AgentGuard: An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent

Geng Hong; Jiaqi Luo; Jiarun Dai; Min Yang; Songyang Peng; Xudong Pan; Yuan Zhang; Zhile Chen; Zhuoxiang Shen

arxiv: 2605.28071 · v1 · pith:EIATM2BDnew · submitted 2026-05-27 · 💻 cs.CR

AgentGuard: An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent

Jiaqi Luo , Songyang Peng , Jiarun Dai , Zhile Chen , Zhuoxiang Shen , Geng Hong , Xudong Pan , Yuan Zhang

show 1 more author

Min Yang

This is my paper

Pith reviewed 2026-06-29 11:50 UTC · model grok-4.3

classification 💻 cs.CR

keywords access controlLLM agentstool useattribute-based access controlagent securityinspection mechanismsclient-server architecture

0 comments

The pith

AgentGuard applies attribute-based access control to LLM tool agents through lightweight client integration and three server-side inspection mechanisms.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents AgentGuard as a framework to address security risks such as privacy leakage and system compromise in LLM-based agents that autonomously invoke tools. It uses a client-server architecture where the client requires only minor code changes of around 10 lines without altering the agent's execution logic, supporting different languages and designs. The server implements three complementary inspection mechanisms that together handle risks from single tools and from sequences of multiple tools. A visual front-end supports policy specification and runtime auditing. If the approach works, agents could run with enforced controls while preserving their original behavior.

Core claim

AgentGuard is an attribute-based access control framework that employs a client-server architecture to enforce security policies on tool invocations by LLM agents, with lightweight client integration and three complementary server-side inspection mechanisms for single-tool and cross-tool risks.

What carries the argument

Three complementary inspection mechanisms on the server side, operating within a client-server architecture that separates policy enforcement from agent execution.

If this is right

Agents can enforce security policies on tool calls without any rewrite of their core execution logic.
Risks from both individual tool uses and combinations across multiple calls become subject to checks.
Security policies can be defined and agent runs can be audited through a visual interface.
The same framework supports agents written in different programming languages with small integration effort.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The client-server separation could allow security updates on the server without touching deployed agents.
Similar inspection patterns might apply to other autonomous systems that interact with external tools or APIs.
If the mechanisms scale, they could reduce reliance on manual review of agent tool sequences in production.

Load-bearing premise

The three inspection mechanisms together cover all relevant security risks without missing combined threats or introducing new vulnerabilities through the integration.

What would settle it

An experiment where an agent using the minimal integration code successfully leaks private data or performs unauthorized actions by evading the three inspection mechanisms.

Figures

Figures reproduced from arXiv: 2605.28071 by Geng Hong, Jiaqi Luo, Jiarun Dai, Min Yang, Songyang Peng, Xudong Pan, Yuan Zhang, Zhile Chen, Zhuoxiang Shen.

**Figure 1.** Figure 1: Architecture of AgentGuard. Our Work. To bridge these gaps, we present AgentGuard, a mandatory access control framework for LLM-based agents. In general, AgentGuard adopts a client-server architecture, where the two components communicate through a network. ❶ On the client side, AgentGuard provides lightweight integration for agents implemented in different programming languages and architectures. It re… view at source ↗

read the original abstract

LLM-based agents have recently attracted significant attention due to their ability to autonomously invoke relevant tools to accomplish complex tasks. However, recent studies have shown that these agents face severe security risks, which may lead to privacy leakage, financial loss, or even full system compromise. In this paper, we present AgentGuard, an attribute-based access control framework for tool-use LLM-based agents. AgentGuard adopts a client-server architecture. On the client side, AgentGuard provides lightweight integration for agents implemented in different programming languages and architectures. It requires only minor code modifications (e.g., around 10 lines) without changing the underlying agent execution logic. On the server side, AgentGuard provides three complementary inspection mechanisms to cover both single-tool and cross-tool security risks in agent execution. In addition, it offers a visualized front-end interface for security policy specification and runtime auditing. Currently, AgentGuard is publicly accessible at https://github.com/WhitzardAgent/AgentGuard.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

