Search papers, labs, and topics across Lattice.
This survey critically examines the privacy challenges faced by large language model (LLM) agents as they interact with sensitive data across various sources and workflows. By organizing the literature around the data an agent accesses rather than by specific attack types, the authors identify key privacy risks, governance mechanisms, and gaps in existing benchmarks. Notably, they find that while information-flow control addresses significant leakage risks, no current benchmark effectively evaluates an agent's performance under a unified privacy policy, highlighting a critical area for future research.
Privacy risks in LLM agents are more pervasive than previously understood, with no existing benchmark adequately addressing their complex data interactions under a single privacy policy.
Large language model agents increasingly query databases, search document collections, call external APIs, remember past interactions, and act on a user's behalf. As they move from answering questions to operating over sensitive data, privacy becomes harder to enforce. An agent touches many data sources, runs multi-step workflows, keeps state across sessions, and acts with delegated permissions. Sensitive information can therefore leak not only through its final answer but through the queries it issues, the intermediate results it handles, the memory it writes, and the messages it exchanges with other agents. We survey the privacy of LLM agents from a data-centric view, organizing the field around the data an agent touches rather than by attack type, and we use data agent as shorthand for an LLM agent that works with data. Research on these risks is active but scattered across retrieval-augmented generation, text-to-SQL interfaces, agent memory, prompt injection, access control, and contextual privacy. This survey brings that work together: we taxonomize the data sources an agent touches, the privacy risks each source creates, and the governance mechanisms that address them; we map the benchmarks used to measure these risks and identify what is missing; and we set out the open problems. Two findings recur: among governance mechanisms only information-flow control covers both compositional and cross-session inference leakage, the two least-protected risks; and no benchmark drives an agent across its data surfaces under one privacy policy, the instrument the field most lacks. Our goal is a reference that situates the scattered literature and gives future work a common framing.