This post is part of a series exploring the necessity of a new, autonomous communication protocol for AI agents. As we move toward a world where AI operates independently, establishing structure, security, and accountability becomes paramount. You can follow the complete series through the links below:
Part 1: AI Agents, Autonomy, and the Need for a New Communication Protocol
Part 2: The Role and Responsibilities of the Central Hub
Part 3: Identity, Authority, and Boundaries
Part 4: Definitions of Capability and Skill
Day by day, we are witnessing new developments, projects, and ideas emerging from the autonomous operation of AI agents. One recent example in this space was the Moldbook project, built with OpenClaw, which positioned itself as a kind of social media platform for AI models.
As interest in the topic has grown, new security issues and attack surfaces with clear abuse potential have inevitably emerged. Autonomous agents can carry out assigned tasks, but they also introduce many new problems through hallucinations.
These developments have led me, like many others interested in this field, to reflect on some fundamental questions. The questions I attempt to answer in this article, and the thoughts that triggered them, can be summarized as follows.
Can a new protocol be created that allows AI agents to communicate autonomously with one another?
At the core of this question lies the nature of today’s internet. The internet is an open environment where anyone can share any content in any form, without being controlled by a central authority.
This brings many different problems with it. Here, however, I want to focus specifically on the intersection of AI agents and security.
The fact that AI models receive instructions through natural language has fundamentally changed the nature of security threats. System vulnerabilities can now be exploited not only by technically skilled experts, but also by third parties who can guide an AI agent using conversational language.
There is a concept familiar to anyone even slightly involved with AI: the prompt. Translating this as “command” is reasonable. Attacks of this type are referred to in the literature as prompt injection. In this article, I prefer to use the term “command transfer.”
Command transfer is only one of the security problems that have emerged alongside autonomous agents.
The concept of skills and new risks
One of the concepts that has come to the forefront with the proliferation of autonomous agents is skills. Abilities such as using tools within the systems agents operate in, searching the internet, or posting on social media platforms fall under this category.
It does not stop there. New skills are being created for agents; in some cases, outputs even appear that claim agents can use entirely fictional tools that do not exist in reality.
These commands are not harmful on their own. After all, there is no program that actually executes them. However, the real question is this: what if someone notices this and attempts to turn these fictional tools into real systems?
At that point, matters become far more complex and dangerous.
You have likely encountered such examples. Rather than going into detail here, I want to conclude this section by referencing a particular study that especially made me reflect while preparing this article.
The entire internet as a new attack surface
Based on these examples, it is now possible to say that attack tools are no longer limited to software and code. Texts, images, QR codes, and even programs that do not yet exist have become potential attack vectors.
The openness of the internet makes this outcome almost inevitable. In my view, one of the core features that makes the internet so attractive is precisely the fact that it is not under anyone’s absolute control.
However, at this very point, when it comes to AI agents, a new question must be asked:
Can a new protocol be created that allows AI agents to communicate autonomously with one another?
I see the answer to this question as not only “possible,” but as an absolute necessity. If we consider what happened around OpenClaw as a kind of social experiment, we can clearly see how an uncontrollable system quickly generates complex problems and new attack surfaces.
What characteristics should such a protocol have?
Before addressing this question, it is important to consider the scale at which we should approach the topic. It is no longer debatable that AI is a permanent part of our lives. The chat assistants and autonomous agents we talk about today represent only a small fraction of their application areas.
In the coming years, we expect robots to become widespread and sectors such as healthcare, education, law, communication, transportation, and security to become integrated with AI agents. Saying that much of the world as we know it today will be left behind within the next five years is not an exaggeration. For those working in science and technology, this transformation has already begun.
For this reason, I believe the protocol in question must be designed to encompass all areas of life, taking into account every sector that exists today and may emerge in the future.
We can already observe a transition from a world where products and services are positioned as economic value in themselves, to a system where the ability to produce knowledge and create new value becomes central. The productivity gains provided by AI are transforming not only efficiency, but the very concept of economic value. I believe this transformation will make knowledge production and processing a fundamental economic activity.
For this reason, I do not think future work will continue to be carried out manually by humans. The ability to generate new knowledge and create new value will become more critical than ever. A world in which people transfer their knowledge and experience to AI models, and those models complete tasks autonomously, is no longer a distant scenario.
So, for example, should a law firm abandon its current operations and attempt to develop its own AI model from scratch?
Of course not. We must remember that today’s competitive, general-purpose AI models are developed with billion-dollar budgets. One of the protocol’s core roles, therefore, is to provide a common foundation for all actors wishing to join the network. The protocol should provide participants with access to a freely available, open-source, open-weight base model equipped with certain capabilities.
This base model should have minimum abilities such as autonomous operation, visual data processing, and tool use.
Today, many models already satisfy most of these requirements. One such model could be taken as a reference, adapted to the protocol’s needs, and used as a shared base model.
Another critical point is that code and weights should be open, and development should be carried out transparently. In this way, not only developers but society as a whole can follow the system’s progress. Through training programs, it should be possible to cultivate a workforce suited to new professions and to ensure a more controlled and inclusive transition to this new order.
However, this level of openness also brings new responsibilities. It must be clearly defined what authorities autonomous agents operating on an open infrastructure have, and within what boundaries they may act. Otherwise, the balance between transparency and controllability can easily break down.
For this reason, the protocol should be designed to prioritize security, accountability, and long-term social stability over speed, profit, or speculative incentives. A closed network used only by autonomous agents—where agents collaborate under explicit constraints, can negotiate, and produce meaningful outputs—emerges as a critical requirement.
The fundamental reason for this is not only the abuse scenarios described above, but also the necessity for the protocol to enforce permissions and limitations effectively.
At this point, the question of how such a network would operate in practice becomes inevitable. For autonomous agents to operate in a structure that is not only technically but also administratively and securely auditable, identities, authorities, capabilities, and skills must be defined in a singular and consistent manner.
Since we are here, it is worth briefly explaining why these concepts are indispensable from the protocol’s perspective. For an autonomous agent to be part of a secure and predictable network, it is not enough for it to simply “work.” Above all, the rest of the network must be able to answer clearly: Who is this agent? What can it do? And what is it allowed to do?
Minimum building blocks for a secure network
Without answering these questions, agents cannot establish trust, collaborate, or assume responsibility. Moreover, identifying the source of an error or abuse becomes nearly impossible. Therefore, within the protocol, every agent’s identity, authorities, and capabilities must be clearly defined, and these definitions must mean the same thing to everyone.
The concepts discussed here—identity, authority, capability, and skill—represent more than technical terms; they are the minimum building blocks required for an autonomous system to function. In the next section, we will examine what each of these building blocks means in the context of the protocol, why they must be treated separately, and how they relate to one another.
Within the protocol, an agent is an entity that has a persistent identity, has been introduced to the network, and whose behavior can be tracked over time. Two agents derived from the same base model are considered completely different from the protocol’s perspective due to their identities, configurations, attached capabilities, and past behaviors. This distinction is critical for establishing trust relationships and tracking responsibility. An agent is not merely an AI model or a running piece of software.
The structure that defines what an agent can do consists of skills. Skills are clearly bounded, well-defined, and auditable functions. Their accepted inputs, produced outputs, operating conditions, and required permissions are defined in advance. This allows skills to be combined, tested, and restricted when necessary. An agent’s behavior is largely shaped by the composition of its skills.
For agents and skills to exist meaningfully within a shared network, there must be a structure where all these definitions are recorded and verified. In the protocol, this role is fulfilled by the hub. The hub does not perform tasks in place of agents or skills; it acts as a reference point that verifies their identities, attributes, and states. Multiple hubs may exist, but all must follow the same protocol rules. This prevents fragmentation as the network grows and allows trust relationships to generalize beyond local contexts.
The concept of domain is used to define the context in which agents operate. Domains such as law, medicine, or education determine where and how skills can be used, and limit the framework within which an agent’s competence is evaluated. The same skill may carry very different meanings and risks in different domains. Domain definitions make these differences visible at the protocol level.
Finally, the element that connects all these structures is the concept of score. Scores accumulate through verified contributions and represent domain-specific indicators of competence. An agent’s ability to take on higher-risk, higher-impact, or more sensitive tasks becomes possible gradually through these scores. Thus, authority expansion is not arbitrary but based on past performance.
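A minimal sketch of how the building blocks defined above could fit together in one authorization check, added here as an illustration and not part of the protocol or the author's own code. Every name in it (`Hub`, `Skill`, `Agent`, `authorize`, the numeric thresholds, the sample agents and skill) is an assumption, since the article does not specify a data model.

```python
from dataclasses import dataclass, field

@dataclass
class Skill:
    name: str
    min_score: dict  # domain -> score needed there (assumed threshold model)

@dataclass
class Agent:
    agent_id: str  # persistent identity, separate from the base model
    base_model: str
    skills: set = field(default_factory=set)
    scores: dict = field(default_factory=dict)  # domain -> accumulated score

class Hub:
    """Records and verifies definitions; it never runs a task itself."""
    def __init__(self):
        self.agents, self.skills = {}, {}

    def register(self, item):
        is_agent = isinstance(item, Agent)
        table, key = (self.agents, item.agent_id) if is_agent else (self.skills, item.name)
        if key in table:
            raise ValueError(f"{key} is already registered")
        table[key] = item

    def record_contribution(self, agent_id, domain, points, verified):
        if verified and points > 0:  # only verified contributions count
            scores = self.agents[agent_id].scores
            scores[domain] = scores.get(domain, 0) + points

    def authorize(self, agent_id, skill_name, domain):
        agent, skill = self.agents.get(agent_id), self.skills.get(skill_name)
        if agent is None:  # Who is this agent?
            return False, "unknown identity"
        if skill is None or skill_name not in agent.skills:  # What can it do?
            return False, "skill not attached"
        if domain not in skill.min_score:
            return False, "skill not defined for this domain"
        if agent.scores.get(domain, 0) < skill.min_score[domain]:  # Allowed to?
            return False, "score below domain threshold"
        return True, "allowed"

def demo():
    hub = Hub()
    hub.register(Skill("summarize_document", {"education": 0, "law": 50}))
    for name in ("agent-a", "agent-b"):  # same base model, distinct identities
        hub.register(Agent(name, "base-v1", {"summarize_document"}))
    before = hub.authorize("agent-a", "summarize_document", "law")
    hub.record_contribution("agent-a", "law", 60, verified=True)
    hub.record_contribution("agent-b", "law", 60, verified=False)
    return before, [hub.authorize(n, "summarize_document", "law") for n in ("agent-a", "agent-b")]
```

In `demo()`, both agents share a base model and a skill, yet only the one with verified contributions in the law domain gains authority there, and each denial names which of the three questions failed.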
While the necessity of such a protocol is clear, the question remains: how do we coordinate this vast network without falling into the trap of total centralization? In the next article, we will examine the Role and Responsibilities of the Central Hub — the technical and governing backbone that ensures the system remains stable without stifling the autonomy of the agents themselves.