Abstract
AI agents issue tool calls based on unverifiable text, allowing any party controlling part of the context to forge the appearance of authority. I evaluated 15 contemporary language models against eight attack scenarios derived from a published corpus of real agent incidents, finding refusal rates varied from 100% down to 38%. The most expensive model only refused half the attacks despite a twentyfold price disparity.
I present aiAuthZ, an authorization gateway that moves the safety decision off the agent's host. Before a tool call executes, the gateway verifies caller identity with a per-message HMAC-SHA256 signature bound to a single-use nonce and a timestamp window, and it evaluates a role-based and argument-level policy that the agent cannot read or modify. Every decision joins a SHA-256 hash-chained audit log, and each accepted message yields an HMAC-authenticated QR receipt that achieves 94% mean verification across eight transmission channels, with zero forgeries accepted in 25 wrong-key trials.
With the gateway in place, residual attack success falls to 0% for all 15 models with no more than 0.03 ms of added decision latency. In the AgentDojo banking suite, aiAuthZ blocks all seven attacker-directed tool calls emitted by the evaluated agents, at the cost of one legitimate first-time payment, while a spotlighting baseline allows two injections to succeed. Across nine in-scope case studies from the same incident corpus, aiAuthZ blocks nine of nine, against four of nine for a policy baseline without identity binding. The gateway does not prevent a model from being deceived; it prevents a deceived model from acting beyond the verified user's authority on every call routed through it. The implementation and all experiments are released at GitHub.
Blogger's Review: The introduction of aiAuthZ provides a robust security framework for AI agents, significantly reducing the attack success rate through off-host identity verification and role-based policies. This innovation not only enhances the safety of AI systems but also lays a foundation for future intelligent agent applications.