Search papers, labs, and topics across Lattice.
This paper addresses the privacy vulnerabilities of speculative tool calls made by language agents, which inadvertently disclose user intent to external services before the agent finalizes its decision. By introducing Speculative Tool Privacy Contracts, the authors create a framework that treats the observation of these calls as a critical factor, separate from the agent's state changes. Their evaluation of twelve policies reveals that only issue-time interventions effectively mitigate the leakage of inferred user intent, highlighting the inadequacy of traditional post-hoc privacy measures.
Speculative tool calls can expose user intent before agents even commit, but new privacy contracts can effectively mitigate this risk.
Tool-augmented language agents speculatively issue likely future tool calls to hide latency, but those calls leak inferred user intent to external services before the agent commits to the branch. Every external observer that received the call retains the disclosure after the agent abandons the branch. Timing is the issue, not authorization: no commit-time cleanup, read-only restriction, or access-control allow-list unsends what an observer already holds. We call these invocations ghost tool calls and propose Speculative Tool Privacy Contracts, a runtime abstraction that treats observation before commitment as a first-class effect, distinct from state mutation. We implement the contracts in a prototype runtime and evaluate twelve policies across three corpora. Speculative dispatch increases what an observer can infer about user intent; post-hoc filters, read-only restrictions, and access-control allow-lists leave that inference intact; only issue-time policies that change or suppress the speculative call's argument or destination projection before dispatch reduce it.
