Authorization-Execution Gap: A Major Safety Problem for Open-World AI Agents
A recent position paper on arXiv (2605.11003) highlights the Authorization-Execution Gap (AEG) as a significant flaw in the safety and security of open-world agents. The AEG is the discrepancy between the authorization a principal intended and the actions an agent actually takes. Because these agents operate independently across various tools, maintain persistent state, and hand off work between multiple agents, even minor authorization discrepancies can lead to severe, irreversible consequences. The paper outlines three fundamental causes of AEG: incompleteness at the delegation level, corruption at the channel level, and fragmentation at the composition level. The authors emphasize that addressing symptoms alone is insufficient and advocate diagnosing and defending against the root causes to enhance agent safety and security.
Key facts
- The Authorization-Execution Gap (AEG) is defined as the divergence between intended authorization and actual execution.
- Open-world agents act autonomously across tools, persistent state, and multi-agent handoffs.
- Three structural sources of AEG: delegation-level incompleteness, channel-level corruption, composition-level fragmentation.
- Small instances of authorization divergence can cause harm that is difficult or impossible to undo.
- The same observed failure may arise from any of the three structural sources.
- Defenses targeting symptoms alone cannot address the underlying cause.
- The paper emphasizes source-oriented diagnosis and defense.
- Published on arXiv with identifier 2605.11003.
Entities
Institutions
- arXiv