PrivacyAlign: Contextual Privacy Alignment for LLM Agents
Abstract: AI agents acting on behalf of users are constantly making decisions, and for users to trust their agents, those decisions must align with what they actually want. Privacy is an important alignment problem for agents: every message, post, or tool call an agent makes is a contextual judgment about what is appropriate to share, with whom, and under which conditions. Because such judgments depend on social expectations and norms, human judgment does not merely label privacy violations but also helps define them. While existing work relies on unreliable proxies for both training and evaluation, we place human judgment at the center of agentic privacy alignment. We introduce PrivacyAlign, a dataset of 1,350 samples with 3,516 detailed annotations from 599 unique annotators across diverse scenarios where current LLMs actually leak, and use it to ground both alignment training and automated evaluation in human privacy norms. Building on these annotations, we first show that conditioning LLM judges on human annotations and explanations for reference responses to the same prompt makes their judgments more reliable. We then introduce annotation-conditioned reward modeling, which uses these annotations to score new responses during RL, and show that small open-weight agents trained with this reward better align with human privacy norms, with strong gains on PrivacyAlign and existing privacy benchmarks for agents.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
What is this paper about?
This paper looks at how AI assistants (called “agents”) can avoid spilling personal or sensitive information when they talk or act on your behalf. The authors say that privacy isn’t just about hiding everything—it’s about sharing the right things with the right people in the right situations. Because those decisions are very human and depend on social norms, the paper puts human judgment at the center of training and testing AI for privacy.
What questions did the researchers ask?
- Can we build realistic, varied situations where AI agents are likely to overshare, so we can test them properly?
- If we show AI “judges” what humans think about privacy in specific situations, will those judges make better, more consistent decisions?
- Can we train smaller, open-source AI agents to follow human privacy norms better by using human feedback as a guide?
- Can we reduce leaks without making the agent unhelpful (by leaving out important information the user needs)?
How did they study it?
The team created a full “ecosystem” to test and train AI privacy behavior, then measured how well different methods worked.
Step 1: Build realistic privacy test cases (PrivacyAlign)
Think of this like creating detailed, pretend scenarios where an assistant might accidentally share too much:
- They generated short stories about people, their jobs, tasks, and tools the AI agent could use (like searching emails or calendars). Tools and “memories” are like the agent’s notes and lookups.
- Each scenario includes:
- A user instruction (what the agent should do)
- A trail of “tool calls” the agent might make (like checking an inbox)
- A small set of “memories” (facts about the person)
- Two possible final responses the agent could give
- Humans then reviewed these two responses and marked:
- If each response leaked anything sensitive (a “leak”)
- If each response left out important task details (an “omit”)
- Which response they preferred overall
- A short explanation of why
They collected 1,350 such comparisons and 3,516 annotations from 599 different people. This makes PrivacyAlign a strong, human-grounded dataset for privacy.
Everyday analogy: Imagine two draft texts your friend could send for you. You ask several classmates: “Does either message reveal a secret? Does it skip something important? Which message is better?” Their answers and reasons become your “guidebook” for future messages.
Step 2: Make the AI “judges” better using human guidance
An AI judge is an AI model that scores whether a reply is good or not. The team tried two ways to use human feedback:
- Annotation-conditioned judge: When the AI judge scores new answers, it also sees the human annotations from that same scenario (what people thought was sensitive or relevant, and why). This is like giving the judge a scenario-specific cheat sheet from humans.
- Trained generative reward model: A separate AI model is trained across many examples to learn general privacy rules from human labels. Later, it scores new answers using what it learned, but without seeing the scenario’s specific human notes.
Step 3: Train agents with rewards (reinforcement learning)
They used the judges as scoring systems to reward agents during practice, a bit like a coach scoring drills:
- The agent writes several possible replies.
- The judge compares them and gives higher scores to better, more privacy-safe replies.
- The agent updates its behavior to aim for higher scores next time.
