Enterprise AI Analysis: Delegated Authorization for Agents Constrained to Semantic Task-to-Scope Matching

By Majed El Helou*, Chiara Troiani*, Benjamin Ryder*, Jean Diaconu†, Hervé Muyal†, Marcelo Yannuzzi†

Authorizing Large Language Model driven agents to dynamically invoke tools and access protected resources introduces significant risks, since current methods for delegating authorization grant overly broad permissions and give access to tools allowing agents to operate beyond the intended task scope. We introduce and assess a delegated authorization model enabling authorization servers to semantically inspect access requests to protected resources, and issue access tokens constrained to the minimal set of scopes necessary for the agents' assigned tasks. Given the unavailability of datasets centered on delegated authorization flows, particularly including both semantically appropriate and inappropriate scope requests for a given task, we introduce ASTRA, a dataset and data generation pipeline for benchmarking semantic matching between tasks and scopes. Our experiments show both the potential and current limitations of model-based matching, particularly as the number of scopes needed for task completion increases. Our results highlight the need for further research into semantic matching techniques enabling intent-aware authorization for multi-agent and tool-augmented applications, including fine-grained control, such as Task-Based Access Control (TBAC).

Executive Impact & Key Findings

This paper introduces a novel delegated authorization model for LLM-driven agents, focusing on semantic task-to-scope matching to mitigate risks of overly broad permissions. It proposes an architecture where authorization servers semantically inspect access requests, issuing granular access tokens. The ASTRA dataset and pipeline are introduced for benchmarking. Experimental results highlight the potential and limitations of model-based matching, especially as task complexity grows, emphasizing the need for intent-aware authorization and fine-grained access control like Task-Based Access Control (TBAC).

Deep Analysis & Enterprise Applications

Introducing Intent-Aware Authorization

LLM-driven agents present significant risks when they are granted overly broad permissions. This work proposes a delegated authorization model with semantic task-to-scope matching that issues access tokens constrained to the minimal necessary scopes, supporting fine-grained control such as Task-Based Access Control (TBAC).

Contextualizing Authorization for LLMs

Existing LLM tool selection benchmarks and delegated authorization protocols like OAuth 2.0 lack the semantic understanding needed for intent-aware access control. This paper bridges the gap by enabling authorization servers to interpret original user intent.

Semantic Task-to-Scope Matching

A new semantic, task-centric authorization model combines an authorization server with a trusted proxy. It uses an NLP semantic matching module (supported by a trusted LLM) to compare natural language task descriptions with requested tool/resource specifics, granting granular, ephemeral permissions.

ASTRA Dataset & Matcher Performance

The ASTRA dataset and pipeline were developed to benchmark semantic matching between tasks and scopes. Two approaches, Semantic Similarity Matcher (SemSimM) and LLM Reasoning Matcher (LLM-ResM), were evaluated on single-tool and multi-tool tasks.

Balancing Over- and Under-Scoping

LLM-ResM consistently outperformed SemSimM, especially in single-tool tasks. For multi-tool tasks, performance degraded with complexity, showing a trade-off between over-scoping (false positives) and under-scoping (false negatives).

Future of Agentic Authorization

The proposed architecture offers robust, fine-grained, and reliable task-based authorization for agent-driven systems. Future work includes expanding to multi-turn contexts, diversified data generation, and lighter-weight NLP techniques for improved scalability and usability.

Enterprise Process Flow: Delegated Authorization Flow with Semantic Matching

Our proposed model ensures granular access by embedding semantic task-to-scope matching within the authorization server workflow.

1. Subject requests Principal
2. Trusted Auth Proxy captures intent
3. Principal requests scopes (from LLM)
4. AuthZ Server matches task-to-scope
5. Access Token Issued (minimal scopes)
6. Agent accesses Protected Resource
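
The matching and token-issuing steps of this flow, and the over-/under-scoping trade-off a similarity threshold creates, as an added example that is not code from the paper or the ASTRA project. The bag-of-words `embed` function is a stand-in for a real embedding model, and the scope names, descriptions, task, thresholds and token fields are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed scope catalogue (hypothetical names): scope -> description.
SCOPES = {
    "calendar.read": "read calendar events",
    "calendar.write": "create or update calendar meeting events",
    "mail.send": "send email messages",
    "files.delete": "delete files from cloud storage",
}
STOPWORDS = {"a", "an", "and", "or", "the", "of", "for", "from", "to"}

def embed(text):
    # Bag-of-words stand-in for a sentence-embedding model (assumption).
    words = re.findall(r"[a-z]+", text.lower())
    return Counter(w for w in words if w not in STOPWORDS)

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def issue_token(task, requested, threshold=0.3):
    """Authorization-server step: grant only requested scopes matching the task."""
    task_vec = embed(task)
    granted, denied = [], []
    for scope in requested:
        desc = SCOPES.get(scope)
        # Scopes missing from the catalogue fail closed with score 0.
        score = cosine(task_vec, embed(desc)) if desc else 0.0
        (granted if score >= threshold else denied).append(scope)
    # Short lifetime models the ephemeral grant; 300 s is a constructed value.
    return {"scope": " ".join(granted), "denied": denied, "expires_in": 300}

def scoping_errors(token, needed):
    """Over-scoping: granted but not needed. Under-scoping: needed but not granted."""
    granted = set(token["scope"].split())
    return {"over": sorted(granted - set(needed)),
            "under": sorted(set(needed) - granted)}

# Constructed request: task as captured by the trusted proxy, scopes as asked by the agent.
TASK = "create a calendar meeting for tomorrow and send an email invite"
REQUESTED = ["calendar.read", "calendar.write", "mail.send", "files.delete", "admin.all"]
NEEDED = ["calendar.write", "mail.send"]

if __name__ == "__main__":
    for thr in (0.2, 0.3, 0.5):
        tok = issue_token(TASK, REQUESTED, thr)
        print(thr, tok["scope"], scoping_errors(tok, NEEDED))
```

Lowering the threshold to 0.2 grants `calendar.read` as well (over-scoping), while raising it to 0.5 drops `mail.send` (under-scoping), so the agent could not finish the task.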

Improved Security Posture

96% Accuracy with LLM-ResM on single-tool tasks (Val. Set)

| Feature | Traditional Authorization | Semantic Task-to-Scope Matching |
|---|---|---|
| Permission Granularity | Broad, static permissions | Fine-grained, dynamic, task-specific |
| Intent Understanding | Limited to explicit requests | Interprets natural language intent |
| Risk Mitigation | High over-scoping risk | Reduces over-scoping, prevents overreach |
| Dataset Support | Lacks specific benchmarks for agent intent | Introduces ASTRA dataset for evaluation |

ASTRA Dataset: Benchmarking Next-Gen Authorization

The ASTRA dataset and data generation pipeline are critical for benchmarking semantic matching between tasks and scopes. It uniquely includes both appropriate and inappropriate scope requests, allowing for robust evaluation of delegated authorization flows in realistic agentic scenarios. This enables detailed analysis of model-based matching capabilities and limitations, paving the way for advancements in intent-aware authorization for multi-agent applications.

Your Implementation Roadmap

A phased approach to integrate semantic task-to-scope matching into your AI agent workflows.

Phase 1: Discovery & Strategy

Conduct a thorough assessment of your existing agentic applications and authorization protocols. Define key use cases and scope the initial implementation for semantic matching.

Phase 2: Pilot Implementation & Integration

Deploy a pilot program using the ASTRA framework, integrating the semantic task-to-scope matching module with a subset of your agents and protected resources. Establish monitoring and feedback loops.

Phase 3: Scaled Deployment & Optimization

Expand the solution across your enterprise, iteratively refining semantic matching models and policies. Leverage insights from ASTRA benchmarking to continuously optimize for security and agent utility.