AgentGuard is a practical client-server ABAC wrapper for tool-calling LLM agents with light integration hooks, but its value hinges on details of the three inspection mechanisms that the abstract leaves unshown.

read the letter

The main takeaway is that this paper describes a named framework, AgentGuard, that layers attribute-based access control over LLM agents in a client-server split. The client side claims to need only about 10 lines of code and no change to the agent's own logic, while the server runs three inspections meant to catch both single-tool and cross-tool risks, plus a visual policy and audit interface. The code is already on GitHub.

What stands out as useful is the emphasis on minimal friction for adoption. If the integration really stays that small across languages, that lowers the barrier for teams that already have agents running. Releasing the implementation publicly also lets others check the actual code rather than just the description.

The soft spots are around evidence. The abstract gives the architecture but no concrete description of how the three inspections are built, what attributes they check, or any test results against the risks mentioned (privacy leaks, financial loss, compromise). Without that, the claim that they cover single-tool and cross-tool cases stays at the level of design intent. The lightweight integration is attractive only if it does not create new attack surfaces or change behavior in unexpected ways; that would need checking in the full text.

This is for practitioners who are shipping or hardening tool-use agents and want a ready starting point rather than a new theoretical primitive. A reader working on applied agent security could pull ideas or the code itself.

It deserves a serious referee. The problem is timely and the engineering approach is concrete enough to review on its own terms.

Referee Report

0 major / 3 minor

Summary. The paper presents AgentGuard, an attribute-based access control (ABAC) framework for tool-use LLM-based agents. It adopts a client-server architecture with lightweight client-side integration (~10 lines of code) that supports multiple languages and architectures without altering underlying agent execution logic. The server side implements three complementary inspection mechanisms to address single-tool and cross-tool security risks (e.g., privacy leakage, financial loss), accompanied by a visualized front-end for policy specification and runtime auditing. The system is released as open source at a provided GitHub repository.

Significance. If the mechanisms function as described, this is a practical engineering contribution to LLM agent security, a timely area given documented risks of autonomous tool use. The lightweight integration requirement is a clear strength for adoption, as is the open-source release which enables community inspection and extension. The work is presented as a deployable system rather than a formal proof or exhaustive evaluation, which aligns with its scope.

minor comments (3)

[Abstract / Introduction] The abstract and introduction refer to 'three complementary inspection mechanisms' without naming or briefly characterizing them (e.g., what attributes or checks each performs); a short enumeration would improve clarity for readers.
[Client-side integration description] The claim of 'only minor code modifications (e.g., around 10 lines)' would be strengthened by including a concrete code example or diff in the client-integration section.
[Architecture / Evaluation sections] The manuscript would benefit from a table or diagram summarizing the risks addressed by each of the three mechanisms and any measured runtime overhead.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive assessment of AgentGuard as a practical engineering contribution, noting the strengths of lightweight client integration and open-source release. The recommendation for minor revision is appreciated; however, the report lists no specific major comments to address point-by-point.

Circularity Check

0 steps flagged

No significant circularity; self-contained systems description

full rationale

The paper presents an engineering framework (client-server ABAC architecture with lightweight ~10-line integration and three server-side inspection mechanisms) without any mathematical derivations, equations, fitted parameters, or load-bearing self-citations that reduce to prior inputs. The central claims are descriptive of the implemented system and its design choices, which are independently verifiable via the public GitHub repository and do not rely on renaming, self-definition, or uniqueness theorems imported from the authors' prior work. No steps qualify under the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical model, free parameters, or invented entities; the work is an engineering framework relying on standard access control assumptions.

pith-pipeline@v0.9.1-grok · 5720 in / 926 out tokens · 28811 ms · 2026-06-29T11:50:09.720033+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents
cs.CR 2026-06 unverdicted novelty 5.0

A data-centric survey finds that only information-flow control covers compositional and cross-session leakage in LLM agents and that no single benchmark tests an agent across all its data surfaces under one policy.