To keep agents from “cheating” by saying almost nothing, the team added a length penalty if a response was too short. They also tracked two kinds of mistakes:
- Leaks: sharing sensitive info.
- Omits: leaving out important info needed for the task.
They summarized results with a “clean rate” — the percent of replies that had no leaks and no omits (both safe and helpful).
What did they find?
- Human guidance makes AI judges more reliable: When the judge reads the human annotations tied to that specific scenario, different judges agree with each other more, and they match carefully checked “gold” answers better.
- Training with annotation-conditioned rewards works best: Small, open-source agents trained with the scenario-specific human guidance leaked less while staying helpful. Their “clean” responses went up more than other methods.
- Simple prompts help but aren’t enough: Adding a “be careful with privacy” prompt reduced leaks for big proprietary models, but it didn’t consistently fix omissions, and it helped smaller open models much less. Training was more effective than prompts alone.
- Better than string-matching rules: A baseline method that checks for forbidden words or exact strings (like a simple filter) did reduce leaks but often caused more omissions. The new method struck a better balance: safer without becoming unhelpful.
- Gains carry over: Models trained on PrivacyAlign also improved on other privacy tests (benchmarks) they weren’t trained on, suggesting the approach generalizes.
Why is this important?
- Trustworthy AI assistants: If an assistant reads your emails or calendar, it must understand what’s okay to share and what isn’t, depending on who’s asking and why.
- Human norms matter: Privacy depends on context and social expectations. Teaching AI using real human judgments makes its decisions closer to what people actually want.
- Practical progress for smaller models: The approach helps smaller, open models get closer to big, proprietary ones in privacy behavior—good for wider, safer use.
Limitations and what’s next
- Synthetic (made-up) scenarios: The test cases are generated by AI, not taken from real user data, to avoid privacy risks. While they worked to make these realistic, the real world is messier. Future work could test with more varied or audited real-world-like data.
- Broader coverage: More cultures, languages, and types of tools or tasks could be added to make the norms even more inclusive and robust.
Bottom line
The paper shows a practical way to teach AI assistants to protect privacy in context: use human judgments directly, both to judge and to train. With scenario-specific human guidance, AI gets better at knowing what to say, what to keep private, and how to stay helpful.
Knowledge Gaps
Knowledge gaps, limitations, and open questions
Below is a concrete list of unresolved issues that future work could address:
- Real-world validity: How well do models trained/evaluated on synthetic scenarios transfer to real user interactions, logs, and deployment contexts where privacy stakes and behaviors differ?
- Selection bias in data generation: The pipeline filters for scenarios where baseline LLMs leak; does this overrepresent “hard” cases and distort base rates compared to typical usage?
- Domain and topic skew: Despite diversity caps (and a healthcare-specific filter), are certain domains still over/under-represented relative to real workloads? Quantify and correct residual skews.
- Cross-cultural generalization: Privacy norms vary globally. How do models behave across languages, regions, and cultures, given U.S.-centric name sampling and Prolific annotator demographics?
- Annotation density and reliability: The training split averages ~2.5 annotations per item. What is the annotation count needed for stable preferences/leak/omit labels, and how does label noise affect RL?
- Omit-label reliability and sparsity: Omit labels are rare (≈16.5%) with low κ. How can rubrics, examples, or task design increase clarity and inter-annotator reliability on helpfulness/omissions?
- Severity and granularity: Current leak/omit labels are binary. Can graded severity scales (e.g., high/medium/low harm or utility) yield better training signals and more actionable evaluation?
- Anchoring from AI comparative analysis: The interface reveals an AI-generated comparison after initial labels. What is the measured anchoring or revision effect versus a no-assist control?
- “Gold” label scope: Agreement analyses use only 30 items with author-audited gold labels. Expand gold sets (and domains) to robustly calibrate judges and measure evaluator drift.
- Judge dependence and robustness: Results average two frontier judges; training uses a specific judge setup. How robust are conclusions across more/other judges, reasoning modes, temperatures, and families?
