English

Optimizing Agent Planning for Security and Autonomy

Cryptography and Security 2026-02-13 v1 Machine Learning

Abstract

Indirect prompt injection attacks threaten AI agents that execute consequential actions, motivating deterministic system-level defenses. Such defenses can provably block unsafe actions by enforcing confidentiality and integrity policies, but currently appear costly: they reduce task completion rates and increase token usage compared to probabilistic defenses. We argue that existing evaluations miss a key benefit of system-level defenses: reduced reliance on human oversight. We introduce autonomy metrics to quantify this benefit: the fraction of consequential actions an agent can execute without human-in-the-loop (HITL) approval while preserving security. To increase autonomy, we design a security-aware agent that (i) introduces richer HITL interactions, and (ii) explicitly plans for both task progress and policy compliance. We implement this agent design atop an existing information-flow control defense against prompt injection and evaluate it on the AgentDojo and WASP benchmarks. Experiments show that this approach yields higher autonomy without sacrificing utility.

Keywords

Cite

@article{arxiv.2602.11416,
  title  = {Optimizing Agent Planning for Security and Autonomy},
  author = {Aashish Kolluri and Rishi Sharma and Manuel Costa and Boris Köpf and Tobias Nießen and Mark Russinovich and Shruti Tople and Santiago Zanella-Béguelin},
  journal= {arXiv preprint arXiv:2602.11416},
  year   = {2026}
}

Comments

33 pages, 6 figures

R2 v1 2026-07-01T10:32:47.075Z