Uncertainty-Aware, Risk-Adaptive Access Control for Agentic Systems using an LLM-Judged TBAC Model
Charles Fleming, Ashish Kundu, Ramana Kompella
TL;DR
The paper tackles securing autonomous agents performing emergent tasks without predefined policies by extending Task-Based Access Control (TBAC) with an LLM Judge that is both risk-aware and self-aware. It introduces a static resource risk function $\rho(s)$, a composite risk $R_{comp}$, and model uncertainty $\upsilon \in [0,1]$ to decide when to auto-approve or escalate to human oversight, based on thresholds $\theta_{risk}$ and $\theta_{uncertainty}$. The approach synthesizes just-in-time policies $\Pi$ and mints short-lived, auditable capability tokens, enabling adaptive least-privilege access in two use cases: high-risk incident response and low-risk analytics. Practical considerations address latency, tool-manifest maintenance, and human-in-the-loop design, with future work focusing on calibration of uncertainty, dynamic risk updates, LLM security, and explainable auditing to improve trust and safety in agentic systems.
Abstract
The proliferation of autonomous AI agents within enterprise environments introduces a critical security challenge: managing access control for emergent, novel tasks for which no predefined policies exist. This paper introduces an advanced security framework that extends the Task-Based Access Control (TBAC) model by using a Large Language Model (LLM) as an autonomous, risk-aware judge. This model makes access control decisions not only based on an agent's intent but also by explicitly considering the inherent risk associated with target resources and the LLM's own model uncertainty in its decision-making process. When an agent proposes a novel task, the LLM judge synthesizes a just-in-time policy while also computing a composite risk score for the task and an uncertainty estimate for its own reasoning. High-risk or high-uncertainty requests trigger more stringent controls, such as requiring human approval. This dual consideration of external risk and internal confidence allows the model to enforce a more robust and adaptive version of the principle of least privilege, paving the way for safer and more trustworthy autonomous systems.
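The gate described in the TL;DR and abstract, sketched as an added example (not the paper's code): the judge's synthesized policy $\Pi$ and uncertainty $\upsilon$ are taken as inputs, the request is escalated if either threshold is exceeded, and an approved policy is minted into a short-lived capability token that the enforcement point verifies. Assumptions: $R_{comp}$ is taken as the maximum $\rho(s)$ over the requested resources (the page does not define the composition), the risk table, thresholds and key are constructed values, and the HMAC-signed JSON token format and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed values: static resource risk rho(s), thresholds, demo signing key.
RHO = {"sales_dashboard": 0.2, "fw_rules": 0.8, "hr_db": 0.9}
THETA_RISK, THETA_UNCERTAINTY = 0.7, 0.3
KEY = b"demo-key-replace-with-kms-held-secret"

def composite_risk(resources):
    # Assumption: R_comp is the max rho(s) over the task's resources.
    # Resources missing from the risk table score 1.0 (fail closed).
    return max((RHO.get(s, 1.0) for s in resources), default=0.0)

def decide(policy, uncertainty):
    """policy = {"task": str, "allow": [[resource, action], ...]} from the judge."""
    r_comp = composite_risk({r for r, _ in policy["allow"]})
    reasons = [name for name, value, theta in (
        ("risk", r_comp, THETA_RISK),
        ("uncertainty", uncertainty, THETA_UNCERTAINTY)) if value > theta]
    return ("escalate" if reasons else "auto_approve"), r_comp, reasons

def _sign(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()

def mint_token(policy, ttl_s=300, now=None):
    # Short-lived capability scoped to exactly the synthesized policy.
    now = int(time.time()) if now is None else now
    claims = {"task": policy["task"], "allow": policy["allow"],
              "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body)).decode()

def authorize(token, resource, action, now=None):
    # Enforcement point: verify the MAC before parsing, then expiry and scope.
    now = int(time.time()) if now is None else now
    try:
        b64_body, b64_tag = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:  # malformed token (includes binascii.Error)
        return False
    if not hmac.compare_digest(tag, _sign(body)):
        return False
    claims = json.loads(body)
    return now < claims["exp"] and [resource, action] in claims["allow"]
```

An escalated request would be routed to a human approver instead of reaching `mint_token`; that queue is outside this sketch.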
