AI Summary
This work addresses the vulnerability of large language model (LLM) agents to indirect prompt injection attacks in high-stakes scenarios, where adversaries manipulate external data sources to induce unauthorized actions. To mitigate this threat, the authors propose AuthGraph, a novel framework that achieves structured alignment between authorization intent and execution provenance at the parameter-source level. AuthGraph constructs dual graphs, an information provenance graph and an authorization intent graph, and employs dual-graph modeling, isolated inference, and graph alignment verification to enable fine-grained detection of anomalous tool invocations and parameter origins, thereby preserving both security and task flexibility. Experimental results on AgentDojo and AgentDyn demonstrate that AuthGraph reduces attack success rates to 1% and 2%, respectively, while maintaining task completion rates of 76% and 51%, significantly outperforming existing approaches such as CaMeL, DRIFT, and Progent.
Abstract
LLM-based agents are increasingly deployed in high-stakes scenarios such as email management, financial transactions, and code execution, where they interact with the external world through tool calling. During execution, these agents must read external data sources (emails, webpages, files) that attackers can control; through indirect prompt injection, attackers embed malicious instructions in this data to manipulate agents into performing unauthorized operations such as transferring funds to attacker-controlled accounts. Existing defenses either perform tool-call-level value checking without tracking where parameter values originate, or analyze execution traces from a single perspective without a clean authorization baseline for comparison. We propose AuthGraph, a dual-graph alignment defense framework that constructs two complementary graphs: an injected reasoning graph that models information provenance from the actual execution trajectory (including potentially manipulated attributions), and an authorization graph derived from the user's intent in an isolated clean context that injected content is information-theoretically unable to influence; a graph alignment checker then structurally compares the two graphs to detect both tool-level and parameter-source-level deviations. On AgentDojo, AuthGraph reduces the attack success rate from 40% to 1% while maintaining a 76% task completion rate on GPT-4o; on AgentDyn, it reduces the attack success rate from 39% to 2% while preserving 51% utility, outperforming state-of-the-art defenses including CaMeL, DRIFT, and Progent. To our knowledge, AuthGraph is the first agent security defense to structurally compare authorization specifications against execution provenance at the parameter-source level, achieving fine-grained injection detection without sacrificing agent flexibility.
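To make the two-graph idea concrete, the following is an added illustrative example and not AuthGraph's own code. It reduces the paper's design to its smallest working form: an authorization graph maps each permitted tool and parameter to the provenance classes the user's intent allows (built from the clean context, so it never sees tool output), a provenance graph records where every value in the execution trace was derived from, and an alignment check walks the trace and reports a tool-level deviation (tool not authorized) or a parameter-source deviation (value traced back to a root the authorization graph did not permit). The trust labels (`user`, `tool:read_file`, `external:email`), the node names and the rent-payment task are constructed for this example; the real system's graph representation and alignment procedure are richer than this.

```python
"""Toy dual-graph alignment check (illustration; not the paper's implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Authorization graph: tool -> parameter -> permitted provenance roots for its value.
# Built only from the user's request in a clean context, so injected data cannot shape it.
AuthorizationGraph = Dict[str, Dict[str, Set[str]]]


@dataclass
class ProvenanceGraph:
    """Where each data item seen during execution came from."""
    # root data items and their trust class, e.g. "user", "tool:read_file", "external:email"
    roots: Dict[str, str] = field(default_factory=dict)
    # derived item -> the item it was derived from (edges point toward the origin)
    edges: Dict[str, str] = field(default_factory=dict)

    def origin(self, node: str) -> Optional[str]:
        """Follow derivation edges back to a root and return its trust class.
        Unknown nodes and cycles yield None, which the checker treats as unverifiable."""
        seen = set()
        while node not in self.roots:
            if node in seen or node not in self.edges:
                return None
            seen.add(node)
            node = self.edges[node]
        return self.roots[node]


@dataclass
class ToolCall:
    tool: str
    # parameter name -> provenance-graph node that supplied its value
    param_nodes: Dict[str, str]


def check_alignment(auth: AuthorizationGraph, prov: ProvenanceGraph,
                    trace: List[ToolCall]) -> List[str]:
    """Compare the executed trace against the authorization graph.

    Tool-level deviation: a tool the user's intent never authorized.
    Parameter-source deviation: a value whose origin (per the provenance graph)
    is not among the roots permitted for that parameter, or cannot be traced.
    """
    findings: List[str] = []
    for step, call in enumerate(trace, 1):
        spec = auth.get(call.tool)
        if spec is None:
            findings.append(f"step {step}: tool-level deviation: {call.tool!r} is not authorized")
            continue
        for param, node in call.param_nodes.items():
            allowed = spec.get(param)
            if allowed is None:
                findings.append(f"step {step}: {call.tool}.{param}: parameter not in authorization graph")
                continue
            src = prov.origin(node)
            if src is None or src not in allowed:
                findings.append(
                    f"step {step}: parameter-source deviation: {call.tool}.{param} "
                    f"comes from {src or 'unverifiable'} (permitted: {sorted(allowed)})")
    return findings


def build_sample():
    """Constructed scenario: the user asks to pay the landlord the amount written in rent.txt.
    An email read along the way carries an injected instruction to redirect the payment."""
    auth: AuthorizationGraph = {
        "read_file": {"path": {"user"}},
        "send_money": {"recipient": {"user"}, "amount": {"tool:read_file"}},
    }
    prov = ProvenanceGraph(
        roots={"task_text": "user", "rent_txt": "tool:read_file", "email_body": "external:email"},
        edges={
            "path_val": "task_text",        # file name given by the user
            "amount_val": "rent_txt",       # amount parsed from the file the user named
            "recipient_val": "email_body",  # account lifted from the injected email
            "subject_val": "email_body",
        },
    )
    trace = [
        ToolCall("read_file", {"path": "path_val"}),
        ToolCall("send_money", {"recipient": "recipient_val", "amount": "amount_val"}),
        ToolCall("send_email", {"subject": "subject_val"}),  # never requested by the user
    ]
    return auth, prov, trace


def run_sample() -> List[str]:
    return check_alignment(*build_sample())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run stand-alone, the sample reports two findings: the `send_money.recipient` value traces to `external:email` although only a user-supplied recipient was authorized, and `send_email` is not in the authorization graph at all. The `amount` parameter passes because its provenance root (`tool:read_file`) is exactly what the user's request implied, which is the flexibility the abstract argues a parameter-source-level comparison preserves over blanket blocking of tool calls that touch external data.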