🤖 AI Summary
Problem: Existing LLM-driven agent authorization mechanisms grant overly broad permissions, lacking semantic alignment between task intent and resource access scope, thereby increasing the risk of privilege escalation.
Method: We propose a delegation-based, intent-aware authorization model that, uniquely, works at the semantic level: it dynamically matches task descriptions with minimal required permission scopes, so that tokens are granted only the least privileges necessary to complete the current task. To support this, we introduce ASTRA, the first benchmark dataset for delegation-oriented authorization, comprising diverse task–permission pairs across multiple scenarios, along with a dedicated semantic matching model and a task–scope alignment mechanism.
Contribution/Results: Experiments demonstrate substantial improvements in authorization precision; however, they also expose inherent bottlenecks in semantic understanding under high-complexity tasks. This work establishes a foundation for future research on intent modeling and fine-grained, context-aware authorization in LLM-based agents.
📝 Abstract
Authorizing Large Language Model-driven agents to dynamically invoke tools and access protected resources introduces significant risks, since current methods for delegating authorization grant overly broad permissions and give access to tools allowing agents to operate beyond the intended task scope. We introduce and assess a delegated authorization model enabling authorization servers to semantically inspect access requests to protected resources, and issue access tokens constrained to the minimal set of scopes necessary for the agents' assigned tasks. Given the unavailability of datasets centered on delegated authorization flows, particularly including both semantically appropriate and inappropriate scope requests for a given task, we introduce ASTRA, a dataset and data generation pipeline for benchmarking semantic matching between tasks and scopes. Our experiments show both the potential and current limitations of model-based matching, particularly as the number of scopes needed for task completion increases. Our results highlight the need for further research into semantic matching techniques enabling intent-aware authorization for multi-agent and tool-augmented applications, including fine-grained control, such as Task-Based Access Control (TBAC).