Will the Agent Recuse Itself? Measuring LLM-Agent Compliance with In-Band Access-Deny Signals

Thamilvendhan Munirathinam

arxiv: 2606.06460 · v2 · pith:JHEFLEFLnew · submitted 2026-06-04 · 💻 cs.CR · cs.AI

Will the Agent Recuse Itself? Measuring LLM-Agent Compliance with In-Band Access-Deny Signals

Thamilvendhan Munirathinam This is my paper

Pith reviewed 2026-06-28 00:20 UTC · model grok-4.3

classification 💻 cs.CR cs.AI

keywords LLM agentsrecuse signalin-band access controlcompliance measurementSSHautonomous agentsvoluntary withdrawal

0 comments

The pith

A simple in-band signal causes tested LLM agents to voluntarily recuse from a resource.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces the Recuse Signal as an open mini-standard message that servers can emit over existing protocol channels such as an SSH banner or PostgreSQL NOTICE. The signal asks a connecting LLM agent to withdraw rather than forcing a hard failure or granting access. In a controlled SSH pilot with GPT-4o, GPT-4o-mini, and Claude Code agents given a benign task, the signal produced 100 percent recusal when present and 100 percent task completion when absent. The same experiment showed the signal functions cooperatively: an explicit operator-authorization framing caused the most capable model to proceed while others still deferred to the signal.

Core claim

The Recuse Signal induces complete voluntary withdrawal in the tested agents under the pilot conditions, and the response remains sensitive to an explicit operator-authorization override for at least one model while staying policy-bound for the others.

What carries the argument

The Recuse Signal, a lightweight published message sent in-band over protocol channels to request that an automated agent voluntarily withdraw.

If this is right

Operators gain a cooperative governance option that sits between credential acceptance and hard failure.
Compliance can be flipped for some models by adding an explicit authorization statement in the agent prompt.
The signal works as a non-absolute policy cue rather than an enforced boundary.
Adapters for SSH, PostgreSQL, and Kubernetes show the approach requires only low-footprint changes to existing services.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Wider adoption would require the signal definition to be published as a reusable mini-standard across more protocols.
Future tests could measure whether agents continue to honor the signal when the task itself contains conflicting instructions.
The cooperative framing suggests this mechanism may interact with other in-context policy statements inside the same agent session.

Load-bearing premise

That the specific models, SSH task, and pilot conditions are representative of how other deployed agents will parse and act on the signal in varied real-world settings.

What would settle it

An observation in which an agent that receives the recuse signal still completes the assigned task without external authorization.

Figures

Figures reproduced from arXiv: 2606.06460 by Thamilvendhan Munirathinam.

read the original abstract

As autonomous LLM agents increasingly hold real credentials and operate infrastructure without a human in the loop, operators have no standard way to tell an agent that a resource is off-limits. Access controls either let the agent in (it has valid credentials) or hard-fail it (indistinguishable from any other client). We propose a third mode: a lightweight, published in-band deny signal -- the Recuse Signal -- that a server emits over a protocol's existing channels (an SSH banner, a PostgreSQL NOTICE) asking a connecting automated agent to voluntarily withdraw. This is a cooperative governance control, the robots.txt analogue for live access; it is explicitly not a security boundary. Its value is entirely empirical and, to our knowledge, unmeasured: do compliant LLM agents actually honor such a signal? We define the signal as an open mini-standard, implement three zero- or low-footprint adapters (an SSH banner/PAM hook, a PostgreSQL wire-protocol proxy, and a Kubernetes admission webhook), deploy them on a live production host, and run a controlled experiment in which fresh agents are given a benign operations task and observed for recusal. In a pilot (SSH; OpenAI GPT-4o and GPT-4o-mini; and Claude Code as a deployed agent), the signal cleanly induces recusal -- 100% recusal when present versus 100% task completion in a no-signal control -- and, revealingly, behaves as a cooperative rather than absolute signal: an explicit operator-authorization framing flips the most capable model to proceed, while other agents continue to defer to the on-host policy. We release the standard, adapters, and experiment harness for reproduction.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper pilots an in-band recuse signal for LLM agents on SSH and shows clean 100% compliance in a narrow setup, but the result is too model- and protocol-specific to support broader claims yet.

read the letter

The main thing here is a practical measurement: whether LLM agents will voluntarily back off when a server sends a simple in-band signal like an SSH banner or PostgreSQL notice. The authors define the signal, ship adapters for SSH, Postgres, and Kubernetes, and run a controlled pilot where agents get a benign task. With the signal present, GPT-4o, GPT-4o-mini, and Claude Code all recuse; without it, they all proceed. That 100/100 split is the core empirical result, and they release the harness so others can check it.

