Contextual Integrity Verification (CIV)
- Contextual Integrity Verification (CIV) is a framework that defines information flows as structured tuples to assess compliance with context-specific norms.
- It applies to domains like data leakage prevention, privacy auditing, legal analysis, web tracking, and AI safety using rule-based verification systems.
- CIV systems leverage formal methods, norm elicitation, and benchmarking to validate context boundaries and mitigate privacy breaches.
Searching arXiv for recent and foundational papers on contextual integrity verification and related CI operationalizations. Contextual Integrity Verification (CIV) denotes a family of methods for deciding whether an information flow is appropriate in its surrounding context, using the theory of contextual integrity as the normative substrate. Across data leakage prevention, privacy-policy auditing, legal-compliance analysis, web-tracking measurement, and AI-agent safety, CIV systems typically represent a flow as a structured tuple, compare it against context-specific norms or constraints, and then either permit, block, classify, audit, or structurally prevent the flow (Shvartzshnaider et al., 2017, Markopoulou et al., 2023, Ghalebikesabi et al., 2024, Gupta, 12 Aug 2025).
1. Formal object of verification
The central object in CIV is the information flow. In the CI literature, this is most often expressed as a tuple over actors, data, and conditions. One widely used formulation is the 5-tuple , which was encoded directly in Datalog for educational privacy norms (Shvartzshnaider et al., 2016). In assistant settings, the flow is made fully explicit as
where is context, sender, recipient, attribute, and transmission principle; a flow is CI-compliant iff and (Ghalebikesabi et al., 2024). Legal-compliance formulations add an explicit norm type, writing a norm as
with 0 (Li et al., 2024). In edge-device auditing, where the subject is often implicitly the device user, the tuple may be reduced to 1 over sender, recipient, attribute, and transmission principle (Markopoulou et al., 2023).
These variants differ in arity, but they serve the same verification role: they turn a natural-language or observed privacy-relevant event into a typed symbolic object that can be checked. The checked object may be an email transmission, a form field disclosure, a network flow, a browser identifier reuse event, a computer-use-agent action, or even token-to-token influence inside a transformer (Shvartzshnaider et al., 2017, Sivan-Sevilla et al., 2024, Goel et al., 22 Jun 2026, Gupta, 12 Aug 2025).
| Setting | Flow representation | Verification target |
|---|---|---|
| Crowdsourced norms | allowed(Context, Sender, Recipient, Subject, Attribute, TransmissionPrinciple) |
Whether a Datalog derivation exists (Shvartzshnaider et al., 2016) |
| Form-filling assistants | Information Flow Card over context, sender, recipient, subject, attribute, principle | fill, refuse, or unsure per field (Ghalebikesabi et al., 2024) |
| Edge auditing | Actual set 2 and policy set 3 or 4 of CI-tuples | clear, vague, omitted, ambiguous, incorrect disclosure (Markopoulou et al., 2023) |
| Provable LLM security | Token provenance label plus trust level | Deterministic per-token non-interference (Gupta, 12 Aug 2025) |
A notable feature of later CIV work is that the “flow” need not be only an externally visible message. In enterprise-agent evaluation, retrieved evidence is partitioned into 5 and 6, and verification asks both whether essential items were conveyed and whether sensitive items leaked (Fu et al., 23 Apr 2026). In computer-use agents, the flow is formalized as 7 and contexts are collapsed to app-workspace boundaries, so the verified object is a concrete action over a serialized multi-app state (Goel et al., 22 Jun 2026).
2. Symbolic rule systems and verifiable enforcement
The earliest computational CIV systems are rule-centric. In the educational privacy framework, the predicates inrole/3 and allowed/6 encode CI norms in Datalog, and verification is performed by posing runtime queries of the form ?- allowed(Ctx, Sender, Recipient, Subject, Attribute, TransmissionPrinciple) to a standard Datalog engine (Shvartzshnaider et al., 2016). Because Datalog is function-symbol–free, the Herbrand universe is finite; queries terminate in polynomial time in the size of the database, and bottom-up fixpoint evaluation reaches a unique least model in finitely many steps (Shvartzshnaider et al., 2016).