Reference graph

Works this paper leans on

25 extracted references · 7 canonical work pages · cited by 1 Pith paper · 5 internal anchors

[1]

AI45Lab. 2026. AgentDoG on Github. (2026). https://github.com/AI45Lab/Age ntDoG

2026
[2]

AI45Lab. 2026. ClawSentry on Github. (2026). https://github.com/AI45Lab/Cla wSentry

2026
[3]

Christoph Bühler, Matteo Biagiola, Luca Di Grazia, and Guido Salvaneschi. 2026. AgentBound: Securing Execution Boundaries of AI Agents. InProceedings of the 34th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE), Vol. 3. 24

2026
[4]

Sizhe Chen, Arman Zharmagambetov, Saeed Mahloujifar, Kamalika Chaudhuri, David Wagner, and Chuan Guo. 2025. Secalign: Defending against prompt injection with preference optimization. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. 2833–2847

2025
[5]

Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Car- lini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Flo- rian Tramèr. 2025. Defeating prompt injections by design.arXiv preprint arXiv:2503.18813(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[6]

Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. 2024. Agentdojo: A dynamic environment to eval- uate prompt injection attacks and defenses for llm agents.Advances in Neural Information Processing Systems37 (2024), 82895–82920

2024
[7]

Zimo Ji, Daoyuan Wu, Wenyuan Jiang, Pingchuan Ma, Zongjie Li, Yudong Gao, Shuai Wang, and Yingjiu Li. 2026. Taming Various Privilege Escalation in LLM- Based Agent Systems: A Mandatory Access Control Framework.arXiv preprint arXiv:2601.11893(2026)

work page arXiv 2026
[8]

Changyue Jiang, Xudong Pan, and Min Yang. 2025. Think twice before you act: Enhancing agent behavioral safety with thought correction.arXiv preprint arXiv:2505.11063(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[9]

Juhee Kim, Wenbo Guo, Dawn Song, UC Berkeley, and UC Santa Barbara. 2026. SoK: Attack and Defense Landscape of Agentic AI Systems. In35nd USENIX Security Symposium (USENIX Security 26)

2026
[10]

Evan Li, Tushin Mallick, Evan Rose, William Robertson, Alina Oprea, and Cristina Nita-Rotaru. 2025. Ace: A security architecture for llm-integrated app systems. arXiv preprint arXiv:2504.20984(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[11]

Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Chengyuan Zhou, et al. 2025. Make agent defeat agent: Automatic detection of {Taint-Style} vulnerabilities in {LLM-based} agents. In 34th USENIX Security Symposium (USENIX Security 25). 3767–3786

2025
[12]

Yupei Liu, Yuqi Jia, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. Datasentinel: A game-theoretic detection of prompt injection attacks. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2190–2208

2025
[13]

Jiaqi Luo, Jiarun Dai, Fengyu Liu, Songyang Peng, Youkun Shi, Tong Bu, Geng Hong, Xudong Pan, and Yuan Zhang. 2026. Autonomy Comes with Costs: Detect- ing Denial-of-Service Vulnerabilities Caused by Resource Abusing in LLM-based Agents. In35th USENIX Security Symposium (USENIX Security 26)

2026
[14]

Microsoft. 2026. Agent Governance Toolkit on Github. (2026). https://github.c om/microsoft/agent-governance-toolkit

2026
[15]

OpenAI. 2026. The Official Website of Codex. (2026). https://openai.com/codex/

2026
[16]

Openclaw. 2026. Openclaw on Github. (2026). https://github.com/openclaw/op enclaw

2026
[17]