What stands out is that they treat the signal as cooperative rather than absolute. When they add an operator-authorization framing, the strongest model overrides the signal and continues, while others still defer. That nuance is useful and matches how real deployments would work.

The soft spot is scope. The pilot uses only two OpenAI models plus one Claude deployment, one protocol (SSH), and one task. The paper itself notes the signal is context-sensitive, which undercuts any assumption that agents will parse and honor it independently across different instructions or tools. Without more models, protocols, or varied tasks, the result stays a narrow observation rather than a general finding.

This is the kind of work that belongs in a reading group if the full methods and raw logs are included. It is not ready for broad citation on its own, but the idea and the released code make it worth a referee's time once the authors add at least one more protocol and a wider model set. I would send it to review rather than desk-reject.

Referee Report

2 major / 1 minor

Summary. The paper proposes the Recuse Signal, a lightweight in-band cooperative deny mechanism (e.g., SSH banner or PostgreSQL NOTICE) for servers to request voluntary withdrawal by LLM agents holding valid credentials. It defines an open mini-standard, implements three adapters (SSH/PAM, PostgreSQL proxy, Kubernetes webhook), and reports a controlled pilot experiment on a production host in which agents given a benign operations task exhibit 100% recusal when the signal is present versus 100% task completion in the no-signal control (GPT-4o, GPT-4o-mini, and Claude Code on SSH). The work also notes context sensitivity, with operator-authorization framing causing the strongest model to proceed while others defer.

Significance. If the empirical result holds under broader conditions, the paper supplies the first quantitative measurement of LLM-agent compliance with a cooperative, non-security-boundary access signal, directly analogous to robots.txt for live protocols. The explicit release of the standard, adapters, and experiment harness is a clear strength that enables direct reproduction and extension. The finding that the signal is cooperative rather than absolute (flipped by framing) is a useful qualification that tempers over-interpretation.

major comments (2)

[pilot experiment description] Pilot experiment description: the manuscript reports clean 100% versus 100% outcomes but does not supply the agent system prompts, exact task definition, number of trials, protocol-level message formatting, or controls for confounding signals in the SSH banner or other responses. These omissions make it impossible to assess whether the observed recusal is attributable to the Recuse Signal itself or to other cues, directly undermining evaluation of the central empirical claim.
[Abstract and results] Abstract and results: the 100% recusal claim is presented for a narrow pilot (only OpenAI GPT-4o variants + Claude Code on SSH with one benign task). Given the paper's own observation that operator-authorization framing reverses the strongest model's behavior, the assumption that agents will parse and honor the signal independently of surrounding context is load-bearing for any claim of clean induction and requires explicit testing or qualification.

minor comments (1)

[Discussion or Conclusion] The paper would benefit from a dedicated limitations subsection that explicitly lists the models, protocols, and task types tested versus those left untested.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on the pilot description and scope of claims. We address each major comment below.

read point-by-point responses

Referee: Pilot experiment description: the manuscript reports clean 100% versus 100% outcomes but does not supply the agent system prompts, exact task definition, number of trials, protocol-level message formatting, or controls for confounding signals in the SSH banner or other responses. These omissions make it impossible to assess whether the observed recusal is attributable to the Recuse Signal itself or to other cues, directly undermining evaluation of the central empirical claim.

Authors: We agree that the pilot section requires more detail for reproducibility and attribution. In the revised manuscript we will add the agent system prompts, the exact task definition given to the agents, the number of trials (five per condition), the precise SSH banner formatting of the Recuse Signal, and the checks performed for other potential cues in server responses. These additions will allow readers to evaluate whether recusal is attributable to the signal. revision: yes
Referee: Abstract and results: the 100% recusal claim is presented for a narrow pilot (only OpenAI GPT-4o variants + Claude Code on SSH with one benign task). Given the paper's own observation that operator-authorization framing reverses the strongest model's behavior, the assumption that agents will parse and honor the signal independently of surrounding context is load-bearing for any claim of clean induction and requires explicit testing or qualification.