- Evaluation realism: Annotation-conditioned judges see same-prompt reference annotations; in the wild, no such annotations exist. How do evaluations change without this context?
- Generalization without annotations: The annotation-conditioned reward leverages per-prompt annotations at training time. How well do trained models handle entirely novel prompts with no guidance?
- Intermediate leakage channels: The work evaluates final actions; investigate leakage in tool arguments, intermediate tool calls, scratchpads/reasoning traces, and tool orchestration logs.
- Long-horizon memory: Scenarios use short memory stores (5–10 facts). How do agents behave with rich, persistent, multi-session memories that accumulate sensitive context over time?
- Realistic side effects: The tool calls are read-only; assess privacy under write/actuating tools (email sending, ticket updates, calendar invites) with real or sandboxed side effects.
- Multi-turn privacy behavior: Evaluate agents’ ability to seek consent, clarify recipients/contexts, or negotiate disclosure boundaries over multiple turns before acting.
- Adversarial and deceptive contexts: Test resilience to prompt injections, malicious tools/recipients, and social-engineering attempts that induce unauthorized disclosure.
- Reward hacking and failure modes: Analyze whether agents learn to superficially avoid “leaks” (e.g., being overly terse, evasive, or hiding content via paraphrase/steganography) while harming utility.
- Balanced multi-objective training: The gen-RM omits omit-label supervision due to sparsity, correlating with higher omission rates. How to design rewards that jointly optimize privacy and helpfulness?
- Alternative metrics: Incorporate task success, factual correctness, and user satisfaction alongside leak/omit—avoiding models that are “clean” but unhelpful or incorrect.
- Fairness auditing: Do leak/omit rates differ across demographic attributes (names, ethnicity, religion, citizenship)? Measure and mitigate disparate privacy protection.
- Personalization: Users differ in privacy preferences. How can agents learn and respect user-specific policies and context-dependent norms, and reconcile conflicts among stakeholders?
- Legal/compliance grounding: Map judgments to regulatory frameworks (e.g., GDPR, HIPAA) and enterprise policies to assess legal compliance versus crowd norms; explore policy-aware training.
- Open, reproducible pipelines: Several stages rely on proprietary models. Reproduce the full generation, judging, and training pipeline with open-weight models and report performance deltas.
- External benchmark validity: PrivacyLens and CIMemories rely on automated labels. Re-evaluate transfer gains with human-labeled subsets to validate true generalization.
- Data scale and cost: Explore active learning or uncertainty sampling to prioritize items for annotation, reducing cost while increasing coverage of contentious cases.
- Hyperparameter and ablation studies: Provide sensitivity analyses for SAPO settings, KL regularization, group size K, short-response penalty, and response-length floor.
- Annotation rationales: The gen-RM ignores free-text rationales; test whether rationale-conditioned or rationale-supervised RMs improve alignment and reduce omissions.
- Detection of indirect leaks: Move beyond string matching to evaluate paraphrases, inferences from quasi-identifiers, linkability, and context re-identification risks.
- Continual learning of norms: Privacy expectations evolve. Study mechanisms for updating models with fresh annotations/policies while avoiding catastrophic forgetting.
- Human-in-the-loop deployment: Evaluate user trust, satisfaction, and override rates with trained agents in realistic workflows; measure how explanations affect user acceptance.
- Composability with runtime defenses: Study how training-time alignment composes with inference-time filters (e.g., mediators, reviewers) to achieve defense-in-depth.
- Multilingual and modality coverage: Extend to non-English text, code-switching, and multimodal inputs/outputs (voice, images) where privacy risks and norms may differ.
Practical Applications
Immediate Applications
Below are concrete, deployable uses that organizations and researchers can implement now, leveraging the dataset, judging method, and training recipes introduced in the paper.
