AgentCIBench: Contextual Integrity Benchmark
- AgentCIBench is a benchmark that operationalizes privacy as context-specific disclosure, testing if agents share only information appropriate to each situation.
- It evaluates three failure modes—visual co-location, task-ambiguity overshare, and recipient misalignment—using a re-runnable six-app workspace to simulate real-world tasks.
- Empirical results across 15 frontier agents reveal widespread leakage, highlighting the need for improved disclosure safety and targeted mitigation strategies.
AgentCIBench is a benchmark and evaluation harness for contextual-integrity failures in computer-use agents (CUAs): it asks whether an agent that can act across personal applications can produce an externally visible artifact that includes the information that should be shared while excluding information that should not be shared to that recipient in that context (Goel et al., 22 Jun 2026). Rather than treating privacy as a binary property of “sensitive” data, it operationalizes inappropriate disclosure as a scenario-specific violation of contextual integrity, under ordinary cooperative use rather than adversarial prompting. The benchmark targets three recurring failure modes—visual co-location, task-ambiguity overshare, and recipient misalignment—and evaluates them in a re-runnable six-application workspace with deterministically scored scenarios (Goel et al., 22 Jun 2026).
1. Conceptual basis and threat model
AgentCIBench adopts the contextual-integrity view that privacy is preserved when information flows respect the norms of the context in which the information was shared, and that a violation occurs when “the actor, recipient, content type, or transmission principle deviates from those norms” (Goel et al., 22 Jun 2026). In this formulation, the central risk is not generic secrecy failure, but a cooperative agent’s tendency to over-include information visible in one application context when acting in another.
The paper formalizes a scenario as a tuple containing the initial app state, task prompt, recipient, and two labeled sets: one for information that must be shared and one for information that must not be shared. Both sets are visible to the agent in the workspace. The benchmark therefore does not test extraction of hidden data; it tests whether the final disclosure decision is contextually appropriate. The paper concentrates on three classes of externally visible artifacts—“a sent message, a saved calendar event, and a posted note or reply”—because these are the main ways in which personal state becomes visible to others (Goel et al., 22 Jun 2026).
The per-scenario metrics are binary utility and binary leakage. The paper defines utility as whether all must-share items are present in the final artifact, and leakage as whether any must-not-share item appears in that artifact: It then reports utility rate , leakage rate , refusal rate , and engagement-conditioned leakage , so that an agent cannot look safe merely by refusing many tasks (Goel et al., 22 Jun 2026).
A defining feature of the benchmark is its non-adversarial threat model. The paper explicitly states that there is “no adversary in the loop.” AgentCIBench is therefore not a prompt-injection benchmark and not a generic capability benchmark. It targets unintentional contextual-integrity violations by a cooperative agent acting across a user’s personal applications (Goel et al., 22 Jun 2026).
2. Harness architecture and scenario generation
AgentCIBench is built on OpenApps, “a six-app personal workspace built on BrowserGym.” The six applications are Messenger, Calendar, Maps, ToDo, Code Editor, and Shop (Goel et al., 22 Jun 2026). Each scenario populates a live multi-tab workspace with both must-share and must-not-share content. The same scenario JSON supports two evaluation tracks.
The first is a state-grounded (reasoning) track, in which the agent receives serialized JSON of workspace state and task prompt, then emits a single action JSON. The second is an end-to-end (visual) track, in which the agent operates through the rendered OpenApps interface inside BrowserGym (Goel et al., 22 Jun 2026). This paired design isolates disclosure choice in the reasoning track while permitting transfer tests in a live UI.
The scenario pool is generated rather than manually enumerated. AgentCIBench uses Monte Carlo Tree Search, following PersistBench, to mutate ordinary, non-adversarial seed tasks such as workplace updates, calendar sharing, shopping, and procurement. The main text states that the study scenarios derive from 28 hand-authored seeds, while the appendix states that the broader search pool contained 36 distinct seeds from public CUA demonstrations, compositional cross-app patterns from user studies, and documented failure patterns in conversational CI literature (Goel et al., 22 Jun 2026). The search reward is: In the appendix’s rollout formulation, each proxy rollout receives , average reward is computed across rollouts, and a novelty term based on Jaccard distance over is added before acceptance (Goel et al., 22 Jun 2026).
The released evaluation set contains 117 scenarios. The generation pipeline described in the appendix proceeds from 480 high-reward post-keep candidates to 140 retained candidates, removes 7 exact duplicates and 16 near duplicates, and yields 117 final scenarios (Goel et al., 22 Jun 2026). The final failure-mode split is 75 task-ambiguity overshare scenarios, 24 recipient-misalignment scenarios, and 18 visual-co-location scenarios. The thematic distribution includes 38 workplace status or day-digest updates, 23 calendar availability sharing tasks, 18 engineering collaboration tasks, 12 shopping or procurement tasks, 11 maps or ETA-sharing tasks, 10 household or family logistics tasks, and 5 community, volunteer, or school tasks (Goel et al., 22 Jun 2026).
