9.1 AI-enabled drug formula acquisition evaluation

Motivation

Pharmaceutical companies face a bilateral information hazard in M&A and licensing:

Acquirers seek to expand portfolios but cannot reveal which therapeutic areas, mechanisms, or development stages interest them—disclosure invites competitive preemption and price inflation.
Sellers hold proprietary molecules, formulations, and trial data they cannot expose without protection—leakage destroys competitive advantage and may violate regulatory obligations.

Both parties benefit from discovering high-value matches. Neither can move first without exposing strategic intent.

The system-level goal: maximize match discovery while minimizing information leakage to non-matching parties and external observers.

This is a high-trust coordination problem. Efficiency requires assuming counterparties will not exfiltrate query patterns or response characteristics. The regime must make that assumption safe by construction.

Trust assumptions required

Query confidentiality: an acquirer's interest profile is not revealed to sellers who do not match, nor inferred from interaction patterns.
Asset confidentiality: a seller's molecular portfolio is not revealed to acquirers who do not match, nor reconstructable from query responses.
Match symmetry: a match is disclosed only when both parties' criteria are satisfied; unilateral interest remains hidden.
Interaction opacity: external observers (including the protocol operator) cannot infer match/no-match from interaction metadata.

Architecture

Participants

Acquirer agent ( $A$ ): operates under acquirer's instruction set, holds acquirer's interest profile.
Seller agent ( $S$ ): operates under seller's instruction set, holds seller's asset descriptors.
Protocol envelope ( $P$ ): mediates interaction, enforces interface constraints, manages logging and arbitration.

Agent instruction sets

Each party provides their agent with two instruction modules:

Acquirer instruction set:

    outgoing_query_policy:
  - permitted_attributes: [therapeutic_area, mechanism_class, development_stage, geographic_rights]
  - prohibited_attributes: [specific_target_names, internal_project_codes, budget_ranges]
  - abstraction_level: "categorical, not specific"
  - max_refinement_rounds: 3

incoming_response_policy:
  - accept: [match_signal, abstracted_asset_summary, next_step_proposal]
  - reject: [raw_molecular_structure, patient_data, unpublished_trial_results]
  - on_violation: terminate_and_log

Seller instruction set:

    incoming_query_policy:
  - permitted_query_types: [categorical_interest, stage_filter, rights_scope]
  - prohibited_query_types: [structure_enumeration, synthesis_pathway, cost_of_goods]
  - response_granularity: "portfolio-level, not asset-level until match confirmed"

outgoing_response_policy:
  - on_match: release [asset_category, development_stage, rights_available]
  - on_no_match: release [null_response] # indistinguishable from match by design
  - prohibited_disclosure: [specific_structures, trial_endpoints, manufacturing_details]

Protocol interface shape

The protocol envelope enforces interaction constraints via a structured configuration:

    protocol_config:
  session:
    session_id: <uuid>
    initiated_by: <acquirer_id | seller_id>
    counterparty: <anonymized_id>
    
  confidentiality:
    storage_policy: "ephemeral" | "encrypted_persistent" | "none"
    allow_logging: true | false
    log_encryption: 
      scheme: "dual_key"  # decryptable only with both parties' private keys
      escrow: <arbiter_public_key>  # optional: allows arbitration decryption
    
  timing:
    min_session_duration: 180s
    max_session_duration: 600s
    duration_distribution: "normal"
    duration_mean: 360s
    duration_stddev: 60s
    # sessions always run to sampled duration regardless of match outcome
    
  message_constraints:
    max_rounds: 10
    min_rounds: 5  # prevents early-termination inference
    message_size_normalization: true  # pad/truncate to fixed size
    
  arbitration:
    arbitration_type: "pre_agreed_instructions" | "third_party_arbiter" | "cryptographic_verification"
    arbiter_id: <arbiter_public_key> | null
    arbitration_trigger: "mutual_request" | "unilateral_claim" | "automatic_on_dispute_flag"
    arbitration_scope: ["protocol_violation", "disclosure_breach", "match_integrity"]
    
  termination:
    on_completion: "mutual_confirmation" | "timeout" | "violation_detected"
    post_session_retention: 0s | 86400s | "until_arbitration_resolved"

Interaction opacity mechanisms

Duration normalization

Interaction duration leaks information: short sessions suggest no mutual interest; long sessions suggest active negotiation.

Countermeasure: all sessions run to a duration sampled from a fixed distribution, regardless of actual content.

    actual_exchange_complete: t = 45s
sampled_duration: T ~ Normal(360s, 60s) = 382s
padding_required: 382s - 45s = 337s

# Agents continue exchanging null-content messages until T elapsed
# Message cadence and size remain constant throughout

Message size normalization

Variable message sizes leak information about response complexity.

Countermeasure: all messages are padded or chunked to fixed size.

Round count normalization

Early termination signals lack of interest.

Countermeasure: minimum round count enforced; agents exchange structured null-content if negotiation concludes early.

Arbitration mechanisms

Type 1: Pre-agreed instruction arbitration

Both parties submit signed arbitration instructions at session initiation:

    arbitration_instructions:
  acquirer_signed:
    violation_definitions:
      - "seller disclosed structure before match confirmation"
      - "seller retained query logs beyond session"
    remedies:
      - "session void, no further contact for 180 days"
      - "liquidated damages per agreement"
      
  seller_signed:
    violation_definitions:
      - "acquirer attempted structure enumeration"
      - "acquirer queried beyond permitted attributes"
    remedies:
      - "session void, acquirer blacklisted"
      - "notification to industry consortium"

On dispute:

Disputing party invokes arbitration.
Composite decryption key (requiring both parties' private keys + arbiter key) unlocks session log.
Arbiter evaluates log against pre-agreed violation definitions.
Remedy is executed per signed instructions.

