AgentSCOPE: Evaluating Contextual Privacy Across Agentic Workflows
This work identifies a critical blind spot in privacy evaluation for agentic systems, specifically for developers and users concerned about sensitive data exposure during intermediate processing steps.
This paper addresses the lack of privacy evaluation for intermediate information flows within agentic systems by introducing the Privacy Flow Graph framework and AgentSCOPE benchmark. Their evaluation of seven state-of-the-art LLMs on 62 multi-tool scenarios revealed that over 80% of scenarios contained privacy violations within the pipeline, even when final outputs appeared clean in 24% of cases, with most violations occurring at the tool-response stage.
Agentic systems are increasingly acting on users' behalf, accessing calendars, email, and personal files to complete everyday tasks. Privacy evaluation for these systems has focused on the input and output boundaries, but each task involves several intermediate information flows, from agent queries to tool responses, that are not currently evaluated. We argue that every boundary in an agentic pipeline is a site of potential privacy violation and must be assessed independently. To support this, we introduce the Privacy Flow Graph, a Contextual Integrity-grounded framework that decomposes agentic execution into a sequence of information flows, each annotated with the five CI parameters, and traces violations to their point of origin. We present AgentSCOPE, a benchmark of 62 multi-tool scenarios across eight regulatory domains with ground truth at every pipeline stage. Our evaluation across seven state-of-the-art LLMs show that privacy violations in the pipeline occur in over 80% of scenarios, even when final outputs appear clean (24%), with most violations arising at the tool-response stage where APIs return sensitive data indiscriminately. These results indicate that output-level evaluation alone substantially underestimates the privacy risk of agentic systems.