A New Framework for Cybersecurity Refusals in AI Agents
For AI safety researchers and developers, this work addresses the overlooked problem of when AI agents should refuse harmful cybersecurity requests, though the framework is domain-specific and the findings are preliminary.
The paper introduces the first framework for establishing refusal boundaries in offensive security contexts for AI agents, finding that 6 of 8 frontier models show near-zero refusal rates, with only GPT-5.2 and GPT-5.1 Codex demonstrating meaningful refusal behavior.
Agentic scaffolds have dramatically improved LLM performance on complex, long-horizon tasks, yielding both broad benefits and amplified risks in domains like cybersecurity. Existing benchmarks for AI agents in cybersecurity focus mainly on measuring proficiency--how effectively agents can complete offensive security tasks--but neglect a critical question: when and how should agents refuse harmful requests? We present the first framework for establishing refusal boundaries in offensive security contexts. Our framework defines (1) principled criteria for when tasks should be refused, (2) categories of tasks that warrant refusal, and (3) evaluation methodology for measuring agent robustness under both benign and adversarial conditions. We apply this framework to assess how current LLM-powered agents adhere to appropriate refusal boundaries across a range of web-based offensive security scenarios, finding that 6 of 8 frontier models tested show near-zero refusal rates, with only 2 models (GPT-5.2 and GPT-5.1 Codex) demonstrating any meaningful refusal behavior.