3. Failure modes and scoring protocol
The three failure modes are primary labels assigned “by construction,” each corresponding to a different contextual-integrity stressor (Goel et al., 22 Jun 2026).
Visual co-location tests whether the agent filters by contextual appropriateness or by spatial proximity. The benchmark describes this as the case where “the agent acts on prohibited items that sit next to the task target in the rendered UI.” Representative examples include adjacent calendar entries, neighboring chat threads, sibling files in an editor, or nearby to-do items in a list (Goel et al., 22 Jun 2026).
Task-ambiguity overshare tests what happens when a user request is underspecified. The benchmark asks whether the agent infers a CI-respecting transmission principle or “defaults to dumping all available state.” The canonical examples are prompts such as “summarise my list” or “send the open tabs,” where work items and personal or medical items coexist in the same application view (Goel et al., 22 Jun 2026).
Recipient misalignment tests whether the agent conditions output on the role, relationship, and trust tier of the addressee. The same content may be acceptable in a family thread and inappropriate in a work channel. The benchmark therefore treats recipient identity as a first-class part of the scenario, not merely metadata (Goel et al., 22 Jun 2026).
Scoring uses a hybrid pipeline. A deterministic matcher checks exact and near-exact mentions using normalized containment, token coverage, and sequence similarity; the appendix specifies thresholds such as at least 4 matched tokens, at least 72% token coverage, at least 88% sequence similarity, or exact normalized containment, with stricter handling for short items (Goel et al., 22 Jun 2026). An LLM judge sees the scenario and output and returns binary utility, leaked items, a CI-violation severity from 1 to 5, and an explanation. The final merge is conservative: a leak counts if found by the matcher, or by the judge with textual support in the output; task completion counts only if required items are supported by the output (Goel et al., 22 Jun 2026).
The paper reports agreement statistics over the 1,755 model-scenario cells in the main study: binary utility agreement is 84.8% with 266 disagreements out of 1,755, severity disagreement is 57.9%, and the mean absolute reward gap is 1.29 on the 0–5 scale. The authors therefore treat binary outcomes as sufficiently stable for headline reporting (Goel et al., 22 Jun 2026).
4. Empirical results across 15 frontier agents
The main study evaluates 15 agents: Claude-Opus-4.7, Claude-Sonnet-4.6, GPT-5.4, GPT-5.4-mini, Gemini-3.1-Pro, Gemini-3-Flash, Grok-4.3, Qwen-3.6-Max, DeepSeek-v4-Pro, Kimi-K2.6, MiniMax-M2.7, Qwen-3.6-35B-A3B, GLM-5.1, GPT-OSS-120B, and Gemma-4-26B (Goel et al., 22 Jun 2026). All proprietary models are queried through official provider APIs, open-weight models are served locally with vLLM, and all evaluations use temperature 0 (Goel et al., 22 Jun 2026).
The paper’s headline finding is widespread leakage. The abstract reports that 12 of 15 agents leak on more than 50% of scenarios, with average leakage of 67.9%; the conclusion states 11 of 15, so the paper contains a minor inconsistency on that single count, but the qualitative conclusion is unchanged: leakage is common and often severe (Goel et al., 22 Jun 2026). Average utility is 68.8%, average leakage is 67.9%, and six agents leak on more than 80.0% of scenarios (Goel et al., 22 Jun 2026).
The best overall agent in the state-grounded track is Claude-Opus-4.7, with , 0, refusal 1, and 2 (Goel et al., 22 Jun 2026). GPT-5.4 has 3, 4, refusal 5, and 6, illustrating why raw leakage must be interpreted together with refusal (Goel et al., 22 Jun 2026). Claude-Sonnet-4.6 reaches 7, 8, refusal 9, and 0 (Goel et al., 22 Jun 2026).
Several high-utility agents are also highly leaky. Gemini-3.1-Pro reaches 1 with 2 and 3; Gemini-3-Flash reaches 4 with 5 and 6; Qwen-3.6-Max reaches 7 with 8 and 9 (Goel et al., 22 Jun 2026). Among agents with utility above 75.0%, engagement-conditioned leakage ranges from 14.0% to 98.3%, an 84-point spread (Goel et al., 22 Jun 2026). Across all agents, the correlation between utility and disclosure behavior is weak: Pearson 0 with 1 (Goel et al., 22 Jun 2026). This suggests that capability rankings and disclosure-safety rankings are only weakly aligned.
