Papers
Topics
Authors
Recent
Search
2000 character limit reached

Harness-MU: A Safe, Governed, and Effective Harness for Multi-User LLM Agents

Published 20 Jun 2026 in cs.CR and cs.AI | (2606.21856v1)

Abstract: The increasing deployment of LLM agents in collaborative workflows demands robust multi-user, multi-principal interaction mechanisms capable of enforcing access permissions, resolving authoritative conflicts, and preventing unauthorized data disclosure. However, a fundamental mismatch exists between the single-user training paradigm of contemporary LLMs and the hard constraints required for multi-principal governance, rendering probabilistic, prompt-based safeguards vulnerable under multi-turn adversarial interactions.Our key insight is that governance constraints -- who is authorized, what is restricted, and whose instructions take precedence -- are deterministic runtime variables that should be enforced by execution hooks rather than entrusted to the LLM. We present \textbf{Harness-MU}, the first model-agnostic, zero-tuning infrastructure framework for multi-user LLM agents. By decoupling language generation from safety orchestration, Harness-MU guarantees unbreakable permission boundaries while maximizing compliant demand satisfaction. Across four frontier open-weight and proprietary models on the \textit{Muses-Bench} benchmark, Harness-MU achieves the goal of privacy preservation across all access-control attacks, outperforming the standard baseline by 0.28--0.39 in utility score and improving instruction-following accuracy by up to 48.9 percentage points. Harness-MU advances the philosophy of \textit{Harness Engineering}, establishing that systematic infrastructure is essential for solving LLM multi-principal governance challenges. The code and data are available at https://github.com/YuanJrShiuan/Harness-MulUser.

Summary

  • The paper introduces a formal MPA decision process that enforces deterministic, role-based privacy and access controls for LLM agents.
  • It details a four-module runtime pipelineโ€”Gatekeeper, Mediator, Worker Collective, and ComplianceCheckerโ€”that secures multi-user interactions.
  • Empirical results show perfect privacy preservation and significant accuracy improvements, demonstrating Harness-MUโ€™s superiority over conventional methods.

A Formal Analysis of "Harness-MU: A Safe, Governed, and Effective Harness for Multi-User LLM Agents"

Motivation and Problem Setting

Deployment of LLM agents in enterprise and team-centric use-cases faces fundamental challenges related to multi-principal governance: enforcing strict privacy and role-based access controls, mediating conflicting instructions according to authority hierarchies, and guaranteeing that untrusted users cannot circumvent policy constraints through prompt engineering or adversarial dialogue. Prevailing LLM-centric approaches, including prompt engineering and model fine-tuning (e.g., instruction tuning, RLHF), are probabilistic and lack deterministic guarantees when exposed to multi-user, adversarial environments, often failing in basic privacy and authority-respecting protocols [yang2026multi, ramakrishnan2025assessingmitigatingdatamemorization].

The paper addresses the inherent mismatch between the probabilistic, single-principal optimization logic of current LLMs and the need for deterministic, policy-aligned multi-user orchestration. It rigorously formalizes the multi-user LLM agent setting as a Multiple Principalโ€“Agent (MPA) decision process, emphasizing the need for explicit, runtime-enforced privacy and authority boundaries. The study proposes shifting these hard constraints from model-internal logic to explicit system infrastructure.

System Architecture: Harness-MU

Harness-MU introduces a decoupled, model-agnostic harness for MPA scenarios that strictly enforces privacy, access control, and arbitration of competing goals outside the LLMโ€™s generative boundary. The system is architected as a four-module runtime pipeline:

  • Gatekeeper: Computes deterministic per-user authorization vectors, freezing runtime policy boundaries prior to any model invocation.
  • Mediator: Implements authority-weighted orchestration, decomposing multi-user requests into isolated, policy-compliant execution plans for each user.
  • Worker Collective: Executes parallel, context-isolated generations for each user, preventing contamination of user history and eliminating prompt injection attack vectors.
  • ComplianceChecker: Applies deterministic, post-generation projection to enforce non-leakage of sensitive tokens and correct constraint violations, fail-closing unauthorized actions. Figure 1

    Figure 1: Harness-MU pipeline. Runtime orchestration modules within a six-component harness infrastructure framework.

This runtime infrastructure operationalizes harness engineering principles [meng2026agentharness, lopopolo2026harness], realizing the full six-component formal harness tuple (EE, TT, CC, SS, LL, VV). The architecture keeps all privacy, authority, and constraint enforcement logic outside the LLMโ€™s probabilistic scope, providing explicit and auditable boundaries.

Theoretical Guarantees and Formalism

The multi-principal optimization objective is framed as a constrained maximizationโ€”jointly maximizing authority-weighted utility across users while strictly prohibiting privacy leakage or authority inversion:

  • Hard Constraints: The agentโ€™s action space is projected onto a feasible set where any unauthorized data disclosure or failure to satisfy dominant authority invariants is strictly disallowed, operationalizing a fail-closed policy.
  • Feasible Projection: Candidate actions violating these hard constraints are deterministically overridden (e.g., with refusals) by the ComplianceChecker.
  • No Context Contamination: Worker threads and context management guarantee that user context and histories cannot be cross-leaked, and adversarial prompt engineering is structurally nullified.

