mrajagopalan 19 hours ago

A bit late to this discussion — but we've been looking at this problem for a while and have implemented a cryptographic approach I wrote about here: https://news.ycombinator.com/item?id=45244297_ID

TL;DR: We treat AI components like untrusted network services and apply mTLS-style verification. The aha! was in making security invisible to developers. It works.

The key insight for us was that we need to reimagine security boundaries for agentic interactions, including LLM tool calling. We built "Authenticated Workflows" - cryptographic enforcement at the tool layer. Intent is signed before the LLM sees it, tools verify independently, policies are cryptographically bound. Even confused LLMs can't forge signatures.

Technical details here: https://www.macawsecurity.com/blog/zero-trust-tool-calling-f...

Feedback and inputs much appreciated.
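To make the "sign intent before the LLM sees it, verify independently at the tool" pattern concrete, here is an added sketch. It is constructed for this thread and is not Macaw Security's code; the message format, the `sign_intent`/`verify_call` names and the policy shape are assumptions. It uses a stdlib HMAC as a stand-in for the signature scheme: the point carried over is that the key lives with the policy service and the tool layer, never with the model, so a prompt-injected model can rewrite the call but cannot produce a valid signature over a changed policy.

```python
"""Signed tool-call intents: a constructed illustration of the pattern in the
comment above, not Macaw Security's code. HMAC-SHA256 stands in for the
signature scheme (assumption); a real deployment would use an asymmetric
signature so tools hold only a verification key."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared by the policy service and the tool layer.
# The LLM never holds it, so it cannot mint or alter intents.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_intent(key: bytes, principal: str, tool: str, policy: dict,
                ttl_s: int = 300, now: Optional[float] = None) -> dict:
    """Issued by the trusted policy layer before the LLM is involved.
    The policy (allowed tool, argument constraints) is bound into the signed body."""
    now = time.time() if now is None else now
    body = {"principal": principal, "tool": tool, "policy": policy,
            "exp": int(now) + ttl_s}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_call(key: bytes, call: dict, now: Optional[float] = None) -> tuple:
    """Run at the tool boundary, independently of the LLM. `call` is model
    output; it must carry a validly signed intent and fit the bound policy."""
    now = time.time() if now is None else now
    intent = call.get("intent") or {}
    body, sig = intent.get("body"), intent.get("sig", "")
    if not isinstance(body, dict):
        return False, "missing intent"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"          # body was altered after signing
    if now > body["exp"]:
        return False, "intent expired"
    if call.get("tool") != body["tool"]:
        return False, "tool not covered by intent"
    rules = body["policy"].get("args", {})
    for name, value in call.get("args", {}).items():
        rule = rules.get(name)
        if rule is None:
            return False, f"argument not permitted: {name}"
        if "prefix" in rule and not str(value).startswith(rule["prefix"]):
            return False, f"argument out of policy: {name}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenarios: one legitimate call and four that must be refused."""
    t0 = 1_700_000_000
    policy = {"args": {"path": {"prefix": "/srv/docs/"}}}
    intent = sign_intent(DEMO_KEY, "alice", "read_file", policy, now=t0)
    good = {"tool": "read_file", "args": {"path": "/srv/docs/readme.md"}, "intent": intent}
    # Model asks for a path outside the bound policy; signature is intact, policy denies.
    out_of_policy = {"tool": "read_file", "args": {"path": "/srv/private/payroll.csv"}, "intent": intent}
    # Model rewrites the policy inside the intent it was handed; signature no longer matches.
    widened = {"body": {**intent["body"], "policy": {"args": {"path": {"prefix": "/"}}}},
               "sig": intent["sig"]}
    forged = {"tool": "read_file", "args": {"path": "/srv/private/payroll.csv"}, "intent": widened}
    # Model reuses a valid read intent for a different tool.
    other_tool = {"tool": "delete_file", "args": {"path": "/srv/docs/readme.md"}, "intent": intent}
    return {
        "good": verify_call(DEMO_KEY, good, now=t0 + 10),
        "out_of_policy": verify_call(DEMO_KEY, out_of_policy, now=t0 + 10),
        "forged": verify_call(DEMO_KEY, forged, now=t0 + 10),
        "other_tool": verify_call(DEMO_KEY, other_tool, now=t0 + 10),
        "expired": verify_call(DEMO_KEY, good, now=t0 + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The tool layer never consults the model's reasoning; it checks only the signature, the expiry, the tool name and the argument constraints that were fixed when the intent was issued, which is what keeps a confused model from widening its own permissions.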