Agentic AI systems automate enterprise workflows, but existing defenses (guardrails, semantic filters) are probabilistic and routinely bypassed. We introduce authenticated workflows, the first complete trust layer for enterprise agentic AI. Security reduces to protecting four fundamental boundaries: prompts, tools, data, and context. We enforce intent (operations satisfy organizational policies) and integrity (operations are cryptographically authentic) at every boundary crossing, combining cryptographic elimination of attack classes with runtime policy enforcement. This delivers deterministic security: operations either carry valid cryptographic proof or are rejected. We introduce MAPL, an AI-native policy language that expresses agentic constraints dynamically as agents evolve and invocation context changes, scaling as O(log M + N) policies versus O(M × N) rules through hierarchical composition with cryptographic attestations for workflow dependencies. We prove practicality through a universal security runtime integrating nine leading frameworks (MCP, A2A, OpenAI, Claude, LangChain, CrewAI, AutoGen, LlamaIndex, Haystack) through thin adapters requiring zero protocol modifications. Formal proofs establish completeness and soundness. Empirical validation shows 100% recall with zero false positives across 174 test cases, protection against 9 of 10 OWASP Top 10 risks, and complete mitigation of two high-impact production CVEs.
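The following is an added illustration of the two checks the abstract describes at a boundary crossing, integrity (the operation carries a valid attestation or is rejected) and intent (the operation is allowed by the policies that apply to the agent), written for this page and not taken from the paper or its runtime. It assumes a keyed HMAC as a stand-in for the paper's unspecified attestation scheme, a simple parent-to-child deny tree as a stand-in for MAPL's hierarchical composition (the real MAPL syntax is not on this page), and a constructed demo key; every name in the block (Operation, PolicyNode, attest, enforce) is hypothetical.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, Optional, Set, Tuple

# The four boundaries named in the abstract.
BOUNDARIES = {"prompt", "tool", "data", "context"}

# Constructed demo key; a production deployment would use per-principal
# asymmetric keys so that the verifier never holds signing capability.
DEMO_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Operation:
    boundary: str                 # which boundary this crossing targets
    agent_path: Tuple[str, ...]   # position of the agent in the org tree
    action: str                   # the operation being requested
    payload: str                  # arguments, serialized


def canonical_bytes(op: Operation) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(asdict(op), sort_keys=True, separators=(",", ":")).encode()


def attest(op: Operation, key: bytes) -> str:
    # Hypothetical attestation: HMAC-SHA256 over the canonical operation.
    return hmac.new(key, canonical_bytes(op), hashlib.sha256).hexdigest()


def verify(op: Operation, proof: str, key: bytes) -> bool:
    # Constant-time comparison; any byte of the operation changed -> False.
    return hmac.compare_digest(attest(op, key), proof)


@dataclass
class PolicyNode:
    name: str
    deny: Dict[str, Set[str]] = field(default_factory=dict)   # boundary -> denied actions
    children: Dict[str, "PolicyNode"] = field(default_factory=dict)


def effective_denials(root: PolicyNode, agent_path: Tuple[str, ...]) -> Optional[Dict[str, Set[str]]]:
    # Walk root -> agent, accumulating denials; ancestors always apply.
    # Work is proportional to tree depth, not to (agents x rules).
    denied: Dict[str, Set[str]] = {b: set() for b in BOUNDARIES}
    node: Optional[PolicyNode] = root
    for level in (root, *agent_path):
        if level is not root:
            node = node.children.get(level) if node else None
            if node is None:
                return None   # unknown agent: fail closed
        for boundary, actions in node.deny.items():
            denied[boundary] |= actions
    return denied


def enforce(op: Operation, proof: str, key: bytes, root: PolicyNode) -> Tuple[str, str]:
    # Deterministic decision: either both checks pass or the operation is rejected.
    if op.boundary not in BOUNDARIES:
        return ("reject", "unknown boundary")
    if not verify(op, proof, key):
        return ("reject", "integrity: invalid or missing attestation")
    denied = effective_denials(root, op.agent_path)
    if denied is None:
        return ("reject", "intent: agent not covered by any policy")
    if op.action in denied[op.boundary]:
        return ("reject", f"intent: '{op.action}' denied at boundary '{op.boundary}'")
    return ("allow", "ok")


def build_demo_policy() -> PolicyNode:
    # Constructed three-level tree: org denies record deletion via tools everywhere,
    # finance additionally denies data export; the invoice agent inherits both.
    invoice_agent = PolicyNode("invoice-agent")
    finance = PolicyNode("finance", deny={"data": {"export"}}, children={"invoice-agent": invoice_agent})
    return PolicyNode("org", deny={"tool": {"delete_records"}}, children={"finance": finance})


def run_demo() -> Dict[str, Tuple[str, str]]:
    root = build_demo_policy()
    path = ("finance", "invoice-agent")
    ok = Operation("tool", path, "read_invoice", "inv-42")
    proof = attest(ok, DEMO_KEY)
    tampered = Operation("tool", path, "read_invoice", "inv-43")   # payload changed after signing
    return {
        "signed_allowed": enforce(ok, proof, DEMO_KEY, root),
        "tampered_payload": enforce(tampered, proof, DEMO_KEY, root),
        "denied_by_org": enforce(Operation("tool", path, "delete_records", "all"),
                                 attest(Operation("tool", path, "delete_records", "all"), DEMO_KEY), DEMO_KEY, root),
        "denied_by_finance": enforce(Operation("data", path, "export", "ledger"),
                                     attest(Operation("data", path, "export", "ledger"), DEMO_KEY), DEMO_KEY, root),
        "unknown_agent": enforce(Operation("prompt", ("marketing", "bot"), "summarize", "q3"),
                                 attest(Operation("prompt", ("marketing", "bot"), "summarize", "q3"), DEMO_KEY), DEMO_KEY, root),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The point the block makes is the one the abstract states: the verifier does not estimate whether an operation looks malicious, it checks a proof and a policy and rejects anything that fails either, including agents the policy tree does not know about.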