- Pre-deployment privacy evaluation gates for LLM agents
- What: Use the annotation-conditioned LLM judge to score leak rate, omit rate, and clean rate as CI/CD gates before releasing agents that use tools (email, calendar, web, internal docs) or persistent memory.
- Sectors: software/IT (MLOps, DevSecOps), healthcare (PHI handling), finance (PII/PCI), legal/HR, customer support, enterprise productivity.
- Tools/products/workflows:
- CI plugins (GitHub Actions/Jenkins) that run PrivacyAlign tests and block promotion if clean rate < threshold.
- Model registry metadata storing leak/omit/clean KPIs per version.
- Assumptions/dependencies: Requires adopting the released PrivacyAlign tasks or creating a small, org-specific annotated set (the paper’s generation pipeline helps bootstrap). Judge costs and latency must fit CI budgets; judges rely on LLMs and the quality of human annotations used for conditioning.
- Privacy red-teaming harnesses specific to an organization
- What: Use the paper’s automated scenario generator to synthesize privacy-sensitive tasks using the org’s tool schemas, then mine pairs and run a naive agent to ensure real leak potential. Add a small burst of human annotations to calibrate and use the annotation-conditioned judge to score.
- Sectors: enterprise software, SaaS platforms, internal LLM platform teams, regulated industries.
- Tools/products/workflows:
- “Scenario Studio” for privacy red-teaming tied to internal tool APIs (email, ticketing, CRM).
- Scheduled “privacy regression” jobs that refresh scenarios every release.
- Assumptions/dependencies: Synthetic scenarios need prompt engineering and diversity controls (the paper notes overproduction of health themes without caps). Minimal human annotation is still needed to anchor norms.
- Runtime guardrail for outbound agent actions
- What: Add a pre-send “privacy gate” that runs the annotation-conditioned judge on an agent’s outbound message/post/tool call; if likely leak, trigger redaction, ask-for-consent, or human-in-the-loop review.
- Sectors: email/calendar assistants, customer support autoresponders, social media/social CRM tools, sales enablement.
- Tools/products/workflows:
- “Hold-and-review” queue for flagged responses.
- Inline “consent prompts” that summarize the suspected sensitive item(s) and ask the user to confirm sharing.
- Assumptions/dependencies: Judge inference time must be acceptable (batch or caching may be required). The judge is calibrated to scenarios with human annotations; for new domains, seed with a few annotated examples to stabilize judgments.
- Prompt-based privacy mode for existing assistants
- What: Adopt the paper’s privacy-enhanced prompting template to reduce leaks immediately in frontier models while monitoring omit rate to avoid over-withholding.
- Sectors: customer support, HR chatbots, productivity assistants.
- Tools/products/workflows:
- “Privacy Mode” toggle in product UI with separate prompts and metrics dashboards.
- Assumptions/dependencies: Prompting reduces (but doesn’t eliminate) leaks; must be combined with monitoring of omit rates to preserve usefulness.
- Fine-tuning small open models for privacy-aware on-device or private-cloud use
- What: Apply the paper’s RL recipe with annotation-conditioned reward to small open-weight models to approach frontier behavior without sending data to third-party APIs.
- Sectors: privacy-sensitive enterprises, on-device/mobile assistants, edge scenarios.
- Tools/products/workflows:
- “Privacy-aligned micro-models” packaged as internal base models for downstream teams.
- Assumptions/dependencies: Requires RL expertise, compute, and a seed of domain-relevant annotated tasks. Results depend on the congruence between training scenarios and deployment distribution.
- Procurement and vendor benchmarking
- What: Compare LLM providers or agent frameworks using standardized leak/omit/clean rates on a shared or customer-tailored PrivacyAlign evaluation pack.
- Sectors: all regulated sectors and enterprise buyers of AI.
- Tools/products/workflows:
- RFP annex with target clean-rate thresholds and public test results.
- Assumptions/dependencies: Benchmarks should be adapted to sector norms; results depend on which judge(s) are used and the annotation pool.
