AGrail: A Lifelong Agent Guardrail with Effective and Adaptive Safety Detection
About
The rapid advancements in Large Language Models (LLMs) have enabled their deployment as autonomous agents for handling complex tasks in dynamic environments. These LLMs demonstrate strong problem-solving capabilities and adaptability to multifaceted scenarios. However, their use as agents also introduces significant risks, including task-specific risks, which are identified by the agent administrator based on the specific task requirements and constraints, and systemic risks, which stem from vulnerabilities in their design or interactions, potentially compromising confidentiality, integrity, or availability (CIA) of information and triggering security risks. Existing defense agencies fail to adaptively and effectively mitigate these risks. In this paper, we propose AGrail, a lifelong agent guardrail to enhance LLM agent safety, which features adaptive safety check generation, effective safety check optimization, and tool compatibility and flexibility. Extensive experiments demonstrate that AGrail not only achieves strong performance against task-specific and system risks but also exhibits transferability across different LLM agents' tasks.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Safety Compliance Evaluation | eICU-AC | LPA98.4 | 10 | |
| Safety Compliance Evaluation | Mind2Web SC | LPA94 | 10 | |
| Agent Defense | S2Bench | Query ASR0.377 | 10 | |
| Task-specific Risk Detection | Mind2Web-SC (test) | LPA0.984 | 9 | |
| Task-specific Risk Detection | EICU-AC (test) | LPA98.4 | 9 | |
| Systemic Risk Detection | Safe-OS | Normal Count95.6 | 7 | |
| Systemic Risk Detection | AdvWeb | Prompt Injection (PI)0.00e+0 | 6 | |
| Systemic Risk Detection | EIA | Action Grounding (Grd)8 | 6 | |
| Safety Detection | TS-Bench AgentHarm-Traj (eval) | Latency (s/sample)8.75 | 4 | |
| Safety Detection | TS-Bench AgentDojo-Traj (eval) | Efficiency (s/sample)8.75 | 4 |