{"id":"https://openalex.org/W7155193954","doi":"https://doi.org/10.48550/arxiv.2604.18658","title":"Owner-Harm: A Missing Threat Model for AI Agent Safety","display_name":"Owner-Harm: A Missing Threat Model for AI Agent Safety","publication_year":2026,"publication_date":"2026-04-20","ids":{"openalex":"https://openalex.org/W7155193954","doi":"https://doi.org/10.48550/arxiv.2604.18658"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.18658","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.18658","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.18658","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5007482960","display_name":"Dongcheng Zhang","orcid":"https://orcid.org/0000-0003-0292-6264"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Dongcheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5134274441","display_name":"Yiqing Jiang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jiang, Yiqing","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.18569999933242798,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.18569999933242798,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.1590999960899353,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.09099999815225601,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6744999885559082},{"id":"https://openalex.org/keywords/generalization","display_name":"Generalization","score":0.5787000060081482},{"id":"https://openalex.org/keywords/harm","display_name":"Harm","score":0.4706999957561493},{"id":"https://openalex.org/keywords/focus","display_name":"Focus (optics)","score":0.462799996137619},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.38519999384880066},{"id":"https://openalex.org/keywords/terrorism","display_name":"Terrorism","score":0.31679999828338623},{"id":"https://openalex.org/keywords/satisfiability-modulo-theories","display_name":"Satisfiability modulo theories","score":0.30820000171661377}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7222999930381775},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6833000183105469},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6744999885559082},{"id":"https://openalex.org/C177148314","wikidata":"https://www.wikidata.org/wiki/Q170084","display_name":"Generalization","level":2,"score":0.5787000060081482},{"id":"https://openalex.org/C2777363581","wikidata":"https://www.wikidata.org/wiki/Q15098235","display_name":"Harm","level":2,"score":0.4706999957561493},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.462799996137619},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.38519999384880066},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3573000133037567},{"id":"https://openalex.org/C203133693","wikidata":"https://www.wikidata.org/wiki/Q7283","display_name":"Terrorism","level":2,"score":0.31679999828338623},{"id":"https://openalex.org/C164155591","wikidata":"https://www.wikidata.org/wiki/Q2067766","display_name":"Satisfiability modulo theories","level":2,"score":0.30820000171661377},{"id":"https://openalex.org/C2778868856","wikidata":"https://www.wikidata.org/wiki/Q18394273","display_name":"Threat assessment","level":2,"score":0.30329999327659607},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.29670000076293945},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2800999879837036},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.2752000093460083},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.2653000056743622},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.2533999979496002}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.18658","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.18658","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.18658","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.18658","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.8112403154373169}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Existing":[0],"AI":[1,38],"agent":[2,53,73],"safety":[3,88],"benchmarks":[4],"focus":[5],"on":[6,83,96,108],"generic":[7],"criminal":[8,99],"harm":[9],"(cybercrime,":[10],"harassment,":[11],"weapon":[12],"synthesis),":[13],"leaving":[14],"a":[15,20,51,65,86,147,162],"systematic":[16],"blind":[17],"spot":[18],"for":[19,229],"distinct":[21],"and":[22,50,173],"commercially":[23],"consequential":[24],"threat":[25,67],"category:":[26],"agents":[27],"harming":[28],"their":[29],"own":[30],"deployers.":[31],"Real-world":[32],"incidents":[33],"illustrate":[34],"the":[35,76,80,120,152,186,207],"gap:":[36],"Slack":[37],"credential":[39],"exfiltration":[40],"(Aug":[41],"2024),":[42,49],"Microsoft":[43],"365":[44],"Copilot":[45],"calendar-injection":[46],"leaks":[47],"(Jan":[48],"Meta":[52],"unauthorized":[54],"forum":[55],"post":[56],"exposing":[57],"operational":[58],"data":[59],"(Mar":[60],"2026).":[61],"We":[62,78,184],"propose":[63],"Owner-Harm,":[64],"formal":[66],"model":[68],"with":[69],"eight":[70],"categories":[71],"of":[72],"behavior":[74],"damaging":[75],"deployer.":[77],"quantify":[79],"defense":[81],"gap":[82,121,209],"two":[84],"benchmarks:":[85],"compositional":[87],"system":[89],"achieves":[90,155],"100%":[91],"TPR":[92,157,168],"/":[93,158],"0%":[94],"FPR":[95],"AgentHarm":[97],"(generic":[98],"harm)":[100],"yet":[101],"only":[102],"14.8%":[103],"(4/27;":[104],"95%":[105],"CI:":[106],"5.9%-32.5%)":[107],"AgentDojo":[109],"injection":[110,219],"tasks":[111],"(prompt-injection-mediated":[112],"owner":[113],"harm).":[114],"A":[115],"controlled":[116],"generic-LLM":[117],"baseline":[118],"shows":[119],"is":[122,227],"not":[123,224],"inherent":[124],"to":[125,141,169,178,195],"owner-harm":[126,150,231],"(62.7%":[127],"vs.":[128,214],"59.3%,":[129],"delta":[130],"3.4":[131],"pp)":[132,172],"but":[133],"arises":[134],"from":[135,176],"environment-bound":[136],"symbolic":[137],"rules":[138],"that":[139],"fail":[140],"generalize":[142],"across":[143],"tool":[144],"vocabularies.":[145],"On":[146],"post-hoc":[148],"300-scenario":[149],"benchmark,":[151],"gate":[153],"alone":[154],"75.3%":[156],"3.3%":[159],"FPR;":[160],"adding":[161],"deterministic":[163],"post-audit":[164],"verifier":[165],"raises":[166],"overall":[167],"85.3%":[170],"(+10.0":[171],"Hijacking":[174],"detection":[175,196,208],"43.3%":[177],"93.3%,":[179],"demonstrating":[180],"strong":[181],"layer":[182],"complementarity.":[183],"introduce":[185],"Symbolic-Semantic":[187],"Defense":[188],"Generalization":[189],"(SSDG)":[190],"framework":[191],"relating":[192],"information":[193],"coverage":[194],"rate.":[197],"Two":[198],"SSDG":[199],"experiments":[200],"partially":[201],"validate":[202],"it:":[203],"context":[204,218],"deprivation":[205],"amplifies":[206],"3.4x":[210],"(R":[211],"=":[212,216],"3.60":[213],"R":[215],"1.06);":[217],"reveals":[220],"structured":[221],"goal-action":[222],"alignment,":[223],"text":[225],"concatenation,":[226],"required":[228],"effective":[230],"detection.":[232]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-23T00:00:00"}