- Academic baselines and reproducible evaluation
- What: Use the open dataset, prompts, and RL/annotation-conditioned reward recipe as baselines for contextual privacy alignment research and comparisons against inference-time filters.
- Sectors: academia, industrial research labs.
- Tools/products/workflows:
- Shared leaderboard reporting leak/omit/clean metrics under common judge configurations.
- Assumptions/dependencies: Synthetic data may not fully capture real-world distributions; cross-benchmark comparisons should acknowledge model-generated labels on prior datasets.
- Policy and audit-ready metrics
- What: Adopt leak rate, omit rate, and clean rate as operational KPIs for AI risk dashboards and compliance evidence (data minimization, contextual integrity).
- Sectors: compliance, risk, governance.
- Tools/products/workflows:
- Governance dashboards that track KPI trends and drift across releases.
- Assumptions/dependencies: Organizations need to codify acceptable thresholds and exception-handling procedures; ensure alignment with jurisdictional privacy laws and internal policies.
Long-Term Applications
These opportunities build on the paper’s methods but require additional research, scaling, or ecosystem development.
- Organization- and user-personalized privacy norms
- What: Learn per-org and per-user privacy preferences (roles, relationships, sensitivity thresholds) and condition judges/reward models on those evolving norms for truly contextual decisions.
- Sectors: enterprise IT, consumer productivity, collaboration platforms.
- Tools/products/workflows:
- “Privacy profiles” that encode user/org rules; consent learning loops using post-hoc feedback.
- Assumptions/dependencies: Preference elicitation UX, continuous feedback capture, and safe storage of preference data; avoiding preference overfitting or bias.
- Standardized certification for contextual privacy alignment
- What: Third-party certification schemes that test agents across diverse, human-annotated scenarios and report clean-rate tiers (e.g., bronze/silver/gold).
- Sectors: policy/regulation, industry consortia, auditors.
- Tools/products/workflows:
- Reference test suites with cross-cultural coverage; auditor APIs for reproducible judging.
- Assumptions/dependencies: Multi-stakeholder governance; consensus on acceptable judge configurations and sampling; regulatory recognition.
- Multilingual, cross-cultural, multi-modal privacy benchmarks
- What: Expand scenario generation and annotations beyond English and text to voice, images, screenshares, and IoT contexts where norms vary markedly.
- Sectors: global products, smart home, telehealth, education, customer support.
- Tools/products/workflows:
- Cross-locale scenario packs and judges; modality-bridging tool schemas (e.g., OCR/audio diarization).
- Assumptions/dependencies: Recruiting diverse annotators with domain fluency; modality-aware privacy taxonomies; additional safety oversight.
- Privacy-aware tool orchestration and memory architectures
- What: Agent frameworks that implement contextual-integrity policies: selective recall, scoped memory, least-privilege tool calls, and redaction-by-default pipelines guided by learned rewards.
- Sectors: software engineering platforms, enterprise agents, RPA.
- Tools/products/workflows:
- “Contextual Integrity Policy Engine” that tags information flows and enforces data-minimization constraints; memory TTLs and privacy scopes.
- Assumptions/dependencies: Tool vendors must expose schemas and sensitivity metadata; performance budgets for extra planning/verification steps.
- Continual monitoring and drift detection for privacy alignment
- What: Production telemetry that samples agent outputs, evaluates with annotation-conditioned judges, and detects degradations in clean rate over time.
- Sectors: all AI product teams at scale.
- Tools/products/workflows:
- Privacy SLOs with automated rollbacks; shadow evaluations on canaries.
- Assumptions/dependencies: Log governance and consent; cost control for continuous judging; safe sampling strategies.
- Regulatory integration: automated DPIA and compliance documentation
- What: Generate data-protection impact assessments with evidence from leak/omit/clean metrics and scenario coverage; map to policies (data minimization, purpose limitation).