Tianneng Shi, Jingxuan He, Zhun Wang, Hongwei Li, Linyu Wu, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable privilege control for llm agents. arXiv preprint arXiv:2504.11703(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[18]

Haoyu Wang, Christopher M Poskitt, and Jun Sun. 2025. Agentspec: Cus- tomizable runtime enforcement for safe and reliable llm agents.arXiv preprint arXiv:2503.18666(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[19]

Lei Wang, Chen Ma, Xueyang Feng, Zeyu Zhang, Hao Yang, Jingsen Zhang, Zhiyuan Chen, Jiakai Tang, Xu Chen, Yankai Lin, et al. 2024. A survey on large language model based autonomous agents.Frontiers of Computer Science18, 6 (2024), 186345

2024
[20]

Yifei Wang, Dizhan Xue, Shengjie Zhang, and Shengsheng Qian. 2024. Badagent: Inserting and activating backdoor attacks in llm agents. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 9811–9827

2024
[21]

Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal
[22]

Isolategpt: An execution isolation architecture for llm-based agentic sys- tems.arXiv preprint arXiv:2403.04960(2024)

work page arXiv 2024
[23]

Zhiheng Xi, Wenxiang Chen, Xin Guo, Wei He, Yiwen Ding, Boyang Hong, Ming Zhang, Junzhe Wang, Senjie Jin, Enyu Zhou, et al. 2025. The rise and potential of large language model based agents: A survey.Science China Information Sciences 68, 2 (2025), 121101

2025
[24]

Qiusi Zhan, Richard Fang, Henil Shalin Panchal, and Daniel Kang. 2025. Adaptive attacks break defenses against indirect prompt injection attacks on llm agents. In Findings of the Association for Computational Linguistics: NAACL 2025. 7101–7117

2025
[25]

Qiusi Zhan, Zhixiang Liang, Zifan Ying, and Daniel Kang. 2024. Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents. InFindings of the Association for Computational Linguistics: ACL 2024. 10471–10506

2024

[1] [1]

AI45Lab. 2026. AgentDoG on Github. (2026). https://github.com/AI45Lab/Age ntDoG

2026

[2] [2]

AI45Lab. 2026. ClawSentry on Github. (2026). https://github.com/AI45Lab/Cla wSentry

2026

[3] [3]

Christoph Bühler, Matteo Biagiola, Luca Di Grazia, and Guido Salvaneschi. 2026. AgentBound: Securing Execution Boundaries of AI Agents. InProceedings of the 34th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE), Vol. 3. 24

2026

[4] [4]

Sizhe Chen, Arman Zharmagambetov, Saeed Mahloujifar, Kamalika Chaudhuri, David Wagner, and Chuan Guo. 2025. Secalign: Defending against prompt injection with preference optimization. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. 2833–2847

2025

[5] [5]

Edoardo Debenedetti, Ilia Shumailov, Tianqi Fan, Jamie Hayes, Nicholas Car- lini, Daniel Fabian, Christoph Kern, Chongyang Shi, Andreas Terzis, and Flo- rian Tramèr. 2025. Defeating prompt injections by design.arXiv preprint arXiv:2503.18813(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[6] [6]

Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. 2024. Agentdojo: A dynamic environment to eval- uate prompt injection attacks and defenses for llm agents.Advances in Neural Information Processing Systems37 (2024), 82895–82920

2024

[7] [7]

Zimo Ji, Daoyuan Wu, Wenyuan Jiang, Pingchuan Ma, Zongjie Li, Yudong Gao, Shuai Wang, and Yingjiu Li. 2026. Taming Various Privilege Escalation in LLM- Based Agent Systems: A Mandatory Access Control Framework.arXiv preprint arXiv:2601.11893(2026)

work page arXiv 2026

[8] [8]

Changyue Jiang, Xudong Pan, and Min Yang. 2025. Think twice before you act: Enhancing agent behavioral safety with thought correction.arXiv preprint arXiv:2505.11063(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[9] [9]

