system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

Argument-level provenance stops injection where whole-call defenses fail

A May 2026 paper argues indirect injection only turns dangerous when untrusted data binds an authority-bearing argument. PACT checks provenance per argument, recovering utility at full security.

2026-07-03 // 7 min affects: llm-agents, agentdojo, tool-using-agents

What is this?

On May 11, 2026, researchers from Renmin University of China, KAUST, Dongbei University of Finance and Economics and USTC published The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck. Its central claim reframes how we think about indirect prompt injection: the danger is not that untrusted text appears in an agent’s context, but that untrusted text is allowed to determine an authority-bearing argument of a privileged tool call.

Indirect prompt injection is the case where an agent reads third-party data — a web page, an email, a retrieved file, an API response — and that data carries instructions the attacker wants executed. The user’s task is legitimate; the data channel is not. The paper’s contribution is to locate the security boundary more precisely than prior work, and to build a runtime monitor around that boundary.

How it works

The paper’s starting observation is a granularity mismatch. Most existing defenses mediate trust at the level of a whole tool invocation — they decide to allow or block an entire call. Consider an agent asked to summarize a web page and email the summary to a fixed recipient. The page is supposed to determine the email body; that is the task. It must never determine the recipient. A flat policy over a call like send_email(recipient, body) cannot express that distinction. Block the call whenever any argument depends on the page and you destroy the benign retrieve-then-act workflow; allow it and an injected instruction can redirect the recipient to an attacker.

The authors’ answer is PACT (Provenance-Aware Capability Contracts), a runtime monitor that moves enforcement inside the tool call. Each tool gets an argument-level contract that assigns semantic roles — target, command, credential, content — to its arguments. As the agent runs, PACT tracks where each value came from across replanning steps, and before every invocation it checks whether an argument’s origin satisfies the trust requirement its role demands. External data is permitted to fill a content field such as a summary or report body, but blocked from binding an authority-bearing field such as a recipient, URL, shell command, database query, file path or credential. Crucially, PACT is not a detector for malicious-looking strings — it is a structural constraint on what untrusted data is allowed to control, so it holds even when hostile text is not perfectly identified.

The reported results support the framing. Under oracle provenance on mixed-trust diagnostic suites, PACT reaches 100% utility and 100% security, while flat invocation-level monitors incur false positives, false negatives, or both. In full AgentDojo deployments across five models with automatic provenance inference, PACT hits 100% security on the three strongest models while recovering 38.1–46.4% utility, 8–16 points above the CaMeL baseline at the same security level. Ablations show both ingredients are load-bearing: remove semantic roles and benign utility collapses; remove cross-step provenance and security fails.

Why it matters

The practical lesson is about where to draw trust boundaries. Whole-call defenses force a brittle either/or between security and usefulness precisely because a single tool call often mixes trusted and untrusted arguments. Reframing injection as authority binding dissolves that tradeoff in principle. PACT also names its own remaining weak spot honestly: the deployment gap concentrates in provenance inference and contract synthesis — deciding each argument’s role and tracing its origin correctly — rather than in the enforcement policy itself. That is a more tractable target than “make the model ignore hostile text.”

Defenses

Concrete takeaways you can apply now:

  • Move the trust decision below the tool call. Ask not “did untrusted data influence this call?” but “which argument did it influence, and is that role allowed to carry external data?” Let external content fill content-bearing fields while forbidding it from binding recipients, commands, paths, queries or credentials.
  • Classify tool arguments by authority. For every tool your agent can call, label which arguments direct authority (where an action goes, what runs) versus which merely carry content. This inventory is the prerequisite for argument-level enforcement.
  • Track provenance across replanning, not just one step. Injection often lands several tool calls before the dangerous action. Enforcement that only inspects the immediate call misses laundered values; carry origin labels through the whole chain.
  • Treat this as complementary, not a silver bullet. Argument-role contracts constrain authority binding even when a malicious string slips through, but they do not stop harmful content inside a legitimately external content field, nor errors in role assignment. Layer them with content filtering, information-flow control and system-level access policies.

Status

The work is a research preprint (arXiv 2605.11039, submitted May 11, 2026), evaluated on the open AgentDojo benchmark and compared against CaMeL and information-flow baselines. It is a defensive method, not a disclosed product vulnerability: there is no CVE and no patch to apply. The reported numbers are the authors’ own and await independent replication.

Sources