- Sectors: policy/legal/compliance in regulated industries.
- Tools/products/workflows:
- DPIA builders that ingest benchmark results and produce regulator-friendly artifacts.
- Assumptions/dependencies: Jurisdiction-specific templates; ongoing updates as models and tools evolve.
- Federated and on-device privacy-aligned models
- What: Train small models with annotation-conditioned rewards in federated settings to match local norms; deploy on device for high-sensitivity contexts.
- Sectors: mobile productivity, healthcare-at-home, assistive tech.
- Tools/products/workflows:
- On-device agents with “never leave device” guarantees and privacy-aligned defaults.
- Assumptions/dependencies: Efficient RL or post-training methods, privacy-preserving telemetry to improve models without centralizing sensitive data.
- Multi-agent privacy coordination protocols
- What: Protocols and shared budgets for information flow among collaborating agents (planner/worker/reviewer) to prevent cross-agent leakage.
- Sectors: complex enterprise workflows, software development assistants, autonomous operations.
- Tools/products/workflows:
- “Privacy budget” APIs that meter and justify disclosures across agent roles.
- Assumptions/dependencies: Standardized agent metadata and provenance; adoption across toolchains.
- Explainable privacy decisions and user consent UX
- What: Agents that produce concise, user-facing rationales for why they withheld or requested to share specific details and solicit consent when appropriate.
- Sectors: consumer apps, workplace collaboration.
- Tools/products/workflows:
- Inline “why not shared” chips; one-click override with audit trail.
- Assumptions/dependencies: High-quality rationale generation without leaking in the explanation; human factors research on consent fatigue.
- Generalization of annotation-conditioned rewards beyond privacy
- What: Apply the same technique to other normative domains (fairness, toxicity, safety, IP compliance) by conditioning judges on human rationales/labels collected for reference responses.
- Sectors: platform safety, legal/compliance, content moderation.
- Tools/products/workflows:
- Unified “norms engine” that hosts domain-specific annotated pools used to condition judges and train models.
- Assumptions/dependencies: Domain-specific annotation programs and governance; careful conflict resolution among competing norms.
Glossary
- agentic AI: AI systems that autonomously plan and act (beyond simple chat), often using tools and memory, which raises new privacy challenges. "The shift from conversational chatbots to agentic AI fundamentally changes the privacy problem for AI assistants."
- AirGapAgent: An inference-time privacy defense that filters user data before it reaches the assistant. "\citet{bagdasarian2024airgap} proposed AirGapAgent, which filters user data before passing it to the assistant."
- annotation-conditioned (pairwise) judge: An LLM-as-a-judge that compares responses while being given same-prompt human annotations as contextual guidance. "The first reward source is an LLM judge conditioned on the same-prompt annotations."
- annotation-conditioned reward modeling: Using human annotations for the same prompt at scoring time to guide the reward signal during RL. "We then introduce annotation-conditioned reward modeling, which uses these annotations to score new responses during RL, and show that small open-weight agents trained with this reward better align with human privacy norms"
- clean rate: Evaluation metric: the fraction of responses that neither leak sensitive information nor omit task-relevant information. "We summarize the two with the clean rate, the fraction of responses that neither leak nor omit."
- Cohen's kappa: A statistic measuring inter-rater agreement beyond chance. "Pairwise preferences reach substantial agreement (Cohen's , 78.1\% pairwise agreement) and per-response leak labels reach moderate agreement (, 78.4\% pairwise agreement)."
- Constitutional AI: A post-training alignment approach guided by a set of principles or “constitution.” "General post-training methods such as RLHF~\citep{ouyang2022training}, DPO~\citep{rafailov2023direct}, GRPO~\citep{shao2024deepseekmath}, RLAIF~\citep{lee2023rlaif}, and Constitutional AI~\citep{bai2022constitutional} have been widely studied for alignment."
