- The paper introduces a formal MPA decision process that enforces deterministic, role-based privacy and access controls for LLM agents.
- It details a four-module runtime pipelineโGatekeeper, Mediator, Worker Collective, and ComplianceCheckerโthat secures multi-user interactions.
- Empirical results show perfect privacy preservation and significant accuracy improvements, demonstrating Harness-MUโs superiority over conventional methods.
Motivation and Problem Setting
Deployment of LLM agents in enterprise and team-centric use-cases faces fundamental challenges related to multi-principal governance: enforcing strict privacy and role-based access controls, mediating conflicting instructions according to authority hierarchies, and guaranteeing that untrusted users cannot circumvent policy constraints through prompt engineering or adversarial dialogue. Prevailing LLM-centric approaches, including prompt engineering and model fine-tuning (e.g., instruction tuning, RLHF), are probabilistic and lack deterministic guarantees when exposed to multi-user, adversarial environments, often failing in basic privacy and authority-respecting protocols [yang2026multi, ramakrishnan2025assessingmitigatingdatamemorization].
The paper addresses the inherent mismatch between the probabilistic, single-principal optimization logic of current LLMs and the need for deterministic, policy-aligned multi-user orchestration. It rigorously formalizes the multi-user LLM agent setting as a Multiple PrincipalโAgent (MPA) decision process, emphasizing the need for explicit, runtime-enforced privacy and authority boundaries. The study proposes shifting these hard constraints from model-internal logic to explicit system infrastructure.
System Architecture: Harness-MU
Harness-MU introduces a decoupled, model-agnostic harness for MPA scenarios that strictly enforces privacy, access control, and arbitration of competing goals outside the LLMโs generative boundary. The system is architected as a four-module runtime pipeline:
This runtime infrastructure operationalizes harness engineering principles [meng2026agentharness, lopopolo2026harness], realizing the full six-component formal harness tuple (E, T, C, S, L, V). The architecture keeps all privacy, authority, and constraint enforcement logic outside the LLMโs probabilistic scope, providing explicit and auditable boundaries.
The multi-principal optimization objective is framed as a constrained maximizationโjointly maximizing authority-weighted utility across users while strictly prohibiting privacy leakage or authority inversion:
- Hard Constraints: The agentโs action space is projected onto a feasible set where any unauthorized data disclosure or failure to satisfy dominant authority invariants is strictly disallowed, operationalizing a fail-closed policy.
- Feasible Projection: Candidate actions violating these hard constraints are deterministically overridden (e.g., with refusals) by the ComplianceChecker.
- No Context Contamination: Worker threads and context management guarantee that user context and histories cannot be cross-leaked, and adversarial prompt engineering is structurally nullified.
This theoretical framing distinguishes Harness-MU from prior LLM-centric approaches, which cannot offer such deterministic assurances under adversarial and multi-turn settings.
Empirical Evaluation
Harness-MU is benchmarked on Muses-Bench [yang2026multi], the canonical suite for MPA agent evaluation. The experiments focus on two key scenarios: multi-principal access control (AC) and multi-user instruction following (IF). Performance is assessed against leading open-weight and proprietary model families (Deepseek, Qwen, Gemini, GPT).
Multi-Principal Access Control (AC)
Across 12 templateโattack datasets and multiple adversarial settings, Harness-MU achieves perfect privacy preservation ($1.000$) with zero variance and no utility degradation (Figure 2 and breakdown in main text). In contrast, standard Muses-Bench baselines exhibit unauthorized leakage, with privacy drops up to 8% and utility losses ranging from 24-42%. Notably, in cases like the GPT backbone, Harness-MU raises utility by over 33 percentage points without sacrificing privacy.
Figure 2: Access-control results comparison across four models. Error bars denote ยฑ standard error across 12 templateโattack datasets.
Multi-User Instruction Following (IF)
Harness-MU delivers substantial improvements in both accuracy and authority-weighted accuracy across all evaluated models, especially in settings with instruction conflict or weaker LLM backbones. On GPT, aligned-mode accuracy improves by 48.9 points (from 0.422 to 0.912), and conflict-mode accuracy by 47.2 points (from 0.309 to 0.781). The system robustly enforces priority of higher-authority constraints and serves compatible lower-authority demands when feasible.

Figure 3: Instruction-following results comparison across four defender models. Error bars denote ยฑ standard error across scenarios.
Module Contribution and System Cost
The ComplianceChecker demonstrably closes all privacy leaks (raising privacy by up to +6.8 percentage points in the worst-case model), and its correctness is supported by zero observed false positives in authorized transaction paths. Empirically, the harness' deterministic layers compensate most in regimes where the underlying LLM is weakest.
Regarding system cost, while Harness-MU drives up aggregate LLM calls and token consumption due to per-user isolation, its wall-clock latency is reduced by 11% relative to single-agent baselines (via parallelization). Deterministic modules (Gatekeeper, ComplianceChecker) add negligible computational burden.
Figure 4: Per-dataset wall-time comparison between Muses-Bench (agent) and Harness-MU (Mediator + Worker critical path) across 12 templateโattack datasets. Worker and Mediator contributions are decomposed, showing bounded latency despite higher LLM call volume.
Practical and Theoretical Implications
Harness-MU demonstrates that deterministic, infrastructure-layer enforcement is essential for robust multi-user LLM deployment where privacy and access control are non-negotiable. This paradigm:
- Obsoletes reliance on prompt engineering or fine-tuning for privacy and authority guarantees in multi-user contexts.
- Enables LLM agents to operate safely in enterprise or regulated domains with strict governance boundaries.
- Provides a modular pattern to extend to tool usage, side-effectful actions, and composable policy encodings.
The separation of language generation and governance logic is both a practical and theoretical advancement, aligning LLM agents with established security and system engineering best practices (e.g., RBAC, fail-closed firewalls), and enabling rigorous formal analysis and verification.
Limitations and Future Directions
Current evaluations presuppose simulated user profiles and fixed attacker backbones, which may underestimate the adversaryโs capability in matched-model scenarios. Cost trade-offs, specifically aggregate token consumption and parallelization limits, become acute at large scale and suggest the need for optimization in prompt assembly, tool orchestration, and context caching. Defending against semantic or covert leakage channels not covered by string-matching requires integration with formal verification, cryptographic tracking, or information-flow analyses.
Broader directions include adapting ComplianceChecker logic for tool and environment-action governance, supporting negotiated or collaborative workflows, and empirically validating the architecture under human-in-the-loop dynamics and naturally ambiguous authority signals.
Conclusion
Harness-MU establishes a new standard for multi-user LLM agent safety, determinism, and utility alignment. By decoupling privacy and authority governance from the LLM and implementing it at the runtime infrastructure level, it offers strictly enforced, auditable access control and principled arbitration in multi-principal settings. This framework affirms the critical role of harness engineering for trustworthy LLM deployment and provides a broadly applicable pattern for future research at the intersection of agentic AI, access governance, and system safety.
References
- "Harness-MU: A Safe, Governed, and Effective Harness for Multi-User LLM Agents" (2606.21856)
- "Multi-User LLM Agents" (Yang et al., 19 Mar 2026)
- "Agent Harness for LLM Agents: A Survey" [preprints20(2604.0428).v3]
- "Assessing and Mitigating Data Memorization Risks in Fine-Tuned LLMs" (Ramakrishnan et al., 10 Aug 2025)
- "Training LLMs to follow instructions with human feedback" [ouyang2022training]