The Authorization-Execution Gap Is a Major Safety and Security Problem in Open-World Agents
Baoyuan Wu, Qingshan Liu, Adel Bibi, Irwin King, Siwei Lyu

TL;DR
The paper highlights the Authorization-Execution Gap as a critical safety and security issue in open-world agents, emphasizing the need for source-oriented diagnosis and real-time integrity checks during execution.
Contribution
It identifies three structural sources of the Authorization-Execution Gap and advocates for dynamic, process-level defenses over static, outcome-based measures.
Findings
AEG causes significant safety and security risks in open-world agents.
Structural sources of AEG include delegation-level incompleteness, channel-level corruption, and composition-level fragmentation.
Real-time integrity checks can help diagnose and mitigate AEG during execution.
Abstract
This position paper argues that the Authorization-Execution Gap (AEG) is a major safety and security problem in open-world agents. The AEG is the divergence between what a principal intends to authorize and what an open-world agent ultimately executes. Because such agents act autonomously across tools, persistent state, and multi-agent handoffs, even small instances of authorization divergence can cause harm that is difficult or impossible to undo. We argue that many observed agent failures can be traced to three structural sources of AEG: delegation-level incompleteness, channel-level corruption, and composition-level fragmentation. The same observed failure may arise from any of these sources. Without identifying the source, a defense targeting the symptom alone cannot address the underlying cause. Agent safety and security should therefore emphasize source-oriented diagnosis and…