- contextual integrity: A privacy theory that defines privacy as appropriate information flows conditioned on social context, roles, and norms. "The same disclosure can be appropriate in one context and a violation in another, which contextual integrity theory explains through norms of information flow rather than secrecy"
- constraint-based diversity sampler: A filtering step that enforces distributional caps to maintain scenario diversity. "and prune the survivors with embedding-similarity deduplication and a constraint-based diversity sampler."
- data minimization: Principle that systems should collect/emit only the data necessary for a task. "\citet{zharmagambetov2025agentdam} introduced AgentDAM, an end-to-end benchmark for data minimization in autonomous web agents."
- Direct Preference Optimization (DPO): A post-training method that directly optimizes model preferences without explicit reward modeling. "General post-training methods such as RLHF~\citep{ouyang2022training}, DPO~\citep{rafailov2023direct}, GRPO~\citep{shao2024deepseekmath}, RLAIF~\citep{lee2023rlaif}, and Constitutional AI~\citep{bai2022constitutional} have been widely studied for alignment."
- embedding-similarity deduplication: Removing near-duplicate items based on vector similarity. "apply LLM-judge and rule-based filters, and prune the survivors with embedding-similarity deduplication and a constraint-based diversity sampler."
- FaithJudge: An LLM-judge method that conditions on human-annotated examples to evaluate hallucinations more faithfully. "FaithJudge~\citep{tamber-etal-2025-benchmarking} improves automated hallucination evaluation by conditioning an LLM-as-a-judge on a pool of human-annotated hallucination examples"
- format penalty: A training-time penalty for outputs that violate required structure or cannot be parsed. "A format penalty discourages unparseable verdicts."
- generative reward model (gen-RM): A learned model that predicts human preferences (and labels) to produce a reward signal without per-prompt annotations. "The second reward source is a dedicated generative reward model (gen-RM) trained to predict human preferences"
- Group Relative Policy Optimization (GRPO): A post-training optimization technique that uses group-relative feedback signals. "General post-training methods such as RLHF~\citep{ouyang2022training}, DPO~\citep{rafailov2023direct}, GRPO~\citep{shao2024deepseekmath}, RLAIF~\citep{lee2023rlaif}, and Constitutional AI~\citep{bai2022constitutional} have been widely studied for alignment."
- group-relative advantage: Advantage computed by centering a rollout’s score relative to peers sampled for the same prompt. "We run on-policy RL with a group-relative advantage."
- hallucination evaluation: Assessing whether a model invents unsupported content. "FaithJudge~\citep{tamber-etal-2025-benchmarking} improves automated hallucination evaluation by conditioning an LLM-as-a-judge on a pool of human-annotated hallucination examples"
- in-context learning: An LLM’s ability to adapt behavior using examples and instructions provided at inference time. "leveraging the in-context learning ability of LLMs~\citep{NEURIPS2020_1457c0d6} to align judgments with prior human labels."
- inference-time filter: A mitigation that screens or modifies inputs/outputs at run time to prevent privacy breaches. "\citet{wang-etal-2025-privacy} introduced PrivacyChecker as a model-agnostic inference-time filter."
- inter-annotator agreement: Agreement among human annotators on labels for the same items. "We report item-weighted inter-annotator agreement on leak, omit, and preference labels across the entire dataset."
- inter-judge agreement: Agreement among automated judges on the same evaluations. "Inter-judge agreement (Cohen's ) on 12 fresh model runs on the PrivacyAlign test set."
- leak rate: Evaluation metric: the fraction of responses judged to disclose sensitive information. "The leak rate is the fraction of responses that leak sensitive information"
- LLM-as-a-judge: Using an LLM to evaluate or grade other model outputs. "FaithJudge~\citep{tamber-etal-2025-benchmarking} improves automated hallucination evaluation by conditioning an LLM-as-a-judge on a pool of human-annotated hallucination examples"
- LLM judge: An LLM used as an evaluator of privacy, helpfulness, or preference judgments. "LLM-judge evaluations~\citep{shao2024privacylens, mireshghallah2025cimemories} substitute the judge's own hidden biases and limited understanding for human input."
