Temporary Authority, Permanent Effects: Commit-Time Authorization for LLM Agents

📅 2026-07-11
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical security vulnerability in large language model (LLM) agents, which may execute persistent operations based on stale authorization credentials. To mitigate this risk, the authors propose a “commit-time authorization” mechanism that dynamically validates the freshness, causal ordering, binding integrity, and eligibility of authorization evidence at operation commit boundaries. They formally define and verify the security properties of this mechanism, demonstrating that successful task completion does not necessarily imply valid authorization. Furthermore, they design CommitGuard, a runtime enforcement system, and evaluate it using a controlled test suite spanning browser interactions, tool/API invocations, and multi-agent workflows. Across 54 tasks and 270 runs, only 55 executions achieved genuine authorization; experiments confirm that CommitGuard effectively blocks operations relying on expired credentials, underscoring authorization commit as an essential security property.
📝 Abstract
LLM agents can commit durable effects from authority evidence that was valid earlier in execution: a DOM snapshot, approval epoch, version witness, branch token, or worker result. We study the commit boundary at which earlier authority evidence no longer authorizes a durable effect. We call this property commit-time authorization: a durable effect is authorized only if the witness that licensed its derived state remains fresh, causally prior, bound to the same effect, and eligible at commit time. We build a controlled-invalidation suite spanning browser, tool/API, and multi-agent workflows. The suite preserves the user goal and payload shape while invalidating the authority relation before durability. In the primary 54-task matrix, endpoint success remains high: 262/270 runs reach the visible result. Only 55/270 are authorized completions; among the 216 invalidating rows, 207 commit after the authorizing path has failed. All 54 clean controls remain authorized, and a separate 54-run authority-preserving check produces no unauthorized commits. We then evaluate mitigation families. Prompt caution and single-condition checks are insufficient because different hazards break different boundary conditions. Defenses work when they refresh, rebind, replan, or refuse at the durability boundary. CommitGuard, a fail-closed boundary monitor, blocks stale durable-effect attempts on protected commit surfaces when runtimes emit witness, dependency, binding, and eligibility signals. The result is a reporting and runtime-design lesson: endpoint success is a utility metric; authorized commit is a security property.
Problem

Research questions and friction points this paper is trying to address.

commit-time authorization
LLM agents
durable effects
authority invalidation
security boundary
Innovation

Methods, ideas, or system contributions that make the work stand out.

commit-time authorization
durable effects
LLM agents
controlled invalidation
CommitGuard