Type 2: Third-party arbiter

Arbiter is a designated neutral (industry body, specialized firm, or protocol-affiliated adjudicator).

Arbiter holds no session data until invoked. Upon invocation:

Both parties release their key shares to arbiter.
Arbiter decrypts and reviews exchange.
Arbiter issues binding determination per protocol rules.
Determination is logged (outcome only, not content) to protocol audit trail.

Type 3: Cryptographic verification

For specific violation types, cryptographic proofs substitute for content disclosure:

Zero-knowledge proof of policy compliance: agent proves its messages satisfied instruction constraints without revealing message content.
Commitment verification: agent committed to instruction set at session start; proof that executed instructions matched commitment.

This allows dispute resolution for certain classes (e.g., "did agent follow its declared policy?") without exposing the exchange.

Additional protocol principles illustrated

1. Capability attenuation

Agents operate with minimal authority:

    agent_capabilities:
  network: [protocol_endpoint_only]
  storage: [session_ephemeral_only]
  cryptographic: [sign, verify, encrypt_to_counterparty]
  prohibited: [external_api_calls, persistent_storage, self_modification]

Agents cannot exfiltrate because they lack the capability, not because they are trusted not to.

2. Symmetric uncertainty

Neither party can determine match status before mutual disclosure:

Acquirer cannot infer "seller has relevant assets" from response latency or structure.
Seller cannot infer "acquirer is interested in my area" from query specificity.

Match signal is released atomically to both parties or neither.

3. Verifiable instruction commitment

Each party commits to their instruction set before interaction:

    commitment:
  acquirer: H(acquirer_instructions || nonce_a)
  seller: H(seller_instructions || nonce_s)

Post-session, parties can optionally reveal instructions to verify commitment. This enables:

Reputation systems: "this party's agents consistently follow declared policies."
Arbitration efficiency: disputes can check instruction compliance without full content review.

4. Graduated disclosure

Match confirmation triggers graduated release, not full disclosure:

    disclosure_stages:
  stage_0_no_match: [null]
  stage_1_match_confirmed: [asset_category, stage, rights_type]
  stage_2_mutual_interest: [abstract_summary, contact_pathway]
  stage_3_formal_diligence: [exits_protocol, enters_standard_NDA_regime]

The protocol handles only early-stage matching. Detailed diligence occurs outside the protocol under conventional legal frameworks.

5. Collusion resistance

The protocol must resist:

Operator collusion: protocol operator cannot access content (dual-key encryption).
Counterparty collusion: a malicious counterparty gains only what the protocol permits; no side-channel amplification.
Temporal collusion: accumulated sessions do not leak more than individual sessions (no cross-session correlation by operator).

    collusion_resistance:
  operator_access: "ciphertext_only"
  session_linkability: "unlinkable_by_default"  # acquirer uses fresh pseudonyms per session
  cross_session_inference: "prevented_by_duration_and_size_normalization"

Failure modes and mitigations

Trust assumption	Violation mode	Detection	Containment	Recovery
Query confidentiality	Acquirer agent leaks interest profile	Counterparty reports anomalous external contact	Session void; acquirer blacklisted	Reputation penalty; consortium notification
Asset confidentiality	Seller agent leaks portfolio	Market surveillance; whistleblower	Session void; seller blacklisted	Legal remedies under pre-agreed terms
Match symmetry	Agent signals match unilaterally	Cryptographic commitment mismatch	Session void	Arbitration per Type 1 or 2
Interaction opacity	Duration/size normalization bypassed	Protocol monitor detects deviation	Session flagged; agent suspended	Agent re-certification required
Instruction compliance	Agent deviates from committed instructions	Post-hoc verification against commitment	Arbitration triggered	Reputation penalty; possible exclusion

Collapse scenario

Trigger: A seller's agent is compromised. It begins logging acquirer query patterns and selling them to a competitor.

Propagation:

Acquirers notice strategic preemption in unrelated deals.
Suspicion falls on the protocol.
Acquirers reduce query specificity, degrading match quality.
Sellers receive fewer actionable matches, reducing participation.
Protocol utility collapses.

Architectural response:

Routine audits of agent behavior via zero-knowledge compliance proofs.
Capability enforcement: agents cannot transmit to non-protocol endpoints.
Anomaly detection: statistical monitoring for correlation between protocol sessions and external market events.
Rapid exclusion: compromised party is removed; unaffected sessions continue.

The regime survives because violation is detectable, attributable, and containable—trust assumptions were scoped to sessions, not to the protocol as a whole.

Connection to core invariants

This example instantiates:

Scoped assumptions: trust applies per-session, per-counterparty, per-instruction-set.
Compositional validity: bilateral sessions compose without cross-session leakage.
Cost asymmetry: compliance is cheap (follow instructions); deviation is expensive (exclusion, reputation, legal).
Failure localization: a compromised session does not invalidate unrelated sessions.
Reversion capability: the protocol can tighten (reduce disclosure stages, increase verification) without shutdown.

The protocol is a high-trust regime because it makes the efficiency-enabling assumptions (confidentiality, opacity, match symmetry) safe by construction—not by relying on participant goodwill.