This work addresses critical security risks—such as privilege escalation, tool invocation tampering, and opaque intent—faced by large language model (LLM)-driven agents when dynamically invoking tools and accessing protected resources during multi-turn dialogues and distributed collaboration. To mitigate these threats, the authors propose a hybrid runtime authorization model that integrates deterministic control with semantic validation, enabling continuous semantic authorization of agent behavior within a zero-trust interception layer. The study extends task-based access control (TBAC) to multi-turn dialogue scenarios for the first time, employing a two-stage mechanism of task extraction and tool-task semantic matching to achieve fine-grained alignment with the user’s original intent. The evaluation introduces the first TBAC benchmark supporting multi-turn interactions and extends the ASTRA dataset with multi-turn dialogues, demonstrating the approach’s effectiveness in detecting irrelevant or malicious tool invocations.

Authorizing Large Language Model (LLM)-driven agents to dynamically invoke tools and access protected resources introduces significant security risks, and the risks grow dramatically as agents engage in multi-turn conversations and scale toward distributed collaboration. A compromised or malicious agentic application can tamper with tool calls, falsify results, or request permissions beyond the scope of the subject's intended tasks, which could go unnoticed with current delegated authorization flows given their lack of visibility into the original subject's intent. In light of this, we make the following contributions towards Continuous Agent Semantic Authorization (CASA). First, we propose a hybrid runtime enforcement model that combines deterministic and semantic controls enabled by a zero-trust interception layer. Five deterministic controls enforce structural and data-integrity guarantees over the message flow, while a semantic inspection layer evaluates whether tool call choices align with the intended tasks commissioned to the agent. Second, differently from prior Task-Based Access Control (TBAC) techniques that operate on single-turn interactions, we decompose the semantic layer into two stages: i) a task-extraction step that distills the subject's objectives from multi-turn conversations at the interception layer, and ii) a task-tool semantic matching step at the authorization server that evaluates whether the requested tools are appropriate for the extracted tasks. Third, we extend the ASTRA dataset that we introduced in a prior work, by generating novel conversation-tool datasets with multi-turn interactions containing relevant and irrelevant tool calls for a given task. Lastly, we provide the first experimental results for TBAC under multi-turn conversations.