{"ID":6024091,"CreatedAt":"2026-07-08T01:00:23.257252134Z","UpdatedAt":"2026-07-09T17:51:18.37832961Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.05518","arxiv_id":"2607.05518","title":"aiAuthZ: Off-Host, Identity-Bound Authorization for AI Agents","abstract":"AI agents issue tool calls on the basis of text they cannot verify, so any party who controls part of the context can forge the appearance of authority. I evaluate 15 contemporary language models against eight attack scenarios derived from a published corpus of real agent incidents and find that refusal varies from 100% down to 38% across fully evaluated models; the most expensive model refused only half of the attacks despite a twentyfold price spread. I present aiAuthZ, an authorization gateway that moves the safety decision off the agent's host. Before a tool call executes, the gateway verifies caller identity with a per-message HMAC-SHA256 signature bound to a single-use nonce and a timestamp window, and it evaluates a role-based and argument-level policy that the agent can neither read nor modify. Every decision joins a SHA-256 hash-chained audit log, and each accepted message yields an HMAC-authenticated QR receipt that achieves 94% mean verification across eight transmission channels, with zero forgeries accepted in 25 wrong-key trials. With the gateway in place, residual attack success falls to 0% for all 15 models at no more than 0.03 ms of added decision latency. On the AgentDojo banking suite, aiAuthZ blocks all seven attacker-directed tool calls the evaluated agents emit, at the cost of one legitimate first-time payment, while a spotlighting baseline allows two injections to succeed. Across nine in-scope case studies from the same incident corpus, aiAuthZ blocks nine of nine, against four of nine for a policy baseline without identity binding. The gateway does not prevent a model from being deceived; it prevents a deceived model from acting beyond the verified user's authority on every call routed through it. The implementation and all experiments are released at https://github.com/Sports-Vision-Inc/aiAuthZ.","short_abstract":"AI agents issue tool calls on the basis of text they cannot verify, so any party who controls part of the context can forge the appearance of authority. I evaluate 15 contemporary language models against eight attack scenarios derived from a published corpus of real agent incidents and find that refusal varies from 100...","url_abs":"https://arxiv.org/abs/2607.05518","url_pdf":"https://arxiv.org/pdf/2607.05518v1","authors":"[\"Sai Varun Kodathala\"]","published":"2026-07-06T18:00:49Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.AI\"]","methods":"[\"Language Model\"]","has_code":false,"code_links":[{"ID":614032,"CreatedAt":"2026-07-08T01:00:23.257252134Z","UpdatedAt":"2026-07-08T01:00:23.257252134Z","DeletedAt":null,"paper_id":6024091,"paper_url":"https://arxiv.org/abs/2607.05518","paper_title":"aiAuthZ: Off-Host, Identity-Bound Authorization for AI Agents","repo_url":"https://github.com/Sports-Vision-Inc/aiAuthZ","is_official":false,"mentioned_in_paper":false,"mentioned_in_github":true,"github_stars":0}]}
