Dynamic Capability Scoping for Enterprise AI Agents: A Synthetic Dataset and Three-Source Permission Architecture
Keywords: AI agent security, LLM agents, Capability-based security, Least privilege, Synthetic datasets, Access control, Agent permissions, AI safety, Indirect prompt injection, AI control
TL;DR: A synthetic dataset with an open generation pipeline, plus a three-source security architecture for task-based capability scoping of deceptive or compromised AI agents in enterprise environments.
Abstract: Enterprise AI agents are typically granted static credential sets at configuration time, holding every tool the role might need for every task they perform. This persistent over-privilege expands the attack surface. We argue that capability scoping must follow a dynamic least-privilege principle and be treated as a prevention mechanism before a detection one: a credential that does not exist in an agent's context cannot be misused, regardless of the agent's reasoning or evasion sophistication. We outline a three-source architecture instantiating this principle: role-based ceilings, a task-context classifier, and policy-derived combination prohibitions, which together form a layered, proactive defense against misaligned or misused LLM agents. The architecture supports both enforcing and observe-only deployment modes; the latter records agent permission requests that are inconsistent with the task context, producing a behavioral signal usable in misalignment research.
As a first step toward evaluating this architecture, we contribute a synthetic dataset of 600 enterprise task prompts grounded in a multi-department company policy, labeled with the minimum required permissions across a 15-permission tool-based taxonomy designed to map directly to deployable credentials or enforceable guardrails. The dataset is constructed via a two-pass pipeline that separates prompt generation from permission labeling to avoid circularity, and is validated against a 60-record human-reviewed sample (Cohen's $\kappa = 0.967$ post-adjudication). Iterating between dataset and policy reduced ceiling violations from 46 to 3, a 93\% reduction. This does not demonstrate the architecture's performance, but it shows that synthetic prompt generation can drive policy refinement when the two are developed together. The dataset, environment specification, and generation pipeline are released to support evaluation of dynamic scoping mechanisms by the broader community.
Track: Regular Paper (9 pages)
Email Sharing: We authorize the sharing of all author emails with Program Chairs.
Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.
Submission Number: 60