VACCINE generalizes this logic-driven style to enterprise Data Leakage Prevention (DLP). It models a norm schema as 8 over context, sender, receiver, attribute type, and precondition, and treats a policy as a set 9 of such schemas. The framework identifies soundness, completeness, and non-interference as key correctness properties, and also states a consistency theorem asserting that 0 has no contradictory norms that simultaneously allow and forbid the same flow (Shvartzshnaider et al., 2017). The runtime architecture combines a Policy Server, Data Connectors, and Enforcement Proxies; the offline stage compiles the Datalog rule set into a semi-naïve evaluation engine, while the online stage checks each send event and either forwards it or reports a violation (Shvartzshnaider et al., 2017).
The VACCINE case studies give CIV an explicitly operational character. For FERPA deployment, the reported setting includes 1,200 students, 200 faculty, a trace size of 3.5M events, a policy of 25 norm schemas, throughput of 8,000 events/sec on a single commodity server, and enforcement overhead of less than 2 ms per event. For Enron privacy rules, the reported setting includes 30K employees, 150K external contacts, 12M e-mails, a policy of 42 norm schemas, throughput of 5,500 events/sec, and overhead of approximately 3 ms per event. In both cases, the system found zero false negatives and only a handful of flagged events for manual review, mostly due to stale role-assignments (Shvartzshnaider et al., 2017).
This rule-based lineage establishes a canonical CIV pipeline: formalize norms, encode them in a decidable logic, verify meta-properties, then monitor live flows. It also fixes a recurring assumption of later work: verification is meaningful only if the representation of context is sufficiently explicit to support reuse across heterogeneous protocols (Shvartzshnaider et al., 2017).
3. Norm elicitation, regulation mapping, and policy-grounded judgment
A persistent problem for CIV is where the norms come from. One answer is crowdsourcing. In the educational-context framework, domain experts first define actors, attributes, and transmission principles; CI-template survey questions are then formed automatically and deployed through AMT and Qualtrics. The reported study used 15 survey forms with approximately 88 questions each, paid \%%%%22%%%%2c$3, CI-characteristic annotations on each leaf, a role graph $c$4, an attribute graph $c$5, and a definition dictionary $c$6. GPT-4 is used to classify each leaf as a positive norm, a negative norm, or a general definition, and to extract sender role, recipient role, subject role, data type, and transmission purpose or consent form when applicable (Li et al., 2024). Evaluation uses 214 HIPAA litigation excerpts and 618 synthetic cases; compared methods include Direct Prompt, CoT-auto, CoT-manual, Agent-ID, BM25-content, and CI-ES-content. The reported result is that RAG-based prompts improve overall accuracy by 6–18 points over Direct Prompt on real cases, while all models struggle on the “prohibit” class, with average F1 around 45% (Li et al., 2024).
PrivaCI-Bench broadens this legal-compliance orientation into a multi-domain benchmark. It constructs role and attribute ontologies with 8,993 nodes and 91,876 edges for roles, and 7,875 nodes and 176,999 edges for attributes. Its data sources include 214 HIPAA cases from the GoldCoin benchmark, 2,462 prohibited GDPR enforcement cases, 70 ACLU technology-privacy cases, 675 permitted GDPR-linked policy snippets from OPP-115 and APP-350, and synthetic EU AI Act vignettes with 1,029 permitted, 971 prohibited, and 1,000 not applicable examples (Li et al., 24 Feb 2025). The benchmark reports 147,840 multiple-choice probing questions for CI parameter extraction and shows that adding gold CI parameters typically boosts accuracy by 5–15 points, with the exact norm text adding another 2–5 points (Li et al., 24 Feb 2025).
These systems treat CIV as a norm-grounded judgment problem rather than merely a detection problem. They also show that CI parameter extraction is easier than end-to-end compliance classification: PrivaCI-Bench reports approximately 90% on Easy, approximately 80% on Medium, and approximately 60% on Hard multiple-choice probes, whereas raw compliance classification remains in the 45–90% range depending on domain and model (Li et al., 24 Feb 2025). A plausible implication is that tuple extraction is becoming relatively mature, while norm retrieval and norm application remain the dominant bottlenecks.