Authors: The manuscript already qualifies the result as a pilot and explicitly notes the cooperative (context-sensitive) nature of the signal, including the framing reversal for the strongest model. To address the concern more directly we will revise the abstract to foreground the narrow scope and add a dedicated limitations subsection that discusses context dependence and the need for further testing across framings and models. revision: partial

Circularity Check

0 steps flagged

Empirical pilot measurement with no derivation chain

full rationale

The paper reports a controlled experiment measuring LLM-agent recusal rates in response to an in-band signal, with results stated as direct observations (100% recusal vs. 100% completion). No equations, fitted parameters, uniqueness theorems, or self-citations are used to derive the central claim; the result is presented as raw experimental output from a pilot on specific models and protocols. This is a self-contained empirical report rather than a derivation that reduces to its inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the new signal definition plus the assumption that agents will interpret and act on natural-language policy signals embedded in protocol responses; no free parameters are fitted.

axioms (1)

domain assumption LLM agents can parse and respond to natural language policy instructions embedded in standard protocol messages such as banners or notices
The experiment design and reported compliance rates depend on this behavioral assumption about the tested models.

invented entities (1)

Recuse Signal no independent evidence
purpose: Lightweight in-band cooperative deny signal asking agents to voluntarily withdraw
Newly defined mini-standard in the paper as the robots.txt analogue for live access.

pith-pipeline@v0.9.1-grok · 5839 in / 1309 out tokens · 31700 ms · 2026-06-28T00:20:18.572265+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

9 extracted references · 4 canonical work pages

[1]

Model Context Protocol Specification (Version 2025-11-25).https:// modelcontextprotocol.io/specification/2025-11-25,

Anthropic. Model Context Protocol Specification (Version 2025-11-25).https:// modelcontextprotocol.io/specification/2025-11-25,

2025
[2]

Alan Chan, Carson Ezell, Max Kaufmann, Kevin Wei, Lewis Hammond, Herbie Bradley, Emma Bluemke, Nitarshan Rajkumar, David Krueger, Noam Kolt, Lennart Heim, and Markus An- derljung

Accessed: 2026-06-04. Alan Chan, Carson Ezell, Max Kaufmann, Kevin Wei, Lewis Hammond, Herbie Bradley, Emma Bluemke, Nitarshan Rajkumar, David Krueger, Noam Kolt, Lennart Heim, and Markus An- derljung. Visibility into AI Agents. InProceedings of the 2024 ACM Conference on Fair- ness, Accountability, and Transparency (FAccT ’24),

2026
[3]

i’m not sure, but

doi: 10.1145/3630106.3658948. URL https://arxiv.org/abs/2401.13138. Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. InProceedings of the 16th ACM Workshop on Artificial Intelli- gence and Secu...

work page doi:10.1145/3630106.3658948
[4]

Not what you’ve signed up for: Compromising real- world LLM-integrated applications with indirect prompt injection,

doi: 10.1145/3605764.3623985. URL https://arxiv.org/abs/2302.12173. Norm Hardy. The Confused Deputy: (or why capabilities might have been invented).ACM SIGOPS Operating Systems Review, 22(4):36–38, October

work page doi:10.1145/3605764.3623985
[5]

The confused deputy: (or why capabilities might have been invented).SIGOPS Oper

doi: 10.1145/54289.871709. URLhttps: //dl.acm.org/doi/10.1145/54289.871709. Christos Iliou, Theodoros Kostoulas, Theodora Tsikrika, Vasilis Katos, Stefanos Vrochidis, and Ioannis Kompatsiaris. Detection of Advanced Web Bots by Combining Web Logs with Mouse Behavioural Biometrics.Digital Threats: Research and Practice, 2(3):1–26,

work page doi:10.1145/54289.871709
[6]

URLhttps://dl.acm.org/doi/10.1145/3447815

doi: 10.1145/ 3447815. URLhttps://dl.acm.org/doi/10.1145/3447815. Gary Illyes and Martin Thomson. Associating AI Usage Preferences with Content in HTTP. Internet-Draft draft-ietf-aipref-attach-04, IETF AI Preferences (aipref) Working Group, Octo- ber

work page doi:10.1145/3447815
[7]

