EPS
← All batches·2605.11039

The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Linfeng Fan, Ziwei Li, Yuan Tian et al.

arXiv · PDF

Summary

PACT (Provenance-Aware Capability Contracts) addresses a granularity mismatch in agent security: existing defenses mediate trust at the whole-tool-call level, but indirect prompt injection becomes dangerous only when untrusted content determines an authority-bearing argument (like a file path or command). PACT assigns semantic roles to each tool argument, tracks where each value came from across replanning steps, and checks whether the origin satisfies that argument's trust contract. This achieves 100% security on diagnostic suites while recovering 38-46% utility (8-16 points above the baseline CaMeL) on full AgentDojo deployments.

Main takeaways:

  • The problem isn't untrusted content appearing in context—it's untrusted content controlling authority-bearing arguments like destinations, commands, or file paths
  • PACT tracks value provenance (where did this argument's value come from?) and checks it against semantic role contracts (what level of trust does this argument position require?)
  • Under oracle provenance, achieves perfect utility and security; in real deployments, hits 100% security on top models while recovering substantially more utility than invocation-level monitors
  • Both semantic roles and cross-step provenance tracking are necessary—ablations show you can't remove either component
  • Reframes agent security as an authority-binding problem and isolates the remaining bottleneck to provenance inference and contract synthesis

Relevance

Potentially relevant to my conditional behavior and persona work—this is fundamentally about tracking where information comes from and how that origin affects what the model does with it, which connects to my questions about how context markers and prompts conditionally trigger behaviors. The idea that different argument positions have different trust requirements maps loosely onto how different persona contexts might activate different behaviors, though PACT focuses on security rather than persona installation mechanisms.

Threat model

Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses negative.

Abstract

arXiv:2605.11039v1 Announce Type: new Abstract: Tool-using LLM agents must act on untrusted webpages, emails, files, and API outputs while issuing privileged tool calls. Existing defenses often mediate trust at the granularity of an entire tool invocation, forcing a brittle choice in mixed-trust workflows: allow external content to influence a call and risk hijacked destinations or commands, or quarantine the call and block benign retrieval-then-act behavior. The key observation behind this paper is that indirect prompt injection becomes dangerous not when untrusted content appears in context, but when it determines an authority-bearing argument. We present \textsc{PACT} (\emph{Provenance-Aware Capability Contracts}), a runtime monitor that assigns semantic roles to tool arguments, tracks value provenance across replanning steps, and checks whether each argument's origin satisfies its role-specific trust contract. Under oracle provenance, \textsc{PACT} achieves 100% utility and 100% security on mixed-trust diagnostic suites, while flat invocation-level monitors incur false positives or false negatives. In full AgentDojo deployments across five models, \textsc{PACT} reaches 100% security on the three strongest models while recovering 38.1--46.4% utility, 8--16 percentage points above CaMeL at the same security level. Ablations show that both semantic roles and cross-step provenance are necessary. \textsc{PACT} reframes agent security as authority binding, and isolates the remaining deployment bottleneck to provenance inference and contract synthesis.