Search papers, labs, and topics across Lattice.
This paper introduces Risk-Aware Causal Gating (RACG), a method designed to protect tool-augmented LLM agents from indirect prompt injection by restricting the visible action space of dangerous tools. The authors highlight that the integrity of tool contracts is crucial, as an attacker can compromise the gate's decision-making by corrupting these contracts, emphasizing that effect integrity is more critical than merely relabeling risk. The proposed ContractGuard verifier effectively restores injection success to zero against various modeled attacks while maintaining the acceptance of honest contracts across multiple current-generation models.
Effect forgery poses a greater threat to LLM safety than risk label tampering, revealing a critical vulnerability in tool contract integrity.
Risk-Aware Causal Gating (RACG) defends tool-augmented LLM agents against indirect prompt injection by removing dangerous tools from the agent's visible action space, so that even a fully injection-compliant agent cannot call a tool it cannot see. We make three points. First, this structural guarantee does not eliminate the trust assumption behind safe tool use; it relocates it into the integrity of the tool contracts -- declared preconditions, effects, risk, and authorization -- that the gate reads, so an attacker who corrupts a contract can make the gate mis-decide without ever persuading the agent. Second, forging a tool's effects is strictly more dangerous than tampering with its risk label, because RACG applies a causal gate before its admissibility gate: an off-path tool is never exposed, so risk-relabeling alone fails, whereas effect forgery routes the dangerous tool onto the causal path and succeeds. Effect integrity, not the risk label, is the load-bearing assumption. Third, we introduce ContractGuard, a verifier between the registry and the gate that layers signed provenance, typed contract attestation, and runtime effect verification; on a controlled benchmark it restores injection success to zero against every modeled attack -- including an exhaustive white-box adaptive attacker -- without over-rejecting honest contracts, and the structural prediction is confirmed on six current-generation hosted models (Claude Opus 4.8, Sonnet 4.6, Haiku 4.5; Amazon Nova Premier and Nova 2 Lite; GPT-OSS-120B).