Towards secure, autonomous agents with information-flow control (IFC)
Information-flow control: Moving toward secure, autonomous agents
A deterministic security system, information-flow control (IFC) offers a promising path towards secure and autonomous agents.
By Santiago Zanella-Béguelin (Principal Researcher, Microsoft), Shruti Tople (Principal Researcher, Microsoft), Mark Russinovich (Azure CTO & Technical Fellow, Microsoft), Aashish Kolluri (Senior Researcher, Microsoft), Boris Köpf (Senior Principal Researcher, Microsoft), and Manuel Costa (VP & Distinguished Engineer, Microsoft)
When agents can take high-stakes actions like sending an email, sharing a business document, or opening a pull request, a single misstep has the potential to leak confidential data or hand control to an attacker that may then invoke tools that break security or cause damage. Today, we often manage that risk by putting a human in the loop to approve consequential actions. This scales poorly, erodes vigilance, and takes away the very autonomy that makes agents useful.
We lean on humans as a safeguard because the models driving agents behave stochastically, make mistakes, and could be steered by malicious content smuggled in through prompt injection. Despite progress in model alignment, contextual awareness, and content safety classifiers, security can’t depend solely on probabilistic mitigations. A good rule of thumb to keep in mind when designing an agentic system is that anything that an agent can do in response to a user prompt can also be accomplished by a model’s mistake or by an attacker with a prompt injection.
A promising path towards secure and autonomous agents is through information-flow control (IFC), a deterministic security system built on three simple steps:
Label data. Every piece of data that an agent ingests carries labels for integrity (for example, trusted or untrusted) and confidentiality (for example, public, confidential, or a read-access list such as {Alice, Bob, Charlie}).
Propagate labels. As data flows into the agent loop and derivative results are produced, labels travel with them. Derived data is labelled conservatively with the least upper bound of its sources: a result influenced by an untrusted input stays untrusted, and a result based on two documents is readable only by principals who could read both source documents.
Check before acting. Before each tool call, a policy engine inspects the relevant labels and decides whether to allow the action, block it, or ask a human to review it.
This turns a probabilistic system into one with guarantees you can audit. Because the policy engine relies on labels that an attacker can’t manipulate and is independent of the model’s judgement, it can enforce policies deterministically. The policy “untrusted data can never influence a consequential action” closes off prompt injection. The policy “data can only egress to destinations compatible with its confidentiality label” closes off data exfiltration. The user is consulted only when it genuinely matters—for example, when an action risks revealing information to someone who didn’t previously have access to it. The UI dialogs shown to the user can also be made more effective, highlighting the origin of untrusted data or what data is being shared more broadly and with whom.
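A minimal model of the three steps and the two policies above, written as an added example for this post and not taken from the authors or from any of the frameworks it names; the tool names, the documents in demo() and the allow/block/ask_user outcomes are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Integrity(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"

PUBLIC = None  # readers value meaning "anyone may read this"
@dataclass(frozen=True)
class Label:
    integrity: Integrity            # step 1: trusted or untrusted
    readers: "frozenset | None"     # step 1: read-access list, or PUBLIC
    def join(self, other):
        # Least upper bound (step 2): untrusted wins, readers are intersected.
        tainted = Integrity.UNTRUSTED in (self.integrity, other.integrity)
        if self.readers is PUBLIC or other.readers is PUBLIC:
            readers = self.readers if other.readers is PUBLIC else other.readers
        else:
            readers = self.readers & other.readers
        return Label(Integrity.UNTRUSTED if tainted else Integrity.TRUSTED, readers)

def derive(*sources):
    # Label for data computed from several sources: the join of all their labels.
    label = sources[0]
    for src in sources[1:]:
        label = label.join(src)
    return label

CONSEQUENTIAL = {"send_email", "share_document", "open_pull_request"}  # assumed tool names
def check_tool_call(tool, inputs, destination_readers):
    # Step 3: the policy engine decides before the tool runs.
    if tool in CONSEQUENTIAL and any(i.integrity is Integrity.UNTRUSTED for i in inputs):
        return "block"      # untrusted data never influences a consequential action
    if any(i.readers is not PUBLIC and not destination_readers <= i.readers for i in inputs):
        return "ask_user"   # egress would widen who can read the data
    return "allow"

def demo():
    # Constructed sample labels (not from the post): two documents and a web page.
    doc_a = Label(Integrity.TRUSTED, frozenset({"Alice", "Bob"}))
    doc_b = Label(Integrity.TRUSTED, frozenset({"Bob", "Charlie"}))
    web = Label(Integrity.UNTRUSTED, PUBLIC)
    summary = derive(doc_a, doc_b)   # readable only by Bob
    draft = derive(doc_a, web)       # readers {Alice, Bob}, but now untrusted
    return {
        "summary_to_bob": check_tool_call("send_email", [summary], frozenset({"Bob"})),
        "summary_to_alice": check_tool_call("send_email", [summary], frozenset({"Alice"})),
        "draft_to_bob": check_tool_call("send_email", [draft], frozenset({"Bob"})),
        "summarize_web": check_tool_call("summarize", [web], frozenset()),
    }
```

The email to Bob is allowed without any prompt, the one to Alice triggers a review because she could not read the budget document, and the draft influenced by the fetched page is blocked outright regardless of what the model intended.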
In our past research, we showed how IFC can reduce the need for human intervention, increasing autonomy while offering deterministic security guarantees. In this post, we focus on how IFC can be integrated into real agentic systems based on GitHub Copilot CLI, the Microsoft Agent Framework, and the Model Context Protocol (MCP). We begin with two...