SoK: Trust-Authorization Mismatch in LLM Agent Interactions
Guanquan Shi, Haohua Du, Zhiqiang Wang, Xiaoyu Liang, Weiwenpei Liu, Song Bian, Zhenyu Guan

TL;DR
This paper systematically reviews the security challenges of LLM agents, highlighting the trust-authorization mismatch caused by the shift from static permissions to dynamic trust states, and proposes a formal framework to address these issues.
Contribution
It introduces the Belief-Intention-Permission framework to analyze agent security and maps existing threats and defenses within this formal lens.
Findings
Identifies trust-authorization mismatch as a core security challenge.
Maps existing attacks and defenses using the B-I-P framework.
Highlights gaps and proposes a shift to risk-adaptive authorization.
Abstract
Large Language Models (LLMs) are evolving into autonomous agents capable of executing complex workflows via standardized protocols (e.g., MCP). However, this paradigm shifts control from deterministic code to probabilistic inference, creating a fundamental Trust-Authorization Mismatch: static permissions are structurally decoupled from the agent's fluctuating runtime trustworthiness. In this Systematization of Knowledge (SoK), we survey more than 200 representative papers to categorize the emerging landscape of agent security. We propose the Belief-Intention-Permission (B-I-P) framework as a unifying formal lens. By decomposing agent execution into three distinct stages (Belief Formation, Intent Generation, and Permission Grant), we demonstrate that diverse threats, from prompt injection to tool poisoning, share a common root cause: the desynchronization between dynamic trust states and…
Taxonomy
Topics: Access Control and Trust · Blockchain Technology Applications and Security · Explainable Artificial Intelligence (XAI)