Juhee Kim, Wenbo Guo, Dawn Song, UC Berkeley, and UC Santa Barbara. 2026. SoK: Attack and Defense Landscape of Agentic AI Systems. In35nd USENIX Security Symposium (USENIX Security 26)

2026

[10] [10]

Evan Li, Tushin Mallick, Evan Rose, William Robertson, Alina Oprea, and Cristina Nita-Rotaru. 2025. Ace: A security architecture for llm-integrated app systems. arXiv preprint arXiv:2504.20984(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[11] [11]

Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Chengyuan Zhou, et al. 2025. Make agent defeat agent: Automatic detection of {Taint-Style} vulnerabilities in {LLM-based} agents. In 34th USENIX Security Symposium (USENIX Security 25). 3767–3786

2025

[12] [12]

Yupei Liu, Yuqi Jia, Jinyuan Jia, Dawn Song, and Neil Zhenqiang Gong. 2025. Datasentinel: A game-theoretic detection of prompt injection attacks. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2190–2208

2025

[13] [13]

Jiaqi Luo, Jiarun Dai, Fengyu Liu, Songyang Peng, Youkun Shi, Tong Bu, Geng Hong, Xudong Pan, and Yuan Zhang. 2026. Autonomy Comes with Costs: Detect- ing Denial-of-Service Vulnerabilities Caused by Resource Abusing in LLM-based Agents. In35th USENIX Security Symposium (USENIX Security 26)

2026

[14] [14]

Microsoft. 2026. Agent Governance Toolkit on Github. (2026). https://github.c om/microsoft/agent-governance-toolkit

2026

[15] [15]

OpenAI. 2026. The Official Website of Codex. (2026). https://openai.com/codex/

2026

[16] [16]

Openclaw. 2026. Openclaw on Github. (2026). https://github.com/openclaw/op enclaw

2026

[17] [17]

Tianneng Shi, Jingxuan He, Zhun Wang, Hongwei Li, Linyu Wu, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable privilege control for llm agents. arXiv preprint arXiv:2504.11703(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[18] [18]

Haoyu Wang, Christopher M Poskitt, and Jun Sun. 2025. Agentspec: Cus- tomizable runtime enforcement for safe and reliable llm agents.arXiv preprint arXiv:2503.18666(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[19] [19]

Lei Wang, Chen Ma, Xueyang Feng, Zeyu Zhang, Hao Yang, Jingsen Zhang, Zhiyuan Chen, Jiakai Tang, Xu Chen, Yankai Lin, et al. 2024. A survey on large language model based autonomous agents.Frontiers of Computer Science18, 6 (2024), 186345

2024

[20] [20]

Yifei Wang, Dizhan Xue, Shengjie Zhang, and Shengsheng Qian. 2024. Badagent: Inserting and activating backdoor attacks in llm agents. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 9811–9827

2024

[21] [21]

Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal

[22] [22]

Isolategpt: An execution isolation architecture for llm-based agentic sys- tems.arXiv preprint arXiv:2403.04960(2024)

work page arXiv 2024

[23] [23]

Zhiheng Xi, Wenxiang Chen, Xin Guo, Wei He, Yiwen Ding, Boyang Hong, Ming Zhang, Junzhe Wang, Senjie Jin, Enyu Zhou, et al. 2025. The rise and potential of large language model based agents: A survey.Science China Information Sciences 68, 2 (2025), 121101

2025

[24] [24]

Qiusi Zhan, Richard Fang, Henil Shalin Panchal, and Daniel Kang. 2025. Adaptive attacks break defenses against indirect prompt injection attacks on llm agents. In Findings of the Association for Computational Linguistics: NAACL 2025. 7101–7117

2025

[25] [25]

Qiusi Zhan, Zhixiang Liang, Zifan Ying, and Daniel Kang. 2024. Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents. InFindings of the Association for Computational Linguistics: ACL 2024. 10471–10506

2024