SEAgent: mandatory access control to contain agent privilege escalation

What is this?

Taming Various Privilege Escalation in LLM-Based Agent Systems: A Mandatory Access Control Framework (arXiv:2601.11893, posted 17 January 2026 by Zimo Ji and colleagues at HKUST, Lingnan University, ETH Zurich and others) makes a useful reframing: most agent attacks that matter are, at bottom, privilege escalation. The authors define it cleanly as an agent taking actions that exceed the least privilege required for the user’s intended task — for example, an agent asked to summarise a file that instead reads credentials, calls a payment tool, or opens a smart lock because injected content told it to.

That framing matters because it shifts the question from “did the model get tricked?” to “should this action have been allowed at all?”. Indirect prompt injection and RAG poisoning are the trigger; the damage happens only when an over-privileged agent is permitted to act. The same month, Microsoft’s research on agent frameworks (7 May 2026) and OWASP’s mid-2026 data (11 June 2026) both land on the same conclusion: untrusted input plus excessive tool authority is the dominant failure mode in production agent systems.

How it works

The paper builds a formal model of an LLM agent system — agents, tools, data objects and the flows between them — and uses it to surface privilege-escalation scenarios, including ones specific to multi-agent systems (MAS). The notable case is a variant of the classic confused deputy problem: a low-privilege agent persuades or routes a request through a higher-privilege agent, which then performs the sensitive action on the attacker’s behalf while believing it is serving a legitimate task.

Their defense, SEAgent, is a mandatory access control (MAC) framework built on attribute-based access control (ABAC). Three ideas carry it:

• Information-flow graph. SEAgent monitors agent–tool interactions and tracks how data moves between entities, so a policy can reason about where a value came from, not just what a tool is being asked to do.
• Attribute-tagged entities. Agents, tools and data objects carry attributes (sensitivity, origin, trust). Policies are written against those attributes rather than hard-coded per tool.
• Deterministic enforcement. Crucially, MAC is mandatory: the policy is enforced by the system, not negotiated by the model. This is the difference from detection-level defenses (auxiliary classifiers like Llamafirewall or PromptArmor) and model-level defenses (SecAlign, instruction hierarchy), which the authors note remain probabilistic and have been shown bypassable by adaptive or cascading-injection attacks. SEAgent sits in the system-level tradition of IsolateGPT and CaMeL.

The reported evaluation is the part to watch for a defense: SEAgent blocks the demonstrated privilege-escalation cases while keeping a low false-positive rate and minimal overhead — the two failure conditions that usually kill policy layers in practice.

Why it matters

Agent deployments are accumulating tools faster than they are accumulating controls. MCP in particular has widened the blast radius: a single agent can now reach email, code execution, cloud APIs and physical devices. In that setting, a probabilistic guard that is right 99% of the time is still an open door, because an attacker only needs the one request that slips through. A deterministic authority boundary changes the economics — the injected instruction can be read, but the privileged action it asks for is simply not permitted.

The honest limits: SEAgent is a research framework, not a drop-in product, and like any policy system its value depends entirely on the policies you write and the attributes you assign. A MAC layer with permissive defaults buys little. The contribution is the model and the enforcement architecture, not a turnkey configuration.

Defenses

Whether or not you adopt this specific framework, the design lessons are immediately usable:

• Scope privilege to the task, not the agent. Grant the minimum tool authority a request needs, and drop it when the task ends. Standing broad permissions are the precondition every escalation depends on.
• Make the authority boundary deterministic. Put a non-LLM policy decision point between the agent’s intent and any sensitive tool call. Do not let the model that can be injected also be the thing that authorises the action.
• Track provenance, not just content. Tag data by origin and sensitivity and let policy follow the flow, so a value derived from untrusted input cannot silently drive a privileged action — the discipline behind the lethal trifecta.
• Watch delegation in multi-agent systems. Treat one agent calling another as a privilege boundary. Check that the originating request is authorised for the action the downstream agent will take, to close the confused-deputy path.
• Measure false positives before you trust the guard. A policy layer that breaks legitimate tasks gets disabled. Evaluate overhead and FP rate on real workloads, not just attack suites.

Status

Item	Detail
Source	arXiv:2601.11893v1 [cs.CR], 17 Jan 2026
Framework	SEAgent — MAC built on ABAC
Mechanism	Information-flow graph + attribute-based policies, deterministic enforcement
Threat reframed	Privilege escalation = action beyond least privilege for the task
Notable scenario	Confused-deputy variant in multi-agent systems
Reported results	Blocks tested escalation; low false-positive rate, minimal overhead
Maturity	Research prototype, not a deployable product

This is a defensive, design-level contribution: no exploit payloads, no actionable attack. The takeaway outlives the specific framework — in agent systems, the durable control is not detecting every malicious prompt but enforcing a deterministic authority boundary so the prompt cannot escalate privilege in the first place.