- on-policy RL: Reinforcement learning where new experience is sampled from the current policy being optimized. "We run on-policy RL with a group-relative advantage."
- PAPILLON: A system that manages privacy by mediating access between local and cloud models. "\citet{siyan2024papillon} developed PAPILLON, which mediates local and cloud model access."
- pairwise accuracy: Accuracy at predicting which of two responses humans prefer (including ties). "Pairwise accuracy scores the full three-way verdict (first response preferred, second preferred, or tie)."
- pairwise comparisons: Preference judgments collected by asking annotators to choose between two responses. "PrivacyAlign: the first human-annotated dataset of privacy failures in agentic assistant responses, with 1{,}350 pairwise comparisons"
- persistent memory: Stored prior interactions or facts that agents can draw on, which can leak private details if mishandled. "Poorly aligned agents risk leaking private details drawn from tool calls and persistent memory."
- privacy-enhanced prompt (PE): A prompting strategy that emphasizes privacy considerations to reduce leaks. "Per-model leak, omit, and clean rates on PrivacyAlign under naive and privacy-enhanced (PE) prompting"
- reverse-KL penalty: A regularizer that penalizes divergence from a reference policy using reverse KL divergence. "and regularize against a frozen reference policy using a full-vocabulary reverse-KL penalty for greater stability"
- reward modeling from human feedback: Learning a reward function from human preferences/labels to guide alignment. "Reward modeling from human feedback is the standard mechanism for turning preference annotations into alignment signals"
- RLAIF: Reinforcement Learning from AI Feedback, using AI-generated feedback instead of (or in addition to) human feedback. "General post-training methods such as RLHF~\citep{ouyang2022training}, DPO~\citep{rafailov2023direct}, GRPO~\citep{shao2024deepseekmath}, RLAIF~\citep{lee2023rlaif}, and Constitutional AI~\citep{bai2022constitutional} have been widely studied for alignment."
- RLHF: Reinforcement Learning from Human Feedback, a standard alignment technique using human preferences. "General post-training methods such as RLHF~\citep{ouyang2022training}, DPO~\citep{rafailov2023direct}, GRPO~\citep{shao2024deepseekmath}, RLAIF~\citep{lee2023rlaif}, and Constitutional AI~\citep{bai2022constitutional} have been widely studied for alignment."
- rubric-conditioned rewards: RL signals guided by instance-specific rubrics capturing multiple criteria. "Recent work has also explored rubric-conditioned rewards for RL, treating instance-specific rubrics as structured, multi-criteria reward signals for post-training"
- SAPO: A policy optimization algorithm used for RL training. "We train models with SAPO~\citep{gao2025soft}"
- short-response penalty: A penalty applied during training to discourage overly brief, unhelpful outputs that avoid leaks by omission. "To prevent responses collapsing to trivially short tool calls that avoid leaks while omitting everything useful, we add a short-response penalty."
- stratified sampling: Sampling that preserves proportions across categories (e.g., domains/actions). "The 200 test items are stratified-sampled from the pruned scenario pool to balance final-action and domain coverage across train and test."
- string-matching reward: A rule-based reward that checks for presence/absence of pre-enumerated strings instead of human judgments. "CI-RL~\citep{lan2025contextual}, which trains using a string-matching reward over required and restricted values"
- tool orchestration: Coordination of multiple tools during agent execution, which can itself cause privacy leakage. "tool orchestration as a leakage channel"
- tool-call trajectory: The sequence of tool invocations an agent performs to solve a task. "For each scenario we generate a tool-call trajectory and a small prior-interaction memory store."
- vLLM: A high-throughput inference engine used to generate rollouts during RL. "Rollouts are generated with vLLM~\citep{10.1145/360(0006.36131)65}"
Collections
Sign up for free to add this paper to one or more collections.