EPS
← All batches·2605.11003

The Authorization-Execution Gap Is a Major Safety and Security Problem in Open-World Agents

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Baoyuan Wu, Qingshan Liu, Adel Bibi et al.

arXiv · PDF

Summary

This position paper argues that the Authorization-Execution Gap (AEG)—the divergence between what a user intends to authorize and what an open-world agent actually executes—is a major safety and security problem. Because agents act autonomously across tools, persistent state, and multi-agent handoffs, small authorization divergences can cause irreversible harm. The authors trace observed failures to three structural sources: delegation-level incompleteness (incomplete task specification), channel-level corruption (prompt injection or data poisoning), and composition-level fragmentation (handoffs across agents or tools that lose context). They argue that defenses must diagnose the structural source during execution, not just filter upfront or audit afterward, and that papers should report process-level evidence of where AEG was detected and attributed, not just outcome metrics.

Main takeaways:

  • The Authorization-Execution Gap (AEG) is the divergence between what a user intends to authorize and what an agent executes; small gaps can cause irreversible harm in open-world agents.
  • Three structural sources: delegation-level incompleteness (incomplete task spec), channel-level corruption (injection/poisoning), and composition-level fragmentation (handoffs losing context).
  • The same observed failure can arise from any source, so symptom-targeted defenses don't address the underlying cause without source-oriented diagnosis.
  • Defenses should check authorization integrity during execution, not just filter upfront or audit afterward, because AEG arises dynamically.
  • Papers on open-world agents should report process-level evidence (where AEG was detected and attributed) alongside outcome metrics like task success or attack resistance.

Relevance

Directly relevant: the Authorization-Execution Gap is essentially a mismatch between the intended conditioning (persona/task) and the executed behavior. My work on persona installation, leakage, and conditional behavior is investigating the same underlying mechanism—when and how does the model's behavior diverge from the intended persona or prompt? The three structural sources (delegation, channel, composition) map cleanly onto how I think about persona localization, marker leakage, and cross-context transfer.

Threat model

Potential threat/caveat for clean result "Training a [ZLT] persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses failure, failures.

Abstract

arXiv:2605.11003v1 Announce Type: new Abstract: This position paper argues that the Authorization-Execution Gap (AEG) is a major safety and security problem in open-world agents. The AEG is the divergence between what a principal intends to authorize and what an open-world agent ultimately executes. Because such agents act autonomously across tools, persistent state, and multi-agent handoffs, even small instances of authorization divergence can cause harm that is difficult or impossible to undo. We argue that many observed agent failures can be traced to three structural sources of AEG: delegation-level incompleteness, channel-level corruption, and composition-level fragmentation. The same observed failure may arise from any of these sources. Without identifying the source, a defense targeting the symptom alone cannot address the underlying cause. Agent safety and security should therefore emphasize source-oriented diagnosis and defense. Because the structural sources of AEG arise dynamically during execution, this approach necessarily requires authorization integrity checks applied during execution, rather than relying solely on one-shot upfront filtering or post-hoc audit. For NeurIPS, the implication is that papers on open-world agents should report not only outcome-level metrics such as task success or attack resistance, but also process-level evidence showing where AEG was detected, constrained, and attributed to a structural source during execution.