SoK: Trust-Authorization Mismatch in LLM Agent Interactions

Large Language Models (LLMs) are evolving into autonomous agents capable of executing complex workflows via standardized protocols (e.g., MCP). However, this paradigm shifts control from deterministic code to probabilistic inference, creating a fundamental Trust-Authorization Mismatch: static permissions are structurally decoupled from the agent's fluctuating runtime trustworthiness. In this Systematization of Knowledge (SoK), we survey more than 200 representative papers to categorize the emerging landscape of agent security. We propose the Belief-Intention-Permission (B-I-P) framework as a unifying formal lens. By decomposing agent execution into three distinct stages-Belief Formation, Intent Generation, and Permission Grant-we demonstrate that diverse threats, from prompt injection to tool poisoning, share a common root cause: the desynchronization between dynamic trust states and static authorization boundaries. Using the B-I-P lens, we systematically map existing attacks and defenses and identify critical gaps where current mechanisms fail to bridge this mismatch. Finally, we outline a research agenda for shifting from static Role-Based Access Control (RBAC) to dynamic, risk-adaptive authorization.

Key Contributions

• Proposes the Belief-Intention-Permission (B-I-P) framework to decompose LLM agent execution into three stages and unify analysis of diverse agent security threats
• Identifies Trust-Authorization Mismatch — the structural decoupling of static permissions from fluctuating runtime trustworthiness — as the shared root cause across agent attack categories
• Surveys 200+ papers to systematically map existing attacks and defenses, identifies critical gaps, and outlines a research agenda for dynamic, risk-adaptive authorization replacing static RBAC

🛡️ Threat Analysis

Details

Similar Papers