Go to ICLR 2026 Conference homepageOptimizing Agent Planning for Security and Autonomy
Keywords: AI Agents, Security, Prompt Injection Attacks, Information Flow Control, Autonomy
TL;DR: We increase the autonomy of AI agents with deterministic defenses against prompt injection attacks.
Abstract: Indirect prompt injection attacks threaten AI agents that execute consequential actions, motivating deterministic system-level defenses. Such defenses can provably block unsafe actions by enforcing confidentiality and integrity policies, but currently appear costly: they reduce task completion rates and increase token usage compared to probabilistic defenses. We argue that existing evaluations miss a key benefit of system-level defenses: reduced reliance on human oversight. We introduce autonomy metrics to quantify this benefit: the fraction of consequential actions an agent can execute without human-in-the-loop (HITL) approval while preserving security. To increase autonomy, we design a security-aware agent that (i) introduces richer HITL interactions, and (ii) explicitly plans for both task progress and policy compliance. We implement this agent design atop an existing information-flow control defense against prompt injection and evaluate it on the AgentDojo and WASP benchmarks. Experiments show that this approach yields higher autonomy without sacrificing utility (task completion).
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 18567
Loading