{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:7PZFUWQOSDFCUEL5PBDZBOGS53","short_pith_number":"pith:7PZFUWQO","schema_version":"1.0","canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","source":{"kind":"arxiv","id":"2504.11703","version":3},"attestation_state":"computed","paper":{"title":"Progent: Securing AI Agents with Privilege Control","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Dawn Song, Hongwei Li, Jingxuan He, Linyu Wu, Tianneng Shi, Wenbo Guo, Zhun Wang","submitted_at":"2025-04-16T01:58:40Z","abstract_excerpt":"AI agents interact with external environments through tool calls, exposing them to attacks like indirect prompt injection that can trigger unauthorized actions. Securing these agents is challenging: they behave autonomously and probabilistically, security requirements evolve depending on the user's task and execution state, and there is an inherent tradeofff between security and utility.\n  In this work, we introduce Progent, a novel framework that secures AI agents via privilege control. Progent represents privilege as a security policy consisting of symbolic rules over tool names and argument"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2504.11703","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"1a37f4ddb131c3b9853b287250dcf0241b2432cb4fced885e02ea51cab7f8c59","abstract_canon_sha256":"c82339ac3d48c83c2b8667eb8cd0452b3780c947d1ee8c9b777f15241f093e7e"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:18.129996Z","signature_b64":"s+3i90Q2InUsuNOw/XCB5x9bVmP53yF+A93x5sydAe2rLakWN80ItAA7WUUbT6iR6Q1dkwojvGLTYgEhLeeLAA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","last_reissued_at":"2026-05-17T23:39:18.129227Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:18.129227Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Progent: Securing AI Agents with Privilege Control","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Dawn Song, Hongwei Li, Jingxuan He, Linyu Wu, Tianneng Shi, Wenbo Guo, Zhun Wang","submitted_at":"2025-04-16T01:58:40Z","abstract_excerpt":"AI agents interact with external environments through tool calls, exposing them to attacks like indirect prompt injection that can trigger unauthorized actions. Securing these agents is challenging: they behave autonomously and probabilistically, security requirements evolve depending on the user's task and execution state, and there is an inherent tradeofff between security and utility.\n  In this work, we introduce Progent, a novel framework that secures AI agents via privilege control. Progent represents privilege as a security policy consisting of symbolic rules over tool names and argument"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2504.11703","kind":"arxiv","version":3},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2504.11703","created_at":"2026-05-17T23:39:18.129345+00:00"},{"alias_kind":"arxiv_version","alias_value":"2504.11703v3","created_at":"2026-05-17T23:39:18.129345+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.11703","created_at":"2026-05-17T23:39:18.129345+00:00"},{"alias_kind":"pith_short_12","alias_value":"7PZFUWQOSDFC","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"7PZFUWQOSDFCUEL5","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"7PZFUWQO","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":25,"internal_anchor_count":25,"sample":[{"citing_arxiv_id":"2605.21694","citing_title":"PocketAgents: A Manifest-Driven Library of Autonomous Defense Agents","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19192","citing_title":"Hallucination as Exploit: Evidence-Carrying Multimodal Agents","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":67,"is_internal_anchor":true},{"citing_arxiv_id":"2605.16471","citing_title":"From AI-Generated Content to Agentic Action: Security and Safety Threats in Generative AI","ref_index":119,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19192","citing_title":"Hallucination as Exploit: Evidence-Carrying Multimodal Agents","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18991","citing_title":"Agent Security is a Systems Problem","ref_index":67,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14859","citing_title":"Do Coding Agents Understand Least-Privilege Authorization?","ref_index":17,"is_internal_anchor":true},{"citing_arxiv_id":"2602.03117","citing_title":"AgentDyn: Are Your Agent Security Defenses Deployable in Real-World Dynamic Environments?","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2602.16708","citing_title":"Formal Policy Enforcement for Real-World Agentic Systems","ref_index":56,"is_internal_anchor":true},{"citing_arxiv_id":"2603.09002","citing_title":"Security Considerations for Multi-agent Systems","ref_index":89,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14421","citing_title":"MemLineage: Lineage-Guided Enforcement for LLM Agent Memory","ref_index":17,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13044","citing_title":"No Attack Required: Semantic Fuzzing for Specification Violations in Agent Skills","ref_index":33,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10907","citing_title":"Engineering Robustness into Personal Agents with the AI Workflow Store","ref_index":51,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11360","citing_title":"Options, Not Clicks: Lattice Refinement for Consent-Driven MCP Authorization","ref_index":43,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11039","citing_title":"The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10907","citing_title":"Engineering Robustness into Personal Agents with the AI Workflow Store","ref_index":51,"is_internal_anchor":true},{"citing_arxiv_id":"2604.02375","citing_title":"KAIJU: An Executive Kernel for Intent-Gated Execution of LLM Agents","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2605.06393","citing_title":"Constraining Host-Level Abuse in Self-Hosted Computer-Use Agents via TEE-Backed Isolation","ref_index":40,"is_internal_anchor":true},{"citing_arxiv_id":"2605.05868","citing_title":"SkillScope: Toward Fine-Grained Least-Privilege Enforcement for Agent Skills","ref_index":50,"is_internal_anchor":true},{"citing_arxiv_id":"2605.05501","citing_title":"SOCpilot: Verifying Policy Compliance for LLM-Assisted Incident Response","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2605.05274","citing_title":"Sealing the Audit-Runtime Gap for LLM Skills","ref_index":36,"is_internal_anchor":true},{"citing_arxiv_id":"2604.19657","citing_title":"An AI Agent Execution Environment to Safeguard User Data","ref_index":60,"is_internal_anchor":true},{"citing_arxiv_id":"2604.07536","citing_title":"TRUSTDESC: Preventing Tool Poisoning in LLM Applications via Trusted Description Generation","ref_index":63,"is_internal_anchor":true},{"citing_arxiv_id":"2604.14723","citing_title":"Bounded Autonomy for Enterprise AI: Typed Action Contracts and Consumer-Side Execution","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2604.15579","citing_title":"Symbolic Guardrails for Domain-Specific Agents: Stronger Safety and Security Guarantees Without Sacrificing Utility","ref_index":61,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53","json":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53.json","graph_json":"https://pith.science/api/pith-number/7PZFUWQOSDFCUEL5PBDZBOGS53/graph.json","events_json":"https://pith.science/api/pith-number/7PZFUWQOSDFCUEL5PBDZBOGS53/events.json","paper":"https://pith.science/paper/7PZFUWQO"},"agent_actions":{"view_html":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53","download_json":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53.json","view_paper":"https://pith.science/paper/7PZFUWQO","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2504.11703&json=true","fetch_graph":"https://pith.science/api/pith-number/7PZFUWQOSDFCUEL5PBDZBOGS53/graph.json","fetch_events":"https://pith.science/api/pith-number/7PZFUWQOSDFCUEL5PBDZBOGS53/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/action/timestamp_anchor","attest_storage":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/action/storage_attestation","attest_author":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/action/author_attestation","sign_citation":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/action/citation_signature","submit_replication":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/action/replication_record"}},"created_at":"2026-05-17T23:39:18.129345+00:00","updated_at":"2026-05-17T23:39:18.129345+00:00"}