The emerging agentic web envisions AI agents that reliably fulfill users' natural-language (NL)-based tasks by interacting with existing web services. However, existing authorization models are misaligned with this vision. In particular, today's operator-scoped authorization, exemplified by OAuth, grants broad permissions tied to operators (e.g., the transfer operator) rather than to the specific operations (e.g., transfer $100 to Bob) implied by a user's task. This will inevitably result in overprivileged agents. We introduce Precise Task-Scoped Implicit Authorization (PAuth), a fundamentally different model in which submitting an NL task implicitly authorizes only the concrete operations required for its faithful execution. To make this enforceable at servers, we propose NL slices: symbolic specifications of the calls each service expects, derived from the task and upstream results. Complementing this, we also propose envelopes: special data structure to bind each operand's concrete value to its symbolic provenance, enabling servers to verify that all operands arise from legitimate computations. PAuth is prototyped in the agent-security evaluation framework AgentDojo. We evaluate it in both benign settings and attack scenarios where a spurious operation is injected into an otherwise normal task. In all benign tests, PAuth executes the tasks successfully without requiring any additional permissions. In all attack tests, PAuth correctly raises warnings about missing permissions. These results demonstrate that PAuth's reasoning about permissions is indeed precise. We further analyze the characteristics of these tasks and measure the associated token costs.

翻译：新兴的智能体网络愿景旨在通过AI智能体与现有网络服务交互，可靠地完成用户基于自然语言的任务。然而，现有授权模型与该愿景存在错位。特别是当前以OAuth为代表的"操作者范围授权"模式，将宽泛权限授予操作者（例如转账操作者），而非用户任务所隐含的具体操作（例如向Bob转账100美元）。这将不可避免地导致智能体权限过度泛化。本文提出精确任务范围隐式授权（PAuth），这是一种根本性不同的授权模型：提交自然语言任务即隐式授权仅执行该任务所需的具体操作。为实现服务端可执行性，我们提出自然语言切片概念——从任务及上游结果推导出的、每个服务预期调用的符号化规范。作为补充，我们还提出信封机制：一种特殊数据结构，将每个操作数的具体值与其符号化来源绑定，使服务端能够验证所有操作数均源自合法计算过程。PAuth已在智能体安全评估框架AgentDojo中实现原型。我们在正常场景和攻击场景（在正常任务中注入虚假操作）中对其进行评估。所有正常测试中，PAuth均成功执行任务且无需额外权限；所有攻击测试中，PAuth均能正确触发权限缺失警告。这些结果表明PAuth的权限推理机制具有精确性。我们进一步分析了任务特征并测量了相关令牌成本。