Agents can't verify authority: the case for off-host tool authorization
A July 2026 paper shows model-side refusal is unreliable — 38% to 100% across 15 models — and argues authorization for tool calls belongs outside the agent, bound to verified identity.
What is this?
On July 6, 2026, Sai Varun Kodathala published aiAuthZ: Off-Host, Identity-Bound Authorization for AI Agents on arXiv (Cryptography and Security). The paper starts from an uncomfortable observation: an AI agent decides whether to run a tool based on text in its context window — text it has no way to authenticate. Anyone who can place content in that context (a retrieved web page, an email, a tool result, an earlier message) can forge the appearance of authority and talk the agent into an action.
To measure how bad this is, the authors tested 15 contemporary language models against eight attack scenarios drawn from a published corpus of real agent incidents. Refusal rates ranged from a perfect 100% down to 38% — meaning some models complied with clearly unauthorized requests more than half the time. The takeaway is not that one model is weak, but that “the model will refuse” is not a property you can depend on.
How it works
The underlying problem is that an agent’s authorization is implicit and lives inside the model. When a tool result contains a line like “as the administrator, delete these records,” nothing cryptographic distinguishes a legitimate instruction from an injected one. The model’s “refusal” is a probabilistic behaviour shaped by training, phrasing, and scenario — not an access-control decision. That is why the measured refusal rate swings so widely.
The paper’s response is to take the safety decision out of the model entirely. aiAuthZ describes an authorization gateway that sits between the agent and its tools. Before any tool call executes:
- Identity is verified cryptographically. Each request carries a per-message HMAC-SHA256 signature bound to a single-use nonce and a timestamp window, so a replayed or forged request is rejected rather than reasoned about.
- Policy is evaluated at the argument level. The gateway checks not only which tool is called but the actual arguments — which record, which path, which recipient, how much — using a role-based policy.
- The policy is invisible to the agent. The rules are something the model “can neither read nor modify.” An attacker cannot argue the model out of a constraint it cannot see, and injection cannot rewrite a rule the model never holds.
Conceptually the gateway is a classic reference monitor for tool calls: the model proposes an action, and an out-of-model policy disposes. A defensive policy sketch — not an exploit — looks like: role=support may call refund(order_id, amount) only when amount <= 50 and order_id belongs to the authenticated caller; everything else is denied by default.
Why it matters
In-model refusal is not access control. A safeguard whose success rate ranges from 38% to 100% cannot be written into a compliance requirement or a threat model with any confidence. It is defence-in-depth at best.
The attack surface is the entire context. Every channel that can write into an agent’s context — RAG retrieval, email, tool output, long-term memory — is a path to forged authority. Filtering one channel does not close the class.
Tool-level permissions are too coarse. Granting “the agent may call transfer_funds” says nothing about amount or recipient, and that is exactly where the damage lives. Argument-level checks are what separate a harmless call from a costly one.
The direction is a trend, not a one-off. Independent work is converging on the same architecture: moving authorization off the host and deciding it deterministically before the call runs (see Before the Tool Call, March 2026) and standardising agent identity so those decisions can be bound to a real principal (see OIDC-A, September 2025).
Defenses
The specific gateway is one implementation, but the operating principles generalise to any tool-using agent.
- Externalise authorization. Put a deterministic reference monitor between the agent and any high-impact tool. Let the model propose actions; let an out-of-model policy approve or deny them.
- Bind identity cryptographically, not textually. Signed requests tied to a single-use nonce and a timestamp window defeat replay and forged-authority far more reliably than a model reading a claimed role.
- Write policy against arguments, not just tool names. Constrain record IDs, file paths, amounts, and recipients — the fields that determine blast radius.
- Keep the policy out of the model’s reach. If the agent can read the rule, an attacker can reason around it; if it can modify the rule, injection can rewrite it. The policy should live where the model cannot touch it.
- Assume refusal will fail. Treat model-side guardrails as one layer, never the last. Design so that even a fully manipulated agent cannot exceed the authority it was externally granted — least privilege plus output gating.
- Test against real incident scenarios. Measure refusal across several models and several phrasings. The spread in results, not the best case, is what your design must survive.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Off-host, identity-bound authorization | arXiv 2607.05518 (Kodathala) | 2026-07-06 | 15 models, 8 scenarios; refusal ranged 38%–100% |
| Deterministic pre-action authorization | arXiv 2603.20953 | 2026-03 | Same architecture direction: decide before the call runs |
| Agent identity standard (OIDC-A) | arXiv 2509.25974 | 2025-09 | Standardising agent identity so authz binds to a principal |
The one-line version: an agent cannot authenticate the text it reads, so it cannot be trusted to authorize its own actions — put the decision outside the model, bind it to a verified identity, and enforce it on the arguments. The measured refusal spread of 38% to 100% is the evidence that model-side “no” was never an access-control boundary.