- The paper introduces CORA, a post-policy safety controller that applies conformal risk control to enforce statistical harm limits on mobile GUI actions.
- It details a three-stage safety pipeline: action-conditioned risk estimation, calibrated thresholding, and minimal intervention with a VLM-based Diagnostician.
- Empirical results on the Phone-Harm benchmark show CORA achieves high goal success rates while strictly controlling harm, outperforming conservative and permissive baselines.
Mobile GUI agents based on vision-LLMs (VLMs) and LLMs are showing promise for direct autonomous device control across complex, multi-app environments. However, their autonomy also exposes users to potential high-stakes harms, such as unauthorized financial transactions, privacy breaches, or system misconfiguration errors. Compared to desktop counterparts, the mobile setting presents unique challenges: smaller display areas, denser UI elements, tight coupling of permissions/payments to device owner identity, a broad attack surface via notifications/overlays, and rapid, personalized UI evolution. Current safeguards—prompt engineering, heuristic rules, or VLM-based critics—lack formal risk guarantees and practical user-tuning, leaving a critical gap in safe, deployable automation frameworks.
The paper "CORA: Conformal Risk-Controlled Agents for Safeguarded Mobile GUI Automation" (2604.09155) addresses this deficit by proposing CORA, a post-policy, pre-execution safety controller for mobile agents. The core insight is to recast execution as a problem of selective action execution under a user-tunable risk budget, employing conformal risk control (CRC) for statistical safety guarantees. The work is accompanied by Phone-Harm, an adversarial and naturalistic benchmark for mobile GUI safety, enabling rigorous step-level evaluation under real-world conditions.
CORA Framework and Architecture
The CORA framework encapsulates a three-stage safety pipeline for any base mobile GUI agent. The process begins with the agent proposing a low-level GUI action (tap/type/swipe) given the current screen and UI context. CORA then applies:
- Action-Conditional Guardian: A lightweight, fine-tuned model provides a calibrated risk score for each proposed action by considering the frozen, clarified user intent (goal) and the action context. This step explicitly conditions risk on both the specific action and the visual state, unlike previous approaches that only evaluate at the global state level.
- Conformal Risk Calibration: The Guardian's scores are mapped—using a held-out calibration set—into an adaptive execute/abstain threshold that ensures the rate of autonomous harmful executions does not exceed a user-specified budget α. This transforms safety specification from a heuristic exercise into a knob with formal guarantees.
- Diagnostician with Minimal Intervention: High-risk actions (those exceeding the risk threshold) are routed to a trainable Diagnostician—a VLM-based generator producing a harm type, UI-grounded rationale, and one of several minimal interventions (Abort, Confirm, Reflect), reducing unnecessary user interruption.
A further layer of protection is provided by Goal-Lock: the user intent is clarified and frozen at the start of the trajectory, and on-screen text is only untrusted evidence. This prevents instruction drift and resists indirect visual prompt injections.
Figure 1: CORA architecture for selective action gating, risk calibration, and semantic intervention, with a foundational role for conformal risk control.
Methodology: Statistical Risk Control and Robustness
The core methodological innovation is to enforce a formal risk bound on harmful executions via the Conformal Risk Control protocol. The Guardian’s action-conditional risk scores are thresholded according to CRC, which guarantees, under exchangeability of calibration and test data, that the expected executed-harm rate is controlled at the desired level α. This provides a deployable, user-tunable knob for risk management—e.g., setting α=1% ensures that at most 1% of autonomous agent actions result in harm (in expectation), regardless of model calibration or class distribution.
The framework further supports weighted calibration, allowing robustness to covariate shift across apps, devices, or interface distributions. Sequential dependence is handled through blockwise calibration (trajectory-level splits), mitigating temporal dependency leakage.
Benchmark: Phone-Harm
Recognizing the gap in available testbeds, the authors introduce Phone-Harm—a benchmark targeting high-stakes mobile GUI safety. Phone-Harm consists of two balanced subsets:
- Harm-150: 150 human-authored tasks across 29 mobile apps, each annotated at the step level for harm category (Misuse, Injection, Misbehavior) and risk level. Examples include irreversible sharing of sensitive information or executing injected commands from malicious pop-ups.
- Normal-150: 150 benign, purely helpful tasks from the same app/task distribution, for evaluating false positive and utility preservation.
