New Benchmarks Expose Security Gaps in Enterprise AI Agent Access Controls
Researchers published two papers on arXiv this week identifying a class of security failures in enterprise AI agent systems stemming from how access controls interact with agent reasoning when evidence is incomplete.
The first paper, “Partial Evidence Bench: Benchmarking Authorization-Limited Evidence in Agentic Systems,” introduces a 72-task deterministic benchmark designed to measure how AI agents behave when access control systems correctly restrict what information they can retrieve, according to the researchers. The benchmark covers three enterprise scenarios: due diligence, compliance audit and security incident response.
The researchers found that when restricted evidence is silently filtered — removed from an agent’s context without notification — the resulting outputs appear complete but may contain material errors: the agent produces confident answers that omit facts it was never allowed to see, with no indication to the end user that relevant evidence was withheld.
“Access control can be enforced correctly while the system still produces an answer that appears complete even though material evidence lies outside the caller’s authorization boundary,” the paper states.
A companion paper, “Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure,” formalizes what it calls a distinct security problem that emerges when multiple AI agents delegate tasks to one another across trust boundaries. The authors argue that this “authorization propagation” problem is separate from prompt injection and is not fully addressed by classical access control frameworks.
The authorization propagation paper identifies three sub-problems and proposes seven structural requirements for authorization architectures in multi-agent systems, where non-human principals retrieve data, delegate tasks and synthesize results across changing organizational boundaries.
Implications for U.S. Enterprise Deployments
The findings carry direct implications for U.S. companies deploying AI agents in regulated industries such as financial services, health care and government contracting, where incomplete evidence can lead to compliance violations, missed security threats or flawed due diligence conclusions.
Current U.S. frameworks, including the NIST AI Risk Management Framework, do not specifically address the failure mode identified by Partial Evidence Bench, the papers argue — situations where security controls function as designed but produce unsafe outcomes at the application layer. Both papers suggest that as agentic AI adoption expands across U.S. enterprises and federal agencies, authorization governance will need to be treated as core infrastructure rather than a secondary consideration.
The research also raises questions for AI providers building agent platforms and tool-use capabilities. If an agent cannot distinguish between “no relevant evidence exists” and “relevant evidence exists but you lack authorization to see it,” the system’s outputs may be unreliable for high-stakes decision-making — regardless of the underlying model’s capabilities.
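To make the distinction described above concrete, here is an added illustration (written for this article, not code from either paper or the benchmark) of a retrieval layer that returns an explicit status to the agent instead of silently dropping records the caller is not cleared to see. The corpus, clearance labels and keyword matching are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample corpus for a due-diligence scenario; each record
# carries the clearance it requires. Contents are invented for this example.
CORPUS = [
    {"id": "DD-1", "clearance": "public",  "text": "Target company revenue grew 12% in FY24."},
    {"id": "DD-2", "clearance": "public",  "text": "Target company has 340 employees."},
    {"id": "DD-3", "clearance": "legal",   "text": "Pending litigation could impair 30% of revenue."},
    {"id": "DD-4", "clearance": "finance", "text": "Undisclosed debt covenant breach in Q3."},
]

class Status(Enum):
    NO_EVIDENCE = "no relevant evidence exists"
    COMPLETE = "all relevant evidence returned"
    PARTIAL = "relevant evidence exists but was withheld by authorization"

@dataclass
class Result:
    status: Status
    records: list = field(default_factory=list)
    withheld: int = 0  # a count only; withheld content is never exposed

def search(query, clearances):
    """Keyword retrieval that distinguishes 'nothing found' from 'found but not authorized'."""
    words = query.lower().split()
    relevant = [r for r in CORPUS if any(w in r["text"].lower() for w in words)]
    if not relevant:
        return Result(Status.NO_EVIDENCE)
    allowed = [r for r in relevant if r["clearance"] in clearances]
    withheld = len(relevant) - len(allowed)
    return Result(Status.COMPLETE if withheld == 0 else Status.PARTIAL, allowed, withheld)

def silent_search(query, clearances):
    """The failure mode: filter without signal, so an empty or short list looks like absence."""
    return search(query, clearances).records

def answer(query, clearances):
    """Agent-side use of the status: never present a partial view as a complete one."""
    res = search(query, clearances)
    facts = "; ".join(r["text"] for r in res.records)
    if res.status is Status.NO_EVIDENCE:
        return "No relevant evidence found."
    if res.status is Status.PARTIAL:
        return f"{facts} [INCOMPLETE: {res.withheld} relevant record(s) withheld by authorization]"
    return facts
```

With only the `public` clearance, `silent_search("debt", ...)` and `silent_search("patents", ...)` both return an empty list, while `search` reports PARTIAL for the first and NO_EVIDENCE for the second.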
The Partial Evidence Bench is described as deterministic and reproducible, potentially offering enterprises and regulators a standardized way to evaluate whether their agentic deployments handle authorization boundaries safely before those systems are used in production environments.