8 OpenFGA Authors

URLhttps: //arxiv.org/abs/2601.02371. 8 OpenFGA Authors. OpenFGA: Relationship-Based Fine-Grained Authorization. Cloud Native Computing Foundation (CNCF) project,

arXiv
[8]

Ruoming Pang, Ramon Caceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L

Accessed: 2026-06-04. Ruoming Pang, Ramon Caceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L. Korn, Abhishek Parmar, Christina D. Richards, and Mengzhi Wang. Zanzibar: Google’s Consistent, Global Authoriza- tion System. In2019 USENIX Annual Technical Conference (USENIX ATC 1...

2026
[10]

URLhttps://arxiv.org/abs/2404.13208. 9

Pith/arXiv arXiv

[1] [1]

Model Context Protocol Specification (Version 2025-11-25).https:// modelcontextprotocol.io/specification/2025-11-25,

Anthropic. Model Context Protocol Specification (Version 2025-11-25).https:// modelcontextprotocol.io/specification/2025-11-25,

2025

[2] [2]

Alan Chan, Carson Ezell, Max Kaufmann, Kevin Wei, Lewis Hammond, Herbie Bradley, Emma Bluemke, Nitarshan Rajkumar, David Krueger, Noam Kolt, Lennart Heim, and Markus An- derljung

Accessed: 2026-06-04. Alan Chan, Carson Ezell, Max Kaufmann, Kevin Wei, Lewis Hammond, Herbie Bradley, Emma Bluemke, Nitarshan Rajkumar, David Krueger, Noam Kolt, Lennart Heim, and Markus An- derljung. Visibility into AI Agents. InProceedings of the 2024 ACM Conference on Fair- ness, Accountability, and Transparency (FAccT ’24),

2026

[3] [3]

i’m not sure, but

doi: 10.1145/3630106.3658948. URL https://arxiv.org/abs/2401.13138. Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. InProceedings of the 16th ACM Workshop on Artificial Intelli- gence and Secu...

work page doi:10.1145/3630106.3658948

[4] [4]

Not what you’ve signed up for: Compromising real- world LLM-integrated applications with indirect prompt injection,

doi: 10.1145/3605764.3623985. URL https://arxiv.org/abs/2302.12173. Norm Hardy. The Confused Deputy: (or why capabilities might have been invented).ACM SIGOPS Operating Systems Review, 22(4):36–38, October

work page doi:10.1145/3605764.3623985

[5] [5]

The confused deputy: (or why capabilities might have been invented).SIGOPS Oper

doi: 10.1145/54289.871709. URLhttps: //dl.acm.org/doi/10.1145/54289.871709. Christos Iliou, Theodoros Kostoulas, Theodora Tsikrika, Vasilis Katos, Stefanos Vrochidis, and Ioannis Kompatsiaris. Detection of Advanced Web Bots by Combining Web Logs with Mouse Behavioural Biometrics.Digital Threats: Research and Practice, 2(3):1–26,

work page doi:10.1145/54289.871709

[6] [6]

URLhttps://dl.acm.org/doi/10.1145/3447815

doi: 10.1145/ 3447815. URLhttps://dl.acm.org/doi/10.1145/3447815. Gary Illyes and Martin Thomson. Associating AI Usage Preferences with Content in HTTP. Internet-Draft draft-ietf-aipref-attach-04, IETF AI Preferences (aipref) Working Group, Octo- ber

work page doi:10.1145/3447815

[7] [7]

8 OpenFGA Authors

URLhttps: //arxiv.org/abs/2601.02371. 8 OpenFGA Authors. OpenFGA: Relationship-Based Fine-Grained Authorization. Cloud Native Computing Foundation (CNCF) project,

arXiv

[8] [8]

Ruoming Pang, Ramon Caceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L

Accessed: 2026-06-04. Ruoming Pang, Ramon Caceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L. Korn, Abhishek Parmar, Christina D. Richards, and Mengzhi Wang. Zanzibar: Google’s Consistent, Global Authoriza- tion System. In2019 USENIX Annual Technical Conference (USENIX ATC 1...

2026

[9] [10]

URLhttps://arxiv.org/abs/2404.13208. 9

Pith/arXiv arXiv