
PIC — AI Agent Orchestration

An AI agent acting on behalf of a human user calls an external tool. In traditional agent designs, the agent holds its own credentials and the tool sees the agent as the actor — the classic confused deputy setup, where prompt injection or a malicious tool call can use the agent's ambient privileges. PIC inverts this: the agent is an EXECUTOR within Alice's transaction, not an independent actor. PCA_0 carries Alice as p_0 and her authority set as ops_0. When the agent calls a tool, it submits a PoC for a STRICTLY narrower scope (only what this specific tool call needs); the CAT mints PCA_1 bound to the tool. The tool executes under Alice's authority, restricted to the agent-requested subset. The agent has no privileges of its own — confused deputy is structurally impossible. References pic-spec.md §6.7 and §7.2.

Sequence diagram. Participants: Alice (User), Federation Bridge, AI Agent, CAT (Trust Plane), Search Tool.
1. Authenticate → PCA_0 (200)
2. "summarize my 2024 files"
3. POST /poc (request narrow s…
4. PCA_1 (signed, scoped to to…
5. POST /search + PCA_1
6. 200 OK (under Alice's autho…

POST https://fed.example.com/pic/bootstrap → 200

Alice authenticates and the Federation Bridge issues PCA_0 bound to the AI Agent as E_0. The crucial design point: PCA_0.p_0 is alice@example.com, NOT the agent. The agent is the EXECUTOR (the one allowed to use this authority), but the AUTHORITY belongs to Alice. ops includes only what Alice has consented to for this session: read her files, call the search API.

executor.binding identifies the agent by deployment-specific identity (model_id + tenant + environment). Two parallel agents serving different users would each get their own PCA_0; a PCA_0 is never shared.

ops_0 is the OUTER bound for this entire agent session. Anything the agent does — directly or via tools — must fit inside this set.

constraints.exp = 1800s (30 min) is conservative for agent sessions; many deployments use 5–15 min and refresh PCA_0 from a fresh user authentication when needed.

If Alice has not consented to call:search_api, the Federation Bridge MUST NOT include it in ops_0. Consent shapes ops_0 at issuance; there is no later 'expand scope' mechanism.


Step 1: Authenticate → PCA_0

Request / response
POST https://fed.example.com/pic/bootstrap
Content-Type: application/json
Authorization: Bearer <alice's OIDC ID Token>

Body
{
  "credential_type": "oidc_id_token",
  "credential": "<id_token>",
  "executor_attestation": {
    "type": "model_identity",
    "model_id": "agent-7d-v3",
    "deployment": "tenant-acme/prod"
  }
}
PCA_0 (bound to AI Agent as E_0), pca+cose
Header
{
  "alg": "EdDSA",
  "kid": "fed-bridge-kid-01",
  "typ": "pca+cose"
}
Payload
{
  "hop": 0,
  "p_0": "alice@example.com",
  "ops": [
    "read:files/*",
    "call:search_api"
  ],
  "executor": {
    "binding": "agent:7d-v3:prod"
  },
  "provenance": null,
  "constraints": {
    "temporal":
  }
}
sig: PCA_0_FED_SIG
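
One way an issuer such as the CAT could check that a PoC stays inside ops_0 and strictly narrows it before minting the next hop, using the PCA_0 values above. This is an added example, not code from the PIC project or pic-spec.md; the PoC field names, the `tool:search` binding, the `issued_at` parameter and the trailing-`*` prefix matching are assumptions.

```python
import time

# Values copied from the PCA_0 payload on this page; EXP_SECONDS is the 1800s exp.
PCA_0 = {"hop": 0, "p_0": "alice@example.com",
         "ops": ["read:files/*", "call:search_api"],
         "executor": {"binding": "agent:7d-v3:prod"}}
EXP_SECONDS = 1800

def covers(granted, requested):
    """True if one granted op authorizes the requested op.
    Assumption: a trailing '*' on a granted op is a prefix wildcard."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def derive_successor(pca, poc, issued_at, now=None):
    """Return the payload for the next hop, or raise PermissionError.
    poc keys (executor, ops, next_executor) are hypothetical names."""
    now = time.time() if now is None else now
    if poc["executor"] != pca["executor"]["binding"]:
        raise PermissionError("PoC not from the executor bound in the PCA")
    if now >= issued_at + EXP_SECONDS:
        raise PermissionError("predecessor PCA expired")
    requested = poc["ops"]
    if not requested:
        raise PermissionError("PoC requests no ops")
    for op in requested:
        # Reject '..' so a prefix match cannot be walked out of its subtree.
        if ".." in op or not any(covers(g, op) for g in pca["ops"]):
            raise PermissionError(f"op outside predecessor ops: {op}")
    # Strictly narrower: at least one granted op must be left uncovered.
    if all(any(covers(r, g) for r in requested) for g in pca["ops"]):
        raise PermissionError("PoC does not narrow the predecessor scope")
    return {"hop": pca["hop"] + 1,
            "p_0": pca["p_0"],  # origin principal is carried, never replaced
            "ops": sorted(requested),
            "executor": {"binding": poc["next_executor"]}}

if __name__ == "__main__":
    # Constructed PoC: the agent asks only for the search call.
    poc = {"executor": "agent:7d-v3:prod", "ops": ["call:search_api"],
           "next_executor": "tool:search"}
    print(derive_successor(PCA_0, poc, issued_at=time.time()))
```

A request that repeats ops_0 unchanged is rejected along with any widening one, so the tool never receives the agent session's full scope.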