4. Auditing observed systems and measuring context collapse
CIV is also used to compare what systems do against what they say they do. In the edge-device auditing framework, actual traffic tuples 7 are extracted from network monitoring and policy tuples 8 or 9 are extracted from privacy policies using NLP. Consistency checking then matches tuples on recipient and attribute subsumption, using an ontology over data types, and classifies each observed flow as “clear,” “vague,” “omitted,” “ambiguous,” or “incorrect” (Markopoulou et al., 2023). In the OVRseen study of 100 Oculus Quest apps, this tuple-matching pipeline showed that over 30% of apps sent data not clearly disclosed in their policies (Markopoulou et al., 2023).
A different auditing direction treats CIV as measurement of structural privacy harm on the Web. In the web privacy study, each flow is represented as 0, where the attribute 1 is an identifier assigned by a tracker, and contextual-integrity violation is defined operationally as reuse of the same identifier within or across social contexts such as health, finance, news and media, LGBTQ, eCommerce, adult, and education (Sivan-Sevilla et al., 2024). The study crawls the top-700 popular websites across these contexts, builds within-context and between-context graphs over sites linked by persistent identifiers, and uses chromatic number 2 to derive the number of browser storage containers required to prevent the measured collapse of contexts (Sivan-Sevilla et al., 2024). The reported findings include that between 18% and 24% of all third-parties in any origin context re-use IDs elsewhere, and that in six contexts a plurality of persistent IDs reach all seven contexts (Sivan-Sevilla et al., 2024).
Implicit-context settings complicate CIV further because the relevant contexts are not given in advance. In online social networks, the Information Assistant Agent infers contexts by community finding, maintains topic-level appropriateness estimates 3 and knowledge estimates 4, and alerts users when a candidate message may be inappropriate or may disseminate sensitive information (Criado et al., 2015). In experiments with 100 agents, a scale-free friendship graph, Infomap for ground-truth contexts, and 36 topics, obedient users cut inappropriate exchanges by approximately 90% and sensitive disseminations by approximately 89% in one reported setting; alerts stabilized within a few hundred steps, with overall alerts below 25% and non-followed alerts below 5% (Criado et al., 2015).
Taken together, these auditing lines show that CIV is not limited to ex ante access control. It is equally a method for reconstructing latent flows from network traces, browser state, UI interactions, or social exchange histories and then evaluating those flows against contextual norms.
5. AI assistants, enterprise agents, and benchmark-driven CIV
The rise of tool-using assistants has turned CIV into a runtime supervision problem. In privacy-conscious form-filling assistants, each requested field is converted into an Information Flow Card that extracts context, sender, recipient, subject, attribute, and transmission principle; a second supervisory stage then classifies the flow as fill, refuse, or unsure, and only “yes” fields are exposed to the form filler (Ghalebikesabi et al., 2024). The associated benchmark contains 126 distinct form contexts, 18 personas with 51 structured key–value fields each, and 714 judged pairs of form scenario and data key, annotated by eight crowd workers (Ghalebikesabi et al., 2024). On Gemini Ultra, the reported privacy leakage and utility values are 0.21 and 0.79 for self-censoring, 0.03 and 0.82 for a binary supervisor, 0.02 and 0.79 for a reasoning supervisor, and 0.01 and 0.86 for a CI-based supervisor (Ghalebikesabi et al., 2024).
A complementary line trains models to reason explicitly about CI. The CI-RL framework uses a synthetic dataset of approximately 795 total examples, split into 590 train, 66 validation, and 73 test, and optimizes a reward that increases with the presence of required attributes and decreases with the presence of restricted attributes (Lan et al., 29 May 2025). It defines three evaluation metrics on the synthetic test set—Integrity, Utility, and Complete—and reports consistent gains from “base” to “+ CI-RL” across Qwen, Mistral, and Llama models; on PrivacyLens, CI-RL achieves up to 40% relative drop in privacy leakage while largely restoring or improving helpfulness (Lan et al., 29 May 2025).
