TL;DR
FORTIS introduces a benchmark to evaluate over-privilege in language model agents, revealing that current models frequently exceed their intended skill boundaries, especially under realistic conditions.
Contribution
The paper presents FORTIS, a novel benchmark for assessing over-privilege in agent skills, highlighting prevalent privilege escalation issues in state-of-the-art models.
Findings
Models often select higher-privilege skills than necessary.
Over-privileged behavior occurs across diverse models and domains.
Real-world conditions exacerbate privilege escalation issues.
Abstract
Large language model agents increasingly operate through an intermediate skill layer that mediates between user intent and concrete task execution. This layer is widely treated as an organizational abstraction, but we argue it is also a privilege boundary that current models routinely exceed. We present FORTIS, a benchmark that evaluates over-privilege in agent skills across two stages: whether a model selects the minimally sufficient skill from a large overlapping library, and whether it executes that skill without expanding into broader tools or actions than the skill permits. Across ten frontier models and three domains, we find that over-privileged behavior is the norm rather than the exception. Models consistently reach for higher-privilege skills and tools than the task requires, failing at both stages at rates that remain high even for the strongest available models.…
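The two stages named in the abstract can be checked mechanically once each skill declares what it covers and which tools it permits. The sketch below is an added example, not FORTIS code or its scoring method; the skill names, the integer privilege scale, the capability labels and the tool names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Skill:
    name: str
    privilege: int           # constructed scale: higher means broader authority
    capabilities: frozenset  # task needs this skill can satisfy
    tools: frozenset         # tools the skill permits during execution

# Constructed, deliberately overlapping skill library (not from the paper).
LIBRARY = {s.name: s for s in [
    Skill("read_ticket", 1, frozenset({"ticket.read"}),
          frozenset({"tickets.get"})),
    Skill("update_ticket", 2, frozenset({"ticket.read", "ticket.write"}),
          frozenset({"tickets.get", "tickets.patch"})),
    Skill("admin_console", 3,
          frozenset({"ticket.read", "ticket.write", "user.manage"}),
          frozenset({"tickets.get", "tickets.patch", "users.delete", "shell.exec"})),
]}

def minimal_skill(required):
    """Return the lowest-privilege skill whose capabilities cover the task."""
    sufficient = [s for s in LIBRARY.values() if required <= s.capabilities]
    return min(sufficient, key=lambda s: s.privilege) if sufficient else None

def audit(required, chosen, tool_calls):
    """Stage 1: was the chosen skill minimally sufficient?
    Stage 2: did execution stay inside the chosen skill's tool allowlist?"""
    skill, best = LIBRARY[chosen], minimal_skill(required)
    if best is None or not required <= skill.capabilities:
        selection = "insufficient"
    elif skill.privilege > best.privilege:
        selection = "over_privileged"
    else:
        selection = "minimal"
    return {
        "selection": selection,
        "minimal": best.name if best else None,
        # Tools invoked that the selected skill never granted.
        "out_of_scope_tools": sorted(set(tool_calls) - skill.tools),
    }

if __name__ == "__main__":
    # Constructed agent traces: (task needs, skill picked, tools called).
    print(audit({"ticket.read"}, "admin_console", ["tickets.get"]))
    print(audit({"ticket.read"}, "read_ticket", ["tickets.get", "shell.exec"]))
```

The same `out_of_scope_tools` check can run as a pre-execution gate in an agent runtime, rejecting a tool call before it happens instead of reporting it afterwards.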
