a quick run through a presentation I gave at Google a few weeks before, which showed Matchwise for context and then into an architecture for the Agentic Economy (shown below).

And then the audience starting asking questions...

While most of the questions I'd heard before and was prepared to answer, one question threw me and I'm not sure I gave the most complete answer:

How does the Agentic Profile prevent an agent from being hacked through prompts and then affecting other agents in a bad way?

I believe this question came from a containerization perspective and might have been rooted from the slide above that showed Mike's agent in the same area as the Matchwise service.

Let's break this down:

  • The Agentic Profile, DIDs, and A2A are not containerization technology such as Kubernetes or Docker.
  • For containerization, it's not good practice to mix trusted code (such as what you've written) with code from other people (such as a third party agent).
  • Matchwise follows the above pattern and only has in-house agents in our containers.
  • Matchwise, with the support of DID documents, will soon support third-party agents which operate in their own containers.
  • Agents in general, because they are new tech and a lot of novices are creating them, are suffering from security problems that other mature development communities have a better handle on.

Diving into the last point... For example a Node.js server that accesses a SQL database and makes outbound HTTPS request to other third party services has a lot of rope to manage, but those developers know to avoid SQL injection attacks, use mature user authentication tech, host on a containerized platform like Lambda, and to sanitize results from third party services. Anyone can write horrible Node.js services and self-host them on a server they configured, but mature engineers know better.

Agents with dynamic tools = (massively) larger attack surface

A2A and MCP bring great power, and even greater responsibility. Letting a model dynamically choose a tool from a large palette increases the attack surface by the number of tools in the palette X the amount of data each tool has access to X data access permissions (e.g. read, write, update, or even delete!) That is a very large surface area and best practices and security tech is still evolving.

Saying this space is nascent is an understatement.

Where does the Agentic Profile fit in?

The Agentic Profile is a small amount of glue between DIDs, A2A, and MCP which makes discovery of user/business/gov scoped agents possible, makes authentication universal and highly secure, and paves the way for the Agentic Economy.

If you have any questions or ideas, please connect with Mike Prince on LinkedIn.