Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents

TL;DR

This paper introduces the Open Agent Passport (OAP), a deterministic, policy-based authorization system that intercepts and evaluates tool calls in AI agents before execution, significantly improving security and compliance.

Contribution

It presents the OAP framework as an open standard for pre-action authorization, enabling real-time enforcement and cryptographic auditing of tool calls in autonomous AI agents.

Findings

OAP enforces authorization decisions in median 53 ms

Adversarial tests show 0% success rate under restrictive policies

OAP effectively prevents social engineering attacks in live tests

Abstract

AI agents today have passwords but no permission slips. They execute tool calls (fund transfers, database queries, shell commands, sub-agent delegation) with no standard mechanism to enforce authorization before the action executes. Current safety architectures rely on model alignment (probabilistic, training-time) and post-hoc evaluation (retrospective, batch). Neither provides deterministic, policy-based enforcement at the individual tool call level. We characterize this gap as the pre-action authorization problem and present the Open Agent Passport (OAP), an open specification and reference implementation that intercepts tool calls synchronously before execution, evaluates them against a declarative policy, and produces a cryptographically signed audit record. OAP enforces authorization decisions in a measured median of 53 ms (N=1,000). In a live adversarial testbed (4,437 authorization decisions across 1,151 sessions, $5,000 bounty), social engineering succeeded against the model 74.6% of the time under a permissive policy; under a restrictive OAP policy, a comparable population of attackers achieved a 0% success rate across 879 attempts. We distinguish pre-action authorization from sandboxed execution (contains blast radius but does not prevent unauthorized actions) and model-based screening (probabilistic), and show they are complementary. The same infrastructure that enforces security constraints (spending limits, capability scoping) also enforces quality gates, operational contracts, and compliance controls. The specification is released under Apache 2.0 (DOI: 10.5281/zenodo.18901596).