These are not prompt problems. They are execution-boundary problems.
The common failure chain is simple: manipulated input reaches the agent, the agent treats that payload as trusted intent, a tool or action path stays live, and nothing independently authorizes execution at the boundary.
A2SPA inserts a cryptographic authorization check exactly where these incidents fail: right before the tool, transfer, browser action, or downstream system executes.
1. Bind authority to the payload
Each execution envelope is signed and tied to a specific actor, agent, action, scope, version, and expiry window.
2. Verify at execution time
The runtime checks signature, identity, policy, and allowed action before the tool call runs. Model output alone is never enough.
3. Reject replay and tampering
Nonce, timestamp, and integrity checks stop reused payloads, mutated parameters, and out-of-window actions.
4. Keep identity and version bound
The action remains bound to the approved identity, agent build, and permission set, which closes spoofing and misbinding gaps.
5. Produce proof, not assumptions
Every allow or deny decision leaves a verifiable artifact proving who approved what and why execution was permitted or blocked.
If verification fails, execution does not happen. That is the difference between guidance around prompts and control at the execution boundary.