The benchmark enforces strict isolation of training/calibration/test data, uses step-local annotation protocols to avoid future leakage, and leverages a strong LLM judge for scalable, reproducible evaluation.
Figure 2: Distributional analysis of Harm-150, indicating coverage across applications and concentration of risk types within harm subcategories.

Figure 3: Qualitative case: deliberate misuse scenario where CORA aborts before privacy-compromising action, identifying the request as high-risk.
Experimental Results
CORA is evaluated as a controller for a diverse set of base policies (GPT-5, Gemini-3, UI-TARS-1.5, AutoGLM-VLM) across Phone-Harm, MobileRisk, and AndroidWorld benchmarks. The evaluation reports key metrics including Harm Rate (HR), Goal Achievement Rate (GAR), intervention F1, and over-intervention rate (OIR), analyzed along the safety–helpfulness–interruption Pareto frontier.

Figure 4: HR–GAR Pareto frontier for the harmful Phone-Harm subset, showing dominant frontier for CORA versus baselines.
Strong empirical findings include:
- For equivalent HR, CORA achieves a GAR of 79.8% and IF1 of 85.3%, compared to much lower GAR for conservative refusal (e.g., GPT-5: GAR 37.5%, HR 0.4%) or much higher HR for permissive baselines (e.g., heuristic gate: HR 24.4%).
- Under a deployment-realistic mixture (Phone-Harm+Normal), CORA yields the highest GAR (89.7%) and IF1 (85.3%) while maintaining HR (2.2%) below UI-TARS-1.5 (2.9%), confirming calibrated selectivity rather than mere permissiveness.
- On capability retention, CORA improves safe navigation task success rates by over 20 points compared to other safety controllers, with the Diagnostician operating as an error-recovery layer rather than an alignment tax.
Ablations and Component Analysis
Comprehensive ablations validate the necessity of each architectural component:
- Conformal Risk Control: Substituting CRC with static thresholds sacrifices statistical safety, yielding poor risk–coverage tradeoffs and unpredictable harm rates.
Figure 5: CRC ablation demonstrates CRC’s statistical tightness and optimal coverage-harm trade-off.
- Action Conditioning: Disabling action-conditioning reduces the Guardian to a coarse state evaluator, failing to distinguish actions with adjacent UI context but starkly different outcomes.
Figure 6: Ablation shows action-conditioning is essential for granular risk separation under overlapping visual contexts.
- Diagnostician: Replacing the generative Diagnostician with simple heuristics results in consistent violation of the risk budget, affirming the value of semantic VLM-based reasoning for nuanced intervention.
Figure 7: Diagnostician ablation indicates critical safety and precision gains from context-aware, generative diagnosis.
- Goal-Lock: Disabling Goal-Lock forces more conservative thresholds, contracting the attainable safety–utility frontier.
Figure 8: Goal-Lock ablation reveals strong risk reduction and coverage benefits from intent anchoring against indirect injection.
Implications, Limitations, and Future Directions
The CORA framework advances agentic safety in mobile environments by offering an explicit, user-driven, and statistically justified safety–autonomy trade-off. Its post-policy, pre-action controller architecture enables plug-and-play integration atop arbitrary base policies, while Phone-Harm provides a rigorous evaluation standard for step-level safety under real-world shifts.
Practically, this framework enables deployment of mobile GUI agents with formal guarantees on catastrophic action frequency, minimal user friction, and resilience under adversarial shift and novel attack surfaces.
Theoretically, generalizing conformal risk control to decision-time, multimodal, and sequential settings points to fruitful directions: tighter sequential CRC that captures compounding temporal correlations, richer shift-detection and weighted calibration strategies, and compositional pipelines combining logic-based and statistical action gating.
Potential future work includes expansion of Phone-Harm to broader app/locale/OS coverage, continual calibration under live traffic, and domain-adaptive risk modeling.
Conclusion
CORA establishes a scalable, principled paradigm for safe mobile GUI automation. By combining action-conditional risk estimation, conformal statistical calibration, goal-anchored semantic reasoning, and targeted intervention, it sets a new standard for balancing help and harm in high-stakes agentic automation. The public release of Phone-Harm and the CORA codebase should further catalyze robust, practical progress in risk-controlled AI agents for ubiquitous, real-world settings.