Privacy-Preserving Federated Learning Architecture for Multi-Tenant AI Agent Systems
draft-kale-agntcy-federated-privacy-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Field | Value |
|---|---|
| Type | Active Internet-Draft (individual) |
| Author | Nik Kale |
| Last updated | 2026-01-07 |
| RFC stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | I-D Exists |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
Network Working Group                                            N. Kale
Internet-Draft                                             Cisco Systems
Intended status: Informational                              January 2026
Expires: July 2026
Privacy-Preserving Federated Learning Architecture for
Multi-Tenant AI Agent Systems
draft-kale-agntcy-federated-privacy-00
Abstract
This document specifies a reference architecture for privacy-
preserving federated learning in multi-tenant AI agent deployments.
It addresses the challenge of enabling collaborative model training
across organizational boundaries while maintaining formal privacy
guarantees and tenant data isolation. The architecture combines
federated averaging, differential privacy mechanisms, and secure
aggregation to enable cross-tenant knowledge transfer without
exposing sensitive behavioral data.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 7, 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Kale Informational [Page 1]
Internet-Draft Federated Learning for Agents January 2026
Table of Contents
1. Introduction
  1.1. Relationship to AI Agent Protocol Work
2. Terminology
3. Problem Statement
4. Architecture Overview
  4.1. System Components
  4.2. Data Flow
  4.3. Trust Model
5. Federated Learning Protocol
  5.1. Initialization
  5.2. Local Training Phase
  5.3. Aggregation Phase
  5.4. Weighting Strategies
6. Privacy Mechanisms
  6.1. Differential Privacy Definition
  6.2. Gaussian Mechanism
  6.3. Privacy Budget Allocation
  6.4. Gradient Clipping
7. Security Considerations
  7.1. Threat Model
  7.2. Attacks Not Addressed
  7.3. Extensions for Stronger Security
  7.4. Compliance Considerations
8. IANA Considerations
9. References
  9.1. Normative References
  9.2. Informative References
Appendix A. Example Configuration
Author's Address
1. Introduction
AI agent systems increasingly operate in multi-tenant enterprise
environments where behavioral data from user interactions could
improve system performance through machine learning. However,
centralizing such data across organizational boundaries conflicts
with privacy regulations (GDPR, HIPAA, CCPA), contractual data
isolation requirements, and enterprise security policies.
This document specifies a federated learning architecture that
enables collaborative model training while ensuring:
o Tenant data isolation: Raw behavioral data never leaves tenant
boundaries
o Formal privacy guarantees: Differential privacy bounds
information leakage
o Regulatory compliance: Architecture supports GDPR, HIPAA, and
CCPA requirements
o Scalable deployment: Protocol supports large numbers of tenants
with heterogeneous data distributions
The architecture applies broadly to any multi-tenant machine
learning deployment requiring privacy preservation, with particular
relevance to AI agent systems operating across organizational
boundaries. This work builds on foundational research in federated
learning [McMahan17] and differential privacy [Dwork14] [Abadi16],
as well as recent advances addressing open problems in the field
[Kairouz21] [Wang23].
1.1. Relationship to AI Agent Protocol Work
This document complements ongoing work on AI agent protocols at the
IETF, including frameworks for agent communication [Rosenberg25]
and secure messaging for agentic AI [SLIM25]. The privacy-
preserving aggregation mechanisms specified here address federated
learning requirements that arise when AI agents operate across
organizational boundaries and must learn from distributed behavioral
data without centralizing sensitive information.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Aggregation Server: A central coordinator that receives model
updates from tenants and computes aggregated models.
Differential Privacy (DP): A mathematical framework providing
formal bounds on information leakage from statistical queries.
Federated Learning (FL): A machine learning approach where model
training occurs on decentralized data without centralizing the
data itself.
Local Model: A model trained on a single tenant's data.
Global Model: An aggregated model computed from multiple local
model updates.
Privacy Budget: Parameters (epsilon, delta) that quantify the
privacy guarantee provided by differential privacy mechanisms.
Tenant: An organizational entity with isolated data and computing
resources within a multi-tenant deployment.
3. Problem Statement
Consider an AI agent system deployed across N organizational
tenants. Each tenant generates behavioral data from user
interactions with the agent. The system operator wishes to:
1. Train personalization models that adapt to user behavior
2. Leverage patterns across tenants to improve model quality
3. Maintain strict tenant data isolation
4. Comply with privacy regulations
Traditional centralized machine learning requires aggregating data
from all tenants, violating requirements 3 and 4. Purely local
training (each tenant trains independently) satisfies isolation but
sacrifices the benefits of cross-tenant learning (requirement 2).
This document specifies an architecture that satisfies all four
requirements through federated learning with differential privacy.
4. Architecture Overview
4.1. System Components
The architecture comprises the following components, illustrated in
Figure 1:
o Local Data stores residing within each tenant boundary
o Local Model training infrastructure at each tenant
o Differential Privacy (DP) noise injection modules
o A central Aggregation Server for computing global model updates
+------------------+   +------------------+   +------------------+
|     Tenant A     |   |     Tenant B     |   |     Tenant C     |
|  +------------+  |   |  +------------+  |   |  +------------+  |
|  | Local Data |  |   |  | Local Data |  |   |  | Local Data |  |
|  +-----+------+  |   |  +-----+------+  |   |  +-----+------+  |
|        |         |   |        |         |   |        |         |
|  +-----v------+  |   |  +-----v------+  |   |  +-----v------+  |
|  |Local Model |  |   |  |Local Model |  |   |  |Local Model |  |
|  +-----+------+  |   |  +-----+------+  |   |  +-----+------+  |
|        |         |   |        |         |   |        |         |
|  +-----v------+  |   |  +-----v------+  |   |  +-----v------+  |
|  |  DP Noise  |  |   |  |  DP Noise  |  |   |  |  DP Noise  |  |
|  +-----+------+  |   |  +-----+------+  |   |  +-----+------+  |
+--------+---------+   +--------+---------+   +--------+---------+
         |                      |                      |
         +----------------------+----------------------+
                                |
                     +----------v-----------+
                     |  Aggregation Server  |
                     |  (Computes Global    |
                     |   Model Updates)     |
                     +----------+-----------+
                                |
         +----------------------+----------------------+
         |                      |                      |
+--------v---------+   +--------v---------+   +--------v---------+
|     Tenant A     |   |     Tenant B     |   |     Tenant C     |
| Receives Global  |   | Receives Global  |   | Receives Global  |
|   Model Update   |   |   Model Update   |   |   Model Update   |
+------------------+   +------------------+   +------------------+
Figure 1: Federated Architecture
4.2. Data Flow
1. Each tenant trains a local model on tenant-specific data
2. Model updates (not raw data) are computed
3. Differential privacy noise is added to updates
4. Noisy updates are transmitted to aggregation server
5. Server computes weighted average of updates
6. Global model is distributed back to tenants
7. Process repeats for specified number of rounds
4.3. Trust Model
The architecture assumes:
o Aggregation server is honest-but-curious: It follows the
protocol correctly but may attempt to infer information from
received updates
o Tenants are honest: They train models correctly and do not
attempt to poison the global model
o Communication channels are secure: TLS protects updates in
transit
Section 7 discusses extensions for stronger threat models.
5. Federated Learning Protocol
This section specifies the federated learning protocol in detail.
The protocol follows the FedAvg algorithm structure with
modifications for differential privacy.
5.1. Initialization
The aggregation server MUST:
1. Generate initial global model parameters theta_0
2. Distribute theta_0 to all participating tenants
3. Specify privacy budget (epsilon, delta) for the training session
4. Specify number of training rounds T
5.2. Local Training Phase
For each round t, each tenant i MUST:
1. Receive current global model theta_t from aggregation server
2. Train local model on tenant data for E local epochs:
theta_i = LocalTrain(theta_t, D_i, E)
3. Compute model update: delta_i = theta_i - theta_t
4. Clip update to bound sensitivity:
delta_i_clipped = Clip(delta_i, C) where C is the clipping bound
5. Add Gaussian noise for differential privacy:
delta_i_dp = delta_i_clipped + N(0, sigma^2 * I)
6. Transmit delta_i_dp to aggregation server
5.3. Aggregation Phase
The aggregation server MUST:
1. Receive noisy updates {delta_1_dp, ..., delta_n_dp} from tenants
2. Compute weighted average:
delta_global = sum(w_i * delta_i_dp) where sum(w_i) = 1
3. Update global model: theta_{t+1} = theta_t + delta_global
4. Distribute theta_{t+1} to all tenants
5.4. Weighting Strategies
Tenant weights w_i MAY be computed based on:
o Population size: Larger tenants contribute proportionally more
o Data quality: Tenants with lower-variance updates receive higher
weight
o Equal weighting: w_i = 1/n for all tenants
The specific weighting strategy SHOULD be documented in the
deployment configuration.
6. Privacy Mechanisms
6.1. Differential Privacy Definition
A mechanism M satisfies (epsilon, delta)-differential privacy if
for all datasets D and D' differing in one record, and all output
sets S:
Pr[M(D) in S] <= e^epsilon * Pr[M(D') in S] + delta
6.2. Gaussian Mechanism
The Gaussian mechanism achieves (epsilon, delta)-DP by adding
zero-mean Gaussian noise whose standard deviation sigma satisfies:
sigma >= C * sqrt(2 * ln(1.25/delta)) / epsilon
where C is the L2 sensitivity bound (clipping threshold).
6.3. Privacy Budget Allocation
For T training rounds with subsampling rate q, the total privacy
budget follows composition theorems. Implementations SHOULD use
advanced composition or Renyi differential privacy accounting for
tighter bounds.
Recommended privacy parameters for enterprise deployments:
epsilon: 1.0 to 10.0 (depending on data sensitivity)
delta: 1/n where n is the minimum tenant population size
C (clipping bound): Determined empirically based on gradient
norms
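Added example (not part of the draft): how a session budget divides across T rounds under basic composition and under the advanced composition theorem in [Dwork14]. Treating the Appendix A epsilon and delta as the session budget, and splitting delta evenly between the per-round terms and the composition slack, are assumptions of this example; amplification from the subsampling rate q is not modeled.

```python
import math

def basic_total(eps_round, delta_round, rounds):
    """Basic composition: epsilons and deltas add up across rounds."""
    return rounds * eps_round, rounds * delta_round

def advanced_total(eps_round, delta_round, rounds, delta_slack):
    """Advanced composition: T mechanisms that are each (eps, delta)-DP
    compose to (eps_total, T * delta + delta_slack)-DP."""
    eps_total = (math.sqrt(2.0 * rounds * math.log(1.0 / delta_slack)) * eps_round
                 + rounds * eps_round * (math.exp(eps_round) - 1.0))
    return eps_total, rounds * delta_round + delta_slack

def per_round_budget(eps_session, delta_session, rounds):
    """Largest per-round epsilon that keeps the whole session within budget.

    Assumption of this example: half of delta_session is spent on the
    composition slack and the other half is divided evenly over the rounds.
    """
    delta_slack = delta_session / 2.0
    delta_round = delta_session / (2.0 * rounds)
    lo, hi = 0.0, eps_session          # advanced_total is increasing in epsilon
    for _ in range(100):               # bisection on the per-round epsilon
        mid = (lo + hi) / 2.0
        if advanced_total(mid, delta_round, rounds, delta_slack)[0] <= eps_session:
            lo = mid
        else:
            hi = mid
    # Basic composition is always valid as well, so take the better of the two.
    return max(lo, eps_session / rounds), delta_round

if __name__ == "__main__":
    # Appendix A values: rounds=100, epsilon=3.0, delta=1e-6.
    eps_r, delta_r = per_round_budget(3.0, 1e-6, 100)
    print("per-round epsilon, delta:", eps_r, delta_r)
    # Running every round at the full budget instead composes to:
    print("naive session total:", basic_total(3.0, 1e-6, 100))
```

The per-round epsilon is what goes into the Section 6.2 noise bound, not the session value.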
6.4. Gradient Clipping
Before noise addition, model updates MUST be clipped:
delta_clipped = delta * min(1, C / ||delta||_2)
This bounds the sensitivity of individual data points, enabling
precise privacy accounting.
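Added example (not part of the draft): one protocol round in plain Python, covering Section 5.2 steps 3-5, Section 5.3 steps 2-3, the Section 6.2 noise bound and the Section 6.4 clipping rule. The local models, tenant populations and per-round epsilon are constructed values; the clipping bound of 1.0 is the one in Appendix A.

```python
import math
import random

def gaussian_sigma(clip_c, epsilon, delta):
    """Section 6.2: smallest sigma the stated bound allows.
    The classical proof of this bound in [Dwork14] assumes epsilon < 1."""
    return clip_c * math.sqrt(2.0 * math.log(1.25 / delta)) / epsilon

def clip_update(update, clip_c):
    """Section 6.4: delta * min(1, C / ||delta||_2); a zero update is unchanged."""
    norm = math.sqrt(sum(x * x for x in update))
    scale = 1.0 if norm == 0.0 else min(1.0, clip_c / norm)
    return [x * scale for x in update]

def tenant_update(theta_i, theta_t, clip_c, sigma, rng):
    """Section 5.2 steps 3-5: difference, clip, add N(0, sigma^2) per coordinate."""
    delta_i = [a - b for a, b in zip(theta_i, theta_t)]
    return [x + rng.gauss(0.0, sigma) for x in clip_update(delta_i, clip_c)]

def population_weights(sizes):
    """Section 5.4, population size option: w_i proportional to tenant size."""
    total = float(sum(sizes))
    return [s / total for s in sizes]

def aggregate(theta_t, noisy_updates, weights):
    """Section 5.3 steps 2-3: weighted average of the updates, then model update."""
    if not noisy_updates or len(noisy_updates) != len(weights):
        raise ValueError("need one weight per update")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    if any(len(u) != len(theta_t) for u in noisy_updates):
        raise ValueError("update dimension does not match the model")
    delta_global = [sum(w * u[k] for w, u in zip(weights, noisy_updates))
                    for k in range(len(theta_t))]
    return [t + d for t, d in zip(theta_t, delta_global)]

if __name__ == "__main__":
    # Fixed seed for a repeatable demo only; real noise needs a secure RNG.
    rng = random.Random(7)
    theta_t = [0.0, 0.0, 0.0]
    # Constructed locally trained models and tenant populations.
    local_models = [[3.0, 4.0, 0.0], [0.3, -0.2, 0.1], [0.5, 0.5, 0.5]]
    sizes = [1000, 3000, 6000]
    # Constructed per-round budget; C = 1.0 as in Appendix A.
    sigma = gaussian_sigma(clip_c=1.0, epsilon=0.5, delta=1e-6)
    updates = [tenant_update(m, theta_t, 1.0, sigma, rng) for m in local_models]
    print("sigma:", round(sigma, 4))
    print("theta_t+1:", aggregate(theta_t, updates, population_weights(sizes)))
```

Because each tenant adds independent noise, the averaged update carries noise with standard deviation sigma * sqrt(sum(w_i^2)), so accuracy depends on how many tenants take part in a round.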
7. Security Considerations
7.1. Threat Model
This architecture protects against:
o Honest-but-curious aggregation server attempting to infer tenant
data from model updates
o External attackers observing aggregated models
o Membership inference attacks against the global model
7.2. Attacks Not Addressed
The basic architecture does NOT protect against:
o Malicious tenants submitting poisoned updates
o Collusion between aggregation server and tenants
o Model inversion attacks against the final trained model
7.3. Extensions for Stronger Security
7.3.1. Secure Aggregation
To protect against curious aggregation servers, implementations MAY
use secure aggregation protocols where the server learns only the
sum of updates, not individual tenant contributions. See
[Bonawitz17] for protocol details.
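Added example (not part of the draft): a simplified illustration of the pairwise-masking idea behind secure aggregation, where each pair of tenants shares a mask that one adds and the other subtracts, so the masks cancel in the server's sum. It is not the [Bonawitz17] protocol: key agreement and dropout recovery are omitted, the pair seeds and updates are constructed, and the modulus and fixed-point scale are assumptions of this example.

```python
import random

MODULUS = 2 ** 32      # assumption: arithmetic is done modulo 2^32
SCALE = 10 ** 4        # assumption: fixed-point encoding, 4 decimal places

def encode(update):
    """Map real-valued coordinates to integers mod MODULUS."""
    return [round(x * SCALE) % MODULUS for x in update]

def decode(total):
    """Map a summed integer vector back to reals; high values are negatives."""
    return [((v - MODULUS) if v >= MODULUS // 2 else v) / SCALE for v in total]

def pair_mask(seed, dim):
    """Mask both tenants of a pair derive from their shared seed.
    random.Random stands in for a cryptographic PRG here."""
    rng = random.Random(seed)
    return [rng.randrange(MODULUS) for _ in range(dim)]

def mask_update(tenant, update, pair_seeds):
    """Tenant side: add the pair mask when this tenant is the lower-numbered
    member of the pair, subtract it otherwise."""
    masked = encode(update)
    for (a, b), seed in pair_seeds.items():   # keys are (a, b) with a < b
        if tenant not in (a, b):
            continue
        sign = 1 if tenant == a else -1
        mask = pair_mask(seed, len(update))
        masked = [(m + sign * k) % MODULUS for m, k in zip(masked, mask)]
    return masked

def server_sum(masked_updates):
    """Server side: sum what was received; the pairwise masks cancel."""
    dim = len(masked_updates[0])
    return decode([sum(u[k] for u in masked_updates) % MODULUS
                   for k in range(dim)])

if __name__ == "__main__":
    # Constructed noisy updates for tenants 0, 1, 2 and constructed pair seeds.
    updates = {0: [0.12, -0.40], 1: [-0.05, 0.31], 2: [0.20, 0.02]}
    pair_seeds = {(0, 1): 101, (0, 2): 202, (1, 2): 303}
    masked = [mask_update(t, u, pair_seeds) for t, u in updates.items()]
    print(masked[0])            # what the server sees from tenant 0
    print(server_sum(masked))   # equals the plain sum of the three updates
```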
7.3.2. Byzantine Fault Tolerance
To protect against malicious tenants, implementations MAY use
Byzantine-resilient aggregation methods such as coordinate-wise
median or trimmed mean.
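Added example (not part of the draft): coordinate-wise median and trimmed mean next to the equal-weight mean of Section 5.3, run on constructed updates in which one tenant's update is far from the others while still inside a clipping bound of C = 1.0. The trim count of one value per side is an assumption of this example.

```python
import statistics

def coordinate_mean(updates):
    """Equal-weight average (Section 5.4, w_i = 1/n)."""
    return [statistics.fmean(col) for col in zip(*updates)]

def coordinate_median(updates):
    """Median of each coordinate taken across tenants."""
    return [statistics.median(col) for col in zip(*updates)]

def trimmed_mean(updates, trim):
    """Drop the `trim` smallest and largest values per coordinate, average the rest."""
    n = len(updates)
    if trim < 0 or 2 * trim >= n:
        raise ValueError("trim must leave at least one value per coordinate")
    out = []
    for col in zip(*updates):
        kept = sorted(col)[trim:n - trim]
        out.append(sum(kept) / len(kept))
    return out

def max_deviation(a, b):
    """Largest per-coordinate distance between two vectors."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    # Constructed updates: four tenants agree closely, the fifth is far off
    # but its L2 norm (about 0.99) still passes clipping at C = 1.0.
    honest = [[0.10, -0.20], [0.12, -0.18], [0.08, -0.22], [0.11, -0.19]]
    received = honest + [[0.70, 0.70]]
    baseline = coordinate_mean(honest)
    results = {
        "mean": coordinate_mean(received),
        "median": coordinate_median(received),
        "trimmed mean": trimmed_mean(received, trim=1),
    }
    for name, agg in results.items():
        print(name, agg, "deviation:", round(max_deviation(agg, baseline), 4))
```

Clipping caps how far a single update can pull the mean, but only the median and trimmed mean keep the result close to the agreeing tenants here.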
7.4. Compliance Considerations
Implementations targeting GDPR compliance SHOULD:
o Document privacy budget selection rationale
o Maintain audit logs of aggregation operations
o Implement data subject access request procedures
o Specify data retention policies for model checkpoints
8. IANA Considerations
This document has no IANA actions.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174,
DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References
[Abadi16] Abadi, M., Chu, A., Goodfellow, I., McMahan, H.B.,
Mironov, I., Talwar, K., and L. Zhang, "Deep Learning
with Differential Privacy", Proceedings of the 2016 ACM
SIGSAC Conference on Computer and Communications
Security, 2016.
[Bonawitz17]
Bonawitz, K., Ivanov, V., Kreuter, B., Marcedone, A.,
McMahan, H.B., Patel, S., Ramage, D., Segal, A., and K.
Seth, "Practical Secure Aggregation for Privacy-
Preserving Machine Learning", Proceedings of the 2017
ACM SIGSAC Conference on Computer and Communications
Security, 2017.
[Dwork14] Dwork, C. and A. Roth, "The Algorithmic Foundations of
Differential Privacy", Foundations and Trends in
Theoretical Computer Science, Vol. 9, No. 3-4, 2014.
[Kairouz21]
Kairouz, P., McMahan, H.B., Avent, B., et al., "Advances
and Open Problems in Federated Learning", Foundations
and Trends in Machine Learning, Vol. 14, No. 1-2, 2021.
[McMahan17]
McMahan, H.B., Moore, E., Ramage, D., Hampson, S., and
B. Aguera y Arcas, "Communication-Efficient Learning of
Deep Networks from Decentralized Data", Proceedings of
AISTATS, 2017.
[Rosenberg25]
Rosenberg, J. and C. Jennings, "Framework, Use Cases and
Requirements for AI Agent Protocols", Work in Progress,
Internet-Draft, draft-rosenberg-aiproto-framework-00,
October 2025.
[SLIM25] Muscariello, L., Papalini, M., Sardara, S., and S.
Betts, "Secure Low-Latency Interactive Messaging
(SLIM)", Work in Progress, Internet-Draft,
draft-mpsb-agntcy-slim-00, October 2025.
[Wang23] Wang, J., Charles, Z., Xu, Z., Joshi, G., McMahan, H.B.,
et al., "A Field Guide to Federated Optimization",
arXiv:2107.06917, 2023.
Appendix A. Example Configuration
Example deployment configuration for enterprise AI agent system:
{
  "federated_learning": {
    "rounds": 100,
    "local_epochs": 5,
    "learning_rate": 0.01,
    "privacy": {
      "epsilon": 3.0,
      "delta": 1e-6,
      "clipping_bound": 1.0,
      "noise_multiplier": 1.1
    },
    "aggregation": {
      "method": "fedavg",
      "weighting": "population_proportional",
      "min_tenants_per_round": 10
    }
  }
}
Author's Address
Nik Kale
Cisco Systems, Inc.
3700 Cisco Way
San Jose, CA 95134
United States of America
Email: nikkal@cisco.com