Enterprise-agent evaluation makes the privacy-utility trade-off explicit. CI-Work simulates workflows across five information-flow directions—Downward, Upward, Lateral, Diagonal, and External—and measures Conveyance Rate for essential items, Leakage Rate for sensitive items, and a binary Violation metric (Fu et al., 23 Apr 2026). The reported empirical picture is adverse: violation rates range from 15.8% to 50.9%, leakage reaches up to 26.7%, and higher task utility correlates positively with both Leakage and Violation, with Pearson 5 and 6 (Fu et al., 23 Apr 2026). The same paper argues that simply increasing model size or reasoning depth fails to resolve CI failures and calls for a shift from model-centric scaling toward context-centric architectures (Fu et al., 23 Apr 2026).
Computer-use agents extend the same concern to cross-application action. AgentCIBench formalizes each scenario as 7, where 8 is the set of items that must be shared and 9 the set that must not be shared, and targets three failure modes: visual co-location, task-ambiguity overshare, and recipient misalignment (Goel et al., 22 Jun 2026). Across 117 stratified runs on 15 frontier agents, the reported state-grounded averages are 0, 1, 2, and engaged leakage 3; 12 of 15 agents leak on more than 50% of scenarios, and the same failures persist in end-to-end UI execution (Goel et al., 22 Jun 2026).
These benchmarks recast CIV as an executable evaluation discipline. Rather than verifying only a fixed policy engine, they test whether an agent can preserve contextual boundaries while still completing the task, and they make oversharing measurable even when the agent is otherwise highly capable.
6. Structural guarantees, unresolved limits, and future directions
Most CIV systems are judgmental: they classify or block flows after reconstructing context. A distinct line instead builds context sensitivity into the model’s execution substrate. In the cryptographic CIV architecture for LLMs, every token is labeled at ingestion with a trust level and an HMAC-SHA-256 tag,
4
and attention is modified by a pre-softmax hard mask so that a token at trust level 5 cannot attend to tokens at strictly higher trust (Gupta, 12 Aug 2025). The trust lattice is totally ordered, for example as SYSTEM 6 7 USER 8 9 TOOL 0 1 DOC 2 3 WEB 4, and the formal non-interference theorem states that for positions 5 with 6, the final hidden state satisfies
7
On Elite-Attack and SoK-246, the reported attack success rate is 0%, benign false positive rate is 0%, exact token-level similarity is 93.1%, perplexity delta is less than 8, and latency is approximately 9.2 s/query versus approximately 4.4 s baseline (Gupta, 12 Aug 2025).
Even in this strongest form, CIV remains bounded by its assumptions and representations. The cryptographic architecture assumes an untampered serving stack and secret-key security, does not prevent same-tier attacks, and requires refactoring for workflows that intentionally blend SYSTEM and USER text (Gupta, 12 Aug 2025). Symbolic and survey-grounded systems face question explosion, survey fatigue, and dependence on expert pre-pruning (Shvartzshnaider et al., 2016). Edge-auditing systems identify hierarchy and summarization of tuples, merging multi-source information, completeness of policy extraction, and elusive transmission principles beyond “purpose” as open challenges (Markopoulou et al., 2023). Assistant-focused evaluations call for larger real-world benchmarks, explicit societal norms, cross-cultural variation, better personalization, and adversarial hardening against prompt injections or malicious third-party APIs (Ghalebikesabi et al., 2024).
A recurrent direction across recent work is to move from weakly contextual heuristics to context-native architectures. CI-Work explicitly recommends context partitioning and access control, role-conditioned retrieval filters, and CI-aware training objectives (Fu et al., 23 Apr 2026). The web-tracking study closes the loop from measurement to enforcement by computing container assignments directly from graph colorings of observed identifier reuse (Sivan-Sevilla et al., 2024). The VACCINE line shows that protocol-agnostic rules with correctness guarantees can already scale to enterprises involving tens of thousands of actors (Shvartzshnaider et al., 2017). This suggests that the long-term development of CIV is not a single technique but an increasingly layered stack: norm elicitation, tuple extraction, retrieval and legal grounding, runtime supervision, benchmarked stress testing, and, in some cases, architectural non-interference.