Search papers, labs, and topics across Lattice.
This paper introduces C-Trace, a runtime compliance verification framework designed to ensure AI agents adhere to GDPR regulations during operation. By formalizing key GDPR requirements as policy predicates and employing a runtime monitor to intercept and reject non-compliant actions, C-Trace effectively mitigates the risk of regulatory violations. The evaluation demonstrates that C-Trace maintains a low attack success rate and minimizes false positives, outperforming existing compliance testing methods under various noise conditions.
C-Trace keeps AI agents compliant with GDPR in real-time, achieving less than 12% attack success even under adversarial conditions.
AI agents now handle personal data through tool use, function calls, and multi turn dialogue, which can create obligations under the General Data Protection Regulation (GDPR). Current testing practices mainly rely on offline red teaming or static prompt review, but they do not guarantee at runtime that agent behavior follows regulatory rules. We propose C-Trace (Compliance Trace based Runtime Agent Conformance Enforcement), a verification framework that: (i) expresses a subset of GDPR requirements, including consent, purpose limitation, data minimization, and the right to erasure, as formal policy predicates over agent execution traces; (ii) uses a runtime monitor that intercepts every tool invocation and model output and rejects non-compliant actions; and (iii) tests the agent with attack dialogues, including DSPy generated prompts and verbatim prompts from red teaming corpora, that try to induce violations. We evaluate the framework on four case studies reframed to GDPR. Under 10 percent per-category extractor noise, including drop-out and over-typing, the monitor keeps the attack success rate at less than or equal to 12 percent, below the baselines we compare against, and false positives at less than or equal to 16 percent, and reaches 0 percent ASR under perfect extraction.