{"id":1145874,"date":"2025-08-07T15:09:08","date_gmt":"2025-08-07T22:09:08","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-project&p=1145874"},"modified":"2026-04-19T23:36:21","modified_gmt":"2026-04-20T06:36:21","slug":"roma","status":"publish","type":"msr-project","link":"https:\/\/www.microsoft.com\/en-us\/research\/project\/roma\/","title":{"rendered":"Project Roma"},"content":{"rendered":"
\n\t
\n\t\t
\n\t\t\t\"aerial\t\t<\/div>\n\t\t\n\t\t
\n\t\t\t\n\t\t\t
\n\t\t\t\t\n\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\n

Project Roma<\/h1>\n\n\n\n

Deterministic security for AI agents<\/p>\n\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n<\/section>\n\n\n\n\n\n

Project Roma: Deterministic security for AI agents<\/h2>\n\n\n\n

AI agents perform consequential actions while processing data from various sources, including trusted collaborators and the public Web. It is crucial that AI agents handle this data with care: confidential data must be adequately protected, and untrusted data must not derail the agent’s behavior. However, AI agents rely on models that can behave unpredictably and are susceptible to manipulation. This makes them vulnerable to attacks such as indirect prompt injection attacks, which can steal and corrupt data. <\/p>\n\n\n\n

Project Roma aims to create a system-level, deterministic protective layer that hardens AI agents, providing strong security and confidentiality guarantees even when the models they use misbehave.<\/p>\n\n\n\n

<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"

Deterministic security for AI agents AI agents perform consequential actions while processing data from various sources, including trusted collaborators and the public Web. It is crucial that AI agents handle this data with care: confidential data must be adequately protected, and untrusted data must not derail the agent’s behavior. However, AI agents rely on models […]<\/p>\n","protected":false},"featured_media":1147556,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"research-area":[13556,13558],"msr-locale":[268875],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-1145874","msr-project","type-msr-project","status-publish","has-post-thumbnail","hentry","msr-research-area-artificial-intelligence","msr-research-area-security-privacy-cryptography","msr-locale-en_us","msr-archive-status-active"],"msr_project_start":"","related-publications":[1146435,1146437,1162338],"related-downloads":[],"related-videos":[],"related-groups":[559983],"related-events":[],"related-opportunities":[],"related-posts":[],"related-articles":[],"tab-content":[],"slides":[],"related-researchers":[{"type":"user_nicename","display_name":"Manuel Costa","user_id":32794,"people_section":"Section name 0","alias":"manuelc"},{"type":"user_nicename","display_name":"Aashish Kolluri","user_id":43955,"people_section":"Section name 0","alias":"t-akolluri"},{"type":"user_nicename","display_name":"Boris Köpf","user_id":37857,"people_section":"Section name 0","alias":"bokoepf"},{"type":"user_nicename","display_name":"Andrew Paverd","user_id":37902,"people_section":"Section name 0","alias":"anpaverd"},{"type":"guest","display_name":"Mark Russinovich","user_id":591880,"people_section":"Section name 0","alias":""},{"type":"user_nicename","display_name":"Ahmed Salem","user_id":43959,"people_section":"Section name 0","alias":"ahmsalem"},{"type":"user_nicename","display_name":"Rishi Sharma","user_id":44144,"people_section":"Section name 0","alias":"rishisharma"},{"type":"user_nicename","display_name":"Shruti Tople","user_id":39003,"people_section":"Section name 0","alias":"shtople"},{"type":"user_nicename","display_name":"Lukas Wutschitz","user_id":38775,"people_section":"Section name 0","alias":"luwutsch"},{"type":"user_nicename","display_name":"Santiago Zanella-B\u00e9guelin","user_id":33518,"people_section":"Section name 0","alias":"santiago"}],"msr_research_lab":[],"msr_impact_theme":[],"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project\/1145874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-project"}],"version-history":[{"count":10,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project\/1145874\/revisions"}],"predecessor-version":[{"id":1168918,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project\/1145874\/revisions\/1168918"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/1147556"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=1145874"}],"wp:term":[{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=1145874"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=1145874"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=1145874"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=1145874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}