{"paper":{"title":"Securing AI Agents with Information-Flow Control","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Aashish Kolluri, Ahmed Salem, Andrew Paverd, Boris K\\\"opf, Lukas Wutschitz, Manuel Costa, Mark Russinovich, Santiago Zanella-B\\'eguelin, Shruti Tople","submitted_at":"2025-05-29T16:50:41Z","abstract_excerpt":"As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control (IFC) to provide security guarantees for AI agents. We present a formal model to reason about the security and expressiveness of agent planners. Using this model, we characterize the class of properties enforceable by dynamic taint-tracking and construct a taxonomy of tasks to evaluate security and utility trade-offs of planner designs. Informed by this exploration, we present Fides, a planner"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Fides enables us to complete a broad range of tasks with security guarantees.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"0fd9a257f067f3f5c355522bdc80929d837430b96535f236f9ef06ef00431249"},"source":{"id":"2505.23643","kind":"arxiv","version":2},"verdict":{"id":"3390cd10-73d3-4a0a-a20b-a9d766f3cf2b","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T11:50:59.663951Z","strongest_claim":"Fides enables us to complete a broad range of tasks with security guarantees.","one_line_summary":"Fides is an IFC-based planner that uses dynamic taint-tracking and novel hiding primitives to enforce security policies on AI agents with measurable task utility.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The formal model of agent planners and the taxonomy of tasks accurately capture real-world security and utility trade-offs.","pith_extraction_headline":"Fides applies information-flow control to AI agent planners to enforce security policies against prompt injection while preserving task utility."},"references":{"count":50,"sample":[{"doi":"","year":2025,"title":"Get my drift? catching llm task drift with activation deltas","work_id":"5d2032b0-d97c-478f-80d9-33c36aafee31","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Guidance: A guidance language for controlling large language models","work_id":"ee65f69d-7029-4bd2-bc06-d04f5b9b6c6c","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Computer Use (beta)","work_id":"12fb0611-dffd-4a06-9f4e-887ec59c46f1","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Ahsan Ayub and Subhabrata Majumdar","work_id":"522adc92-59e8-4925-99a2-af24467c9d9c","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"AI agents with formal security guarantees","work_id":"5757efd8-254e-478b-bcb1-a4918294d897","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":50,"snapshot_sha256":"b1cc49b9ae3deccd75cf92781bd7f04bb2893ae018dd463d528feb27bbd8248a","internal_anchors":0},"formal_canon":{"evidence_count":1,"snapshot_sha256":"b31e176abe782fc0c2350e92dd221c6500edfdb58ad35d2ec7264a2f2a561391"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}