This theoretical framing distinguishes Harness-MU from prior LLM-centric approaches, which cannot offer such deterministic assurances under adversarial and multi-turn settings.

Empirical Evaluation

Harness-MU is benchmarked on Muses-Bench [yang2026multi], the canonical suite for MPA agent evaluation. The experiments focus on two key scenarios: multi-principal access control (AC) and multi-user instruction following (IF). Performance is assessed against leading open-weight and proprietary model families (Deepseek, Qwen, Gemini, GPT).

Multi-Principal Access Control (AC)

Across 12 templateโ€“attack datasets and multiple adversarial settings, Harness-MU achieves perfect privacy preservation ($1.000$) with zero variance and no utility degradation (Figure 2 and breakdown in main text). In contrast, standard Muses-Bench baselines exhibit unauthorized leakage, with privacy drops up to 8% and utility losses ranging from 24-42%. Notably, in cases like the GPT backbone, Harness-MU raises utility by over 33 percentage points without sacrificing privacy. Figure 2

Figure 2: Access-control results comparison across four models. Error bars denote ยฑ\pm standard error across 12 templateโ€“attack datasets.

Multi-User Instruction Following (IF)

Harness-MU delivers substantial improvements in both accuracy and authority-weighted accuracy across all evaluated models, especially in settings with instruction conflict or weaker LLM backbones. On GPT, aligned-mode accuracy improves by 48.9 points (from 0.422 to 0.912), and conflict-mode accuracy by 47.2 points (from 0.309 to 0.781). The system robustly enforces priority of higher-authority constraints and serves compatible lower-authority demands when feasible. Figure 3

Figure 3

Figure 3: Instruction-following results comparison across four defender models. Error bars denote ยฑ\pm standard error across scenarios.

Module Contribution and System Cost

The ComplianceChecker demonstrably closes all privacy leaks (raising privacy by up to +6.8 percentage points in the worst-case model), and its correctness is supported by zero observed false positives in authorized transaction paths. Empirically, the harness' deterministic layers compensate most in regimes where the underlying LLM is weakest.

Regarding system cost, while Harness-MU drives up aggregate LLM calls and token consumption due to per-user isolation, its wall-clock latency is reduced by 11% relative to single-agent baselines (via parallelization). Deterministic modules (Gatekeeper, ComplianceChecker) add negligible computational burden. Figure 4

Figure 4: Per-dataset wall-time comparison between Muses-Bench (agent) and Harness-MU (Mediator + Worker critical path) across 12 templateโ€“attack datasets. Worker and Mediator contributions are decomposed, showing bounded latency despite higher LLM call volume.

Practical and Theoretical Implications

Harness-MU demonstrates that deterministic, infrastructure-layer enforcement is essential for robust multi-user LLM deployment where privacy and access control are non-negotiable. This paradigm:

  • Obsoletes reliance on prompt engineering or fine-tuning for privacy and authority guarantees in multi-user contexts.
  • Enables LLM agents to operate safely in enterprise or regulated domains with strict governance boundaries.
  • Provides a modular pattern to extend to tool usage, side-effectful actions, and composable policy encodings.

The separation of language generation and governance logic is both a practical and theoretical advancement, aligning LLM agents with established security and system engineering best practices (e.g., RBAC, fail-closed firewalls), and enabling rigorous formal analysis and verification.

Limitations and Future Directions

Current evaluations presuppose simulated user profiles and fixed attacker backbones, which may underestimate the adversaryโ€™s capability in matched-model scenarios. Cost trade-offs, specifically aggregate token consumption and parallelization limits, become acute at large scale and suggest the need for optimization in prompt assembly, tool orchestration, and context caching. Defending against semantic or covert leakage channels not covered by string-matching requires integration with formal verification, cryptographic tracking, or information-flow analyses.

Broader directions include adapting ComplianceChecker logic for tool and environment-action governance, supporting negotiated or collaborative workflows, and empirically validating the architecture under human-in-the-loop dynamics and naturally ambiguous authority signals.

Conclusion

Harness-MU establishes a new standard for multi-user LLM agent safety, determinism, and utility alignment. By decoupling privacy and authority governance from the LLM and implementing it at the runtime infrastructure level, it offers strictly enforced, auditable access control and principled arbitration in multi-principal settings. This framework affirms the critical role of harness engineering for trustworthy LLM deployment and provides a broadly applicable pattern for future research at the intersection of agentic AI, access governance, and system safety.


References

  • "Harness-MU: A Safe, Governed, and Effective Harness for Multi-User LLM Agents" (2606.21856)
  • "Multi-User LLM Agents" (Yang et al., 19 Mar 2026)
  • "Agent Harness for LLM Agents: A Survey" [preprints20(2604.0428).v3]
  • "Assessing and Mitigating Data Memorization Risks in Fine-Tuned LLMs" (Ramakrishnan et al., 10 Aug 2025)
  • "Training LLMs to follow instructions with human feedback" [ouyang2022training]

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.