Search papers, labs, and topics across Lattice.
This paper introduces Context-to-Execution Integrity (CXI), a novel execution-boundary system designed to enhance the security of language-model agents by ensuring that tool execution is contingent upon strict authority checks. The CXI framework employs policies to mark protected fields, utilizes typed releases for validated data transfer, and implements a deterministic gate to enforce binding of field, effect, and invocation authorities before execution. Evaluation results from extensive live episodes and benchmarks demonstrate that CXI achieves 231 safe task completions with zero instances of unauthorized access or execution escapes, underscoring its effectiveness in maintaining integrity during agent operations.
CXI ensures that language-model agents execute tasks only when all authority checks align, achieving unprecedented security with zero unauthorized escapes.
Language-model agents read attacker-writable context to solve tasks. Tool execution needs a separate authority check for protected sink fields, sink-interpreted payloads, and the invocation event. Context-to-Execution Integrity (CXI) is an execution-boundary system for this setting. Policies mark protected sink fields, typed releases carry narrow validated values from writable context to specific destinations, opaque data slots keep evidence as data, and a deterministic gate admits a call only after field authority, exact-effect authorization, and invocation authority all bind to the same action manifest. We evaluate CXI on open-weight field-projection runs, AgentDojo live episodes, a code-agent exact-effect benchmark, manifest-bound ledger faults, proposal-pressure controls, and hosted/API compatibility traces. AgentDojo covers 720 live episodes and 1,739 LLM calls; the code-agent benchmark covers 400 repository episodes with exact-effect authorization and lease-bound execution, yielding 231 safe task completions and zero observed field, effect, or invocation escapes. The accounting reports parser outcomes, authorization outcomes, and task-quality outcomes together with the admission-integrity result. Across the evaluated sinks, CXI admits execution only when field, effect, and invocation authority bind to the same action manifest.