PACT (Provenance-Aware Capability Contracts) addresses a granularity mismatch in agent security: existing defenses mediate trust at the whole-tool-call level, but indirect prompt injection becomes dangerous only when untrusted content determines an authority-bearing argument (like a file path or command). PACT assigns semantic roles to each tool argument, tracks where each value came from across replanning steps, and checks whether the origin satisfies that argument's trust contract. This achieves 100% security on diagnostic suites while recovering 38-46% utility (8-16 points above the baseline CaMeL) on full AgentDojo deployments.
Main takeaways:
- The problem isn't untrusted content appearing in context—it's untrusted content controlling authority-bearing arguments like destinations, commands, or file paths
- PACT tracks value provenance (where did this argument's value come from?) and checks it against semantic role contracts (what level of trust does this argument position require?)
- Under oracle provenance, achieves perfect utility and security; in real deployments, hits 100% security on top models while recovering substantially more utility than invocation-level monitors
- Both semantic roles and cross-step provenance tracking are necessary—ablations show you can't remove either component
- Reframes agent security as an authority-binding problem and isolates the remaining bottleneck to provenance inference and contract synthesis