This position paper argues that the Authorization-Execution Gap (AEG)—the divergence between what a user intends to authorize and what an open-world agent actually executes—is a major safety and security problem. Because agents act autonomously across tools, persistent state, and multi-agent handoffs, small authorization divergences can cause irreversible harm. The authors trace observed failures to three structural sources: delegation-level incompleteness (incomplete task specification), channel-level corruption (prompt injection or data poisoning), and composition-level fragmentation (handoffs across agents or tools that lose context). They argue that defenses must diagnose the structural source during execution, not just filter upfront or audit afterward, and that papers should report process-level evidence of where AEG was detected and attributed, not just outcome metrics.
Main takeaways:
- The Authorization-Execution Gap (AEG) is the divergence between what a user intends to authorize and what an agent executes; small gaps can cause irreversible harm in open-world agents.
- Three structural sources: delegation-level incompleteness (incomplete task spec), channel-level corruption (injection/poisoning), and composition-level fragmentation (handoffs losing context).
- The same observed failure can arise from any source, so symptom-targeted defenses don't address the underlying cause without source-oriented diagnosis.
- Defenses should check authorization integrity during execution, not just filter upfront or audit afterward, because AEG arises dynamically.
- Papers on open-world agents should report process-level evidence (where AEG was detected and attributed) alongside outcome metrics like task success or attack resistance.