PlanTwin: Privacy-Preserving Planning Abstractions for Cloud-Assisted LLM Agents

TL;DR

PlanTwin introduces a privacy-preserving architecture that creates abstract digital twins of local environments, enabling cloud-assisted planning without exposing sensitive raw data, balancing privacy and planning utility.

Contribution

It proposes a novel schema-constrained digital twin approach and formal privacy-utility trade-offs for secure cloud-assisted planning in agent systems.

Findings

Achieves full sensitive-item non-disclosure (SND=1.0).

Maintains high planning quality with less than 2.2% utility loss.

Demonstrates effectiveness across 60 tasks and 10 domains.

Abstract

Cloud-hosted large language models (LLMs) have become the de facto planners in agentic systems, coordinating tools and guiding execution over local environments. In many deployments, however, the environment being planned over is private, containing source code, files, credentials, and metadata that cannot be exposed to the cloud. Existing solutions address adjacent concerns, such as execution isolation, access control, or confidential inference, but they do not control what cloud planners observe during planning: within the permitted scope, \textit{raw environment state is still exposed}. We introduce PlanTwin, a privacy-preserving architecture for cloud-assisted planning without exposing raw local context. The key idea is to project the real environment into a \textit{planning-oriented digital twin}: a schema-constrained and de-identified abstract graph that preserves planning-relevant structure while removing reconstructable details. The cloud planner operates solely on this sanitized twin through a bounded capability interface, while a local gatekeeper enforces safety policies and cumulative disclosure budgets. We further formalize the privacy-utility trade-off as a capability granularity problem, define architectural privacy goals using $(k,\delta)$-anonymity and $\epsilon$-unlinkability, and mitigate compositional leakage through multi-turn disclosure control. We implement PlanTwin as middleware between local agents and cloud planners and evaluate it on 60 agentic tasks across ten domains with four cloud planners. PlanTwin achieves full sensitive-item non-disclosure (SND = 1.0) while maintaining planning quality close to full-context systems: three of four planners achieve PQS $> 0.79$, and the full pipeline incurs less than 2.2\% utility loss.