Failure-mode breakdown reinforces the heterogeneity. For Claude-Opus-4.7, 2 is 33.3% on visual co-location, 9.3% on task-ambiguity overshare, and 12.5% on recipient misalignment (Goel et al., 22 Jun 2026). For GPT-5.4, the corresponding values are 27.8%, 18.7%, and 12.5% (Goel et al., 22 Jun 2026). By contrast, Gemini-3.1-Pro reaches 94.4%, 98.7%, and 100.0% across the three modes, while Qwen-3.6-Max reaches 88.9%, 100.0%, and 95.8% (Goel et al., 22 Jun 2026). The authors therefore argue that visual co-location may be a partially distinct axis of difficulty even for comparatively safer models.
5. End-to-end transfer and relation to adjacent agent benchmarks
AgentCIBench is not limited to serialized state. The paper also evaluates the two least-leaky state-grounded models—Claude-Opus-4.7 and Claude-Sonnet-4.6—on a 50-scenario stratified subset in the end-to-end OpenApps environment, using screenshot plus accessibility-tree access and a 20-step budget (Goel et al., 22 Jun 2026). In this visual track, leakage persists and can worsen.
For Claude-Opus-4.7, the end-to-end study reports 3, 4, refusal 5, and 6, compared with 14.0% engaged leakage in the state-grounded track (Goel et al., 22 Jun 2026). For Claude-Sonnet-4.6, the corresponding values are 7, 8, refusal 9, and 0, compared with 54.5% in the state-grounded track (Goel et al., 22 Jun 2026). The paper notes that 99 of 100 runs were truncated before completion under the 20-step budget, so these numbers are presented as evidence of transfer rather than precise deployment estimates (Goel et al., 22 Jun 2026).
This positions AgentCIBench differently from capability-centric computer-use benchmarks. MCPWorld, for example, benchmarks GUI-only, API/MCP-only, and hybrid desktop computer-use agents across 201 tasks over 10 open-source applications, emphasizing white-box app instrumentation and robust task completion evaluation (Yan et al., 9 Jun 2025). AgentBench, more broadly, evaluates LLMs as agents in eight interactive environments spanning code-grounded, game-grounded, and web-grounded settings (Liu et al., 2023). AgentCIBench instead isolates a normative property those benchmarks do not center: whether a cooperative agent with cross-application access can make the final disclosure decision in a way that respects contextual integrity (Goel et al., 22 Jun 2026).
The paper also reports prompt-level mitigations. Across Claude-Opus-4.7, GPT-5.4, and DeepSeek-v4-Pro, three prompt interventions—restrictive, rubric-informed, and recipient-typed—reduce engagement-conditioned leakage by 33 to 36 points on average while raising utility (Goel et al., 22 Jun 2026). The average across the three models moves from baseline 1, 2 to restrictive 3, 4, rubric-informed 5, 6, and recipient-typed 7, 8 (Goel et al., 22 Jun 2026). This suggests that contextual-disclosure behavior is not fixed and that the benchmark can function as a regression-testing harness for safety interventions.
6. Limitations and significance
The paper is explicit that AgentCIBench is a controlled stress test rather than a prevalence estimate of real-world leakage. OpenApps is a synthetic six-app workspace, not a deployment environment, and the scenario pool is intentionally surfaced by an adversarial generation engine to maximize informative CI failures (Goel et al., 22 Jun 2026). The authors therefore recommend interpreting absolute leakage rates mainly as relative comparisons.
The end-to-end study is also limited: it covers only two agents, only 50 scenarios, and very small engaged denominators, with heavy truncation under a 20-step budget (Goel et al., 22 Jun 2026). The defense study covers only three models and three prompt-level interventions. The benchmark does not cover long-term memory, richer professional settings beyond the included tasks, or all possible multi-turn personalization effects (Goel et al., 22 Jun 2026).
Within those limits, AgentCIBench makes a distinct methodological contribution. It turns contextual disclosure into executable, re-runnable, deterministically scored scenarios; separates utility, leakage, refusal, and engagement-conditioned leakage; and shows that task success is a weak proxy for privacy safety (Goel et al., 22 Jun 2026). The release includes the generation pipeline, scenario JSON schemas, prompts used by the engine and defenses, run logs, filtering counts, and the scenario pool used in the study, with the explicit goal of supporting pre-deployment evaluation, mitigation development, and repeated regression testing as models evolve (Goel et al., 22 Jun 2026).
A plausible implication is that AgentCIBench defines a benchmark axis orthogonal to ordinary CUA capability evaluation. Rather than asking whether an agent can complete work-like tasks, it asks whether a cooperative agent can complete them without violating the contextual norms that govern information flow across applications and recipients. In that sense, it positions contextual-disclosure testing as a pre-deployment safety check for computer-use agents (Goel et al., 22 Jun 2026).