{"id":"https://openalex.org/W7155170357","doi":"https://doi.org/10.48550/arxiv.2604.19657","title":"An AI Agent Execution Environment to Safeguard User Data","display_name":"An AI Agent Execution Environment to Safeguard User Data","publication_year":2026,"publication_date":"2026-04-21","ids":{"openalex":"https://openalex.org/W7155170357","doi":"https://doi.org/10.48550/arxiv.2604.19657"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.19657","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.19657","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.19657","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5134287128","display_name":"Robert Stanley","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Stanley, Robert","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111281458","display_name":"Avi Verma","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Verma, Avi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5007441020","display_name":"Lillian Tsai","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tsai, Lillian","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5054940489","display_name":"\u039a\u03c9\u03bd\u03c3\u03c4\u03b1\u03bd\u03c4\u03af\u03bd\u03bf\u03c2 \u039a\u03b1\u03bb\u03bb\u03ac\u03c2","orcid":"https://orcid.org/0000-0002-8984-6648"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kallas, Konstantinos","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5103398357","display_name":"Sam Kumar","orcid":"https://orcid.org/0009-0003-4036-2233"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kumar, Sam","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5134287128"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3555000126361847,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3555000126361847,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.28529998660087585,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.05510000139474869,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/permission","display_name":"Permission","score":0.6920999884605408},{"id":"https://openalex.org/keywords/private-information-retrieval","display_name":"Private information retrieval","score":0.6406000256538391},{"id":"https://openalex.org/keywords/confidentiality","display_name":"Confidentiality","score":0.5613999962806702},{"id":"https://openalex.org/keywords/user-agent","display_name":"User agent","score":0.5303999781608582},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.39239999651908875},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.391400009393692},{"id":"https://openalex.org/keywords/data-breach","display_name":"Data breach","score":0.3580999970436096},{"id":"https://openalex.org/keywords/safeguard","display_name":"Safeguard","score":0.33149999380111694}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7447999715805054},{"id":"https://openalex.org/C2779089604","wikidata":"https://www.wikidata.org/wiki/Q7169333","display_name":"Permission","level":2,"score":0.6920999884605408},{"id":"https://openalex.org/C99221444","wikidata":"https://www.wikidata.org/wiki/Q1532069","display_name":"Private information retrieval","level":2,"score":0.6406000256538391},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6225000023841858},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.5613999962806702},{"id":"https://openalex.org/C71191987","wikidata":"https://www.wikidata.org/wiki/Q763744","display_name":"User agent","level":2,"score":0.5303999781608582},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.39239999651908875},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.391400009393692},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.3725999891757965},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3596999943256378},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.3580999970436096},{"id":"https://openalex.org/C2780771206","wikidata":"https://www.wikidata.org/wiki/Q3271761","display_name":"Safeguard","level":2,"score":0.33149999380111694},{"id":"https://openalex.org/C2779965156","wikidata":"https://www.wikidata.org/wiki/Q5227350","display_name":"Data sharing","level":3,"score":0.3253999948501587},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.31630000472068787},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.314300000667572},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.30480000376701355},{"id":"https://openalex.org/C169093310","wikidata":"https://www.wikidata.org/wiki/Q3702971","display_name":"Personally identifiable information","level":2,"score":0.2930000126361847},{"id":"https://openalex.org/C5894958","wikidata":"https://www.wikidata.org/wiki/Q2297769","display_name":"Software agent","level":2,"score":0.2736000120639801},{"id":"https://openalex.org/C69360830","wikidata":"https://www.wikidata.org/wiki/Q1172237","display_name":"Data Protection Act 1998","level":2,"score":0.27219998836517334},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.26759999990463257},{"id":"https://openalex.org/C2775936607","wikidata":"https://www.wikidata.org/wiki/Q466845","display_name":"Tracking (education)","level":2,"score":0.26019999384880066},{"id":"https://openalex.org/C2777622855","wikidata":"https://www.wikidata.org/wiki/Q7901844","display_name":"User information","level":3,"score":0.26010000705718994},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.2572000026702881},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.2565999925136566}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.19657","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.19657","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.19657","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.19657","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.7148517370223999,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"AI":[0,40,56,67,87,131,158,179],"agents":[1,88],"promise":[2],"to":[3,15,18,32,46,60,129,164,202,246],"serve":[4],"as":[5],"general-purpose":[6],"personal":[7,23],"assistants":[8],"for":[9,80,86,92],"their":[10,71,110],"users,":[11],"which":[12],"requires":[13,58],"them":[14],"have":[16],"access":[17],"private":[19,52,72,93,111,124,151,184,207,243],"user":[20,48,94,100,125,152,162,185,244],"data":[21,53,112,195,232,245],"(e.g.,":[22,42],"and":[24,34,98,116,133,154,182,197,217],"financial":[25],"information).":[26],"This":[27,74],"poses":[28],"a":[29,62,214,250],"serious":[30],"risk":[31],"security":[33],"privacy.":[35],"Adversaries":[36],"may":[37,113],"attack":[38],"the":[39,120,130,148,161,171,178,204],"model":[41,68,132,159],"via":[43],"prompt":[44,163],"injection)":[45],"exfiltrate":[47],"data.":[49,73,95,186],"Furthermore,":[50],"sharing":[51],"with":[54,70,137,150,192],"an":[55,83],"agent":[57,149,180,254],"users":[59,107],"trust":[61],"potentially":[63],"unscrupulous":[64],"or":[65,160],"compromised":[66],"provider":[69],"paper":[75],"presents":[76],"GAAP":[77,102,117,141,169,229],"(Guaranteed":[78],"Accounting":[79],"Agent":[81],"Privacy),":[82],"execution":[84,211],"environment":[85],"that":[89,119,199,228,237],"guarantees":[90],"confidentiality":[91],"Through":[96],"dynamic":[97],"directed":[99],"prompts,":[101],"collects":[103],"permission":[104,173],"specifications":[105],"from":[106],"describing":[108],"how":[109,177],"be":[114,165],"shared,":[115],"enforces":[118,170],"agent's":[121],"disclosures":[122,128],"of":[123,167,206],"data,":[126,153],"including":[127,235],"its":[134],"provider,":[135],"comply":[136],"these":[138],"specifications.":[139],"Crucially,":[140],"provides":[142],"this":[143],"guarantee":[144],"deterministically,":[145],"without":[146,155,249],"trusting":[147],"requiring":[156],"any":[157],"free":[166],"attacks.":[168],"user's":[172],"specification":[174],"by":[175],"tracking":[176],"accesses":[181],"uses":[183],"It":[187],"augments":[188],"Information":[189],"Flow":[190],"Control":[191],"novel":[193],"persistent":[194],"stores":[196],"annotations":[198],"enable":[200],"it":[201],"track":[203],"flow":[205],"information":[208],"both":[209],"across":[210],"steps":[212],"within":[213],"single":[215],"task,":[216],"also":[218],"over":[219],"multiple":[220],"tasks":[221],"separated":[222],"in":[223],"time.":[224],"Our":[225],"evaluation":[226],"confirms":[227],"blocks":[230],"all":[231],"disclosure":[233],"attacks,":[234],"those":[236],"make":[238],"other":[239],"state-of-the-art":[240],"systems":[241],"disclose":[242],"untrusted":[247],"parties,":[248],"significant":[251],"impact":[252],"on":[253],"utility.":[255]},"counts_by_year":[],"updated_date":"2026-04-23T06:20:18.424754","created_date":"2026-04-23T00:00:00"}