Will the Agent Recuse Itself? Measuring LLM-Agent Compliance with In-Band Access-Deny Signals
Thamilvendhan Munirathinam
Why It Matters
What makes this one worth your time
As LLM agents take on more responsibilities, establishing mechanisms for compliance with access controls is crucial for safe and effective deployment in real-world applications.
Introducing a cooperative signal for LLM agents to self-regulate access to resources.
Summary
The paper introduces a new in-band deny signal, called the Recuse Signal, which allows LLM agents to voluntarily withdraw from accessing certain resources, and evaluates its effectiveness through controlled experiments.
Key contributions
- Development of the Recuse Signal as a lightweight governance control for LLM agents.
- Implementation of adapters for SSH and PostgreSQL to facilitate the Recuse Signal.
- Empirical evaluation demonstrating the effectiveness of the Recuse Signal in inducing agent recusal.
Notable insights
- The Recuse Signal acts as a cooperative governance tool rather than a strict security measure, highlighting the nuanced behavior of LLM agents in response to contextual signals.
- The experimental results indicate that agent compliance can vary significantly based on framing and context, suggesting the importance of operator communication strategies.
Possible limitations
- Potential edge cases where agents may not comply with the signal under certain conditions are not addressed.
- The abstract does not specify the range of LLM agents tested beyond those mentioned, limiting generalizability.
Abstract
arXiv:2606.06460v1 Announce Type: cross Abstract: As autonomous LLM agents increasingly hold real credentials and operate infrastructure without a human in the loop, operators have no standard way to tell an agent that a resource is off-limits. Access controls either let the agent in (it has valid credentials) or hard-fail it (indistinguishable from any other client). We propose a third mode: a lightweight, published in-band deny signal -- the Recuse Signal -- that a server emits over a protocol's existing channels (an SSH banner, a PostgreSQL NOTICE) asking a connecting automated agent to voluntarily withdraw. This is a cooperative governance control, the robots.txt analogue for live access; it is explicitly not a security boundary. Its value is entirely empirical and, to our knowledge, unmeasured: do compliant LLM agents actually honor such a signal? We define the signal as an open mini-standard, implement two zero- or low-footprint adapters (an SSH banner/PAM hook and a PostgreSQL wire-protocol proxy), deploy them on a live production host, and run a controlled experiment in which fresh agents are given a benign operations task and observed for recusal. In a pilot (SSH; OpenAI GPT-4o and GPT-4o-mini; and Claude Code as a deployed agent), the signal cleanly induces recusal -- 100% recusal when present versus 100% task completion in a no-signal control -- and, revealingly, behaves as a cooperative rather than absolute signal: an explicit operator-authorization framing flips the most capable model to proceed, while other agents continue to defer to the on-host policy. We release the standard, adapters, and experiment harness for reproduction.