Table of Contents
Fetching ...

AgenTRIM: Tool Risk Mitigation for Agentic AI

Roy Betser, Shamik Bose, Amit Giloni, Chiara Picardi, Sindhu Padakandla, Roman Vainshtein

TL;DR

The paper targets safety in LLM-based agents that use external tools by addressing the core issue of unbalanced tool-driven agency. It introduces AgenTRIM, a hybrid framework with an offline tool extractor that builds a verified, risk-labeled tool inventory and an online tool orchestrator that enforces per-step least-privilege access while preserving the agent’s reasoning. Across the AgentDojo benchmark and additional attacks, AgenTRIM achieves state-of-the-art safety-utility trade-offs, substantially reducing indirect prompt injections and description-based tool attacks with only modest latency overhead. The approach is practical, auditable, and adaptable to policy-based safety constraints, offering a deployable foundation for safer tool use in open-ended agentic systems.

Abstract

AI agents are autonomous systems that combine LLMs with external tools to solve complex tasks. While such tools extend capability, improper tool permissions introduce security risks such as indirect prompt injection and tool misuse. We characterize these failures as unbalanced tool-driven agency. Agents may retain unnecessary permissions (excessive agency) or fail to invoke required tools (insufficient agency), amplifying the attack surface and reducing performance. We introduce AgenTRIM, a framework for detecting and mitigating tool-driven agency risks without altering an agent's internal reasoning. AgenTRIM addresses these risks through complementary offline and online phases. Offline, AgenTRIM reconstructs and verifies the agent's tool interface from code and execution traces. At runtime, it enforces per-step least-privilege tool access through adaptive filtering and status-aware validation of tool calls. Evaluating on the AgentDojo benchmark, AgenTRIM substantially reduces attack success while maintaining high task performance. Additional experiments show robustness to description-based attacks and effective enforcement of explicit safety policies. Together, these results demonstrate that AgenTRIM provides a practical, capability-preserving approach to safer tool use in LLM-based agents.

AgenTRIM: Tool Risk Mitigation for Agentic AI

TL;DR

The paper targets safety in LLM-based agents that use external tools by addressing the core issue of unbalanced tool-driven agency. It introduces AgenTRIM, a hybrid framework with an offline tool extractor that builds a verified, risk-labeled tool inventory and an online tool orchestrator that enforces per-step least-privilege access while preserving the agent’s reasoning. Across the AgentDojo benchmark and additional attacks, AgenTRIM achieves state-of-the-art safety-utility trade-offs, substantially reducing indirect prompt injections and description-based tool attacks with only modest latency overhead. The approach is practical, auditable, and adaptable to policy-based safety constraints, offering a deployable foundation for safer tool use in open-ended agentic systems.

Abstract

AI agents are autonomous systems that combine LLMs with external tools to solve complex tasks. While such tools extend capability, improper tool permissions introduce security risks such as indirect prompt injection and tool misuse. We characterize these failures as unbalanced tool-driven agency. Agents may retain unnecessary permissions (excessive agency) or fail to invoke required tools (insufficient agency), amplifying the attack surface and reducing performance. We introduce AgenTRIM, a framework for detecting and mitigating tool-driven agency risks without altering an agent's internal reasoning. AgenTRIM addresses these risks through complementary offline and online phases. Offline, AgenTRIM reconstructs and verifies the agent's tool interface from code and execution traces. At runtime, it enforces per-step least-privilege tool access through adaptive filtering and status-aware validation of tool calls. Evaluating on the AgentDojo benchmark, AgenTRIM substantially reduces attack success while maintaining high task performance. Additional experiments show robustness to description-based attacks and effective enforcement of explicit safety policies. Together, these results demonstrate that AgenTRIM provides a practical, capability-preserving approach to safer tool use in LLM-based agents.
Paper Structure (36 sections, 7 equations, 12 figures, 9 tables)

This paper contains 36 sections, 7 equations, 12 figures, 9 tables.

Figures (12)

  • Figure 1: AgenTRIM Framework: An offline tool extractor builds a verified tool inventory; online, a tool orchestrator wraps the AI agent to enforce least-privilege tool access per step while retaining the agent’s logic.
  • Figure 2: Qualitative example. An attack embedded in a file causes the baseline agent to send money to the attacker, whereas under AgenTRIM the send_money tool is filtered, and the attack fails (example from AgentDojo).
  • Figure 3: AgenTRIM offline tool extractor. Deterministic code analysis enumerates candidate tools; a validator then generates per-tool probes, executes the agent and verifies existence from traces while regenerating clarified descriptions. A dynamic search step surfaces missed tools, which are re-validated, yielding a verified inventory.
  • Figure 4: AgenTRIM online tool orchestration. Top: baseline agent runs a single LLM–tool loop, with access to all of the agnet's tools. Bottom: our orchestrator adds adaptive tool filtering (deterministic), high risk validator (dynamic), and a status manager (dynamic), executing short, status-guided iterations in a filtered environment.
  • Figure 5: AgentDojo results vs. baseline defenses.AgenTRIM is closest to the ideal (low ASR, high utility) in both scatter plots. Panel (c) reports tool usage for the baselines and, for AgenTRIM, separately for low-risk tools, high-risk tools, and overall. Low-risk tools show low usage rate (high redundancy), while high risk tools have zero redundancy. This dual effect keeps AgenTRIM flexible and high-performing while remaining attack-resistant.
  • ...and 7 more figures