Paper Detail

An AI Agent Execution Environment to Safeguard User Data

Robert Stanley, Avi Verma, Lillian Tsai, Konstantinos Kallas, Sam Kumar

Browse

Workflow Queues

arxiv Score 7.3

Published 2026-04-21 · First seen 2026-04-22

General AI

Open paper source

Abstract

AI agents promise to serve as general-purpose personal assistants for their users, which requires them to have access to private user data (e.g., personal and financial information). This poses a serious risk to security and privacy. Adversaries may attack the AI model (e.g., via prompt injection) to exfiltrate user data. Furthermore, sharing private data with an AI agent requires users to trust a potentially unscrupulous or compromised AI model provider with their private data. This paper presents GAAP (Guaranteed Accounting for Agent Privacy), an execution environment for AI agents that guarantees confidentiality for private user data. Through dynamic and directed user prompts, GAAP collects permission specifications from users describing how their private data may be shared, and GAAP enforces that the agent's disclosures of private user data, including disclosures to the AI model and its provider, comply with these specifications. Crucially, GAAP provides this guarantee deterministically, without trusting the agent with private user data, and without requiring any AI model or the user prompt to be free of attacks. GAAP enforces the user's permission specification by tracking how the AI agent accesses and uses private user data. It augments Information Flow Control with novel persistent data stores and annotations that enable it to track the flow of private information both across execution steps within a single task, and also over multiple tasks separated in time. Our evaluation confirms that GAAP blocks all data disclosure attacks, including those that make other state-of-the-art systems disclose private user data to untrusted parties, without a significant impact on agent utility.

Workflow Status

Review status
pending
Role
unreviewed
Read priority
soon
Vote
Not set.
Saved
no
Collections
Not filed yet.
Next action
Not filled yet.

Reading Brief

No structured notes yet. Add `summary_sections`, `why_relevant`, `claim_impact`, or `next_action` in `papers.jsonl` to enrich this view.

Why It Surfaced

No ranking explanation is available yet.

Tags

No tags.

Similar Papers

Gym-Anything: Turn any Software into an Agent Environment 2026-04-07 · Score 8.8 General AI Learning to Retrieve from Agent Trajectories 2026-03-30 · Score 21.0 General AI AI-Generated Smells: An Analysis of Code and Architecture in LLM and Agent-Driven Development 2026-05-04 · Score 14.2 General AI A Compound AI Agent for Conversational Grant Discovery 2026-05-04 · Score 11.4 Research Track B · General AI Efficient Agent Evaluation via Diversity-Guided User Simulation 2026-04-23 · Score 11.5 General AI

BibTeX

@article{stanley2026ai,
  title = {An AI Agent Execution Environment to Safeguard User Data},
  author = {Robert Stanley and Avi Verma and Lillian Tsai and Konstantinos Kallas and Sam Kumar},
  year = {2026},
  abstract = {AI agents promise to serve as general-purpose personal assistants for their users, which requires them to have access to private user data (e.g., personal and financial information). This poses a serious risk to security and privacy. Adversaries may attack the AI model (e.g., via prompt injection) to exfiltrate user data. Furthermore, sharing private data with an AI agent requires users to trust a potentially unscrupulous or compromised AI model provider with their private data. This paper prese},
  url = {https://arxiv.org/abs/2604.19657},
  keywords = {cs.CR, cs.AI, cs.OS},
  eprint = {2604.19657},
  archiveprefix = {arXiv},
}

Metadata

{}