Task-Centric Access Control (TCAC)

• TCAC is a dynamic, intent-aligned access control model that assigns minimal privileges per task based on operational context and user intent.
• It employs real-time policy synthesis and ephemeral, context-bound permissions to mitigate risks like instruction injection and cross-task privilege leakage.
• TCAC integrates with AI agent platforms and cyber-physical systems, enabling secure, orchestrated workflows in diverse distributed environments.

Task-Centric Access Control (TCAC) is a dynamic, intent-aligned access control paradigm that synthesizes and enforces least-privilege security policies on a per-task basis. Unlike traditional models anchored in static roles or attributes, TCAC scopes privileges and resource access strictly to the specific operational boundaries of each user-initiated or agent-driven task. Its expressiveness and runtime adaptation distinguish it as foundational for secure, orchestrated workflows in contemporary distributed ecosystems spanning AI agent platforms, smart cyber-physical systems, collaborative construction environments, and risk-stratified enterprise automation.

1. Formal Foundations of Task-Centric Access Control

TCAC’s formal core centers around the explicit mapping of user or agent task intents to a minimal, dynamically generated permission set.

• Task Space ($\mathcal{T}$): Each authorized operation (task) $T \in \mathcal{T}$ is a structured, high-level intent (e.g., “Register for App X”). The Task Interpreter yields a TaskContext $$TC = (\text{tid}, \text{intent}, \text{params}, \text{TTL})$$ where $\text{tid}$ is a unique identifier, ‘intent’ captures the abstract action, ‘params’ specify concrete arguments (e.g., app name), and $\text{TTL}$ gives task expiration (Cai et al., 30 Oct 2025).
• Permission Universe ($P$): Fine-grained permissions $$p = (\text{AgentID}, \text{Resource}, \text{Operation}, \text{Context}) \mapsto \{\text{Allow}, \text{Deny}\}$$ are defined. Context (via tid) ensures isolation between different tasks' permissions.
• Task-to-permission Mapping ($f$): A function $f: \mathcal{T} \rightarrow 2^P$ produces, per task $T$, a policy $P_T = f(T)$, constituting the precise rule set to execute $T$ and nothing more. Templates encode skeletal permissions for each intent, instantiated with task parameters.
• Policy Lifecycle: Policies are ephemeral. On task completion or TTL expiry, $P_T$ is revoked (i.e., $$\text{PolicyStore}[\text{tid}] \leftarrow \emptyset$$), enforcing the non-persistence of privileges.

Mathematically, TCAC can be generalized: given agents $A$, tasks $T$, tools/resources $S_{tool}$, and primitive operations $S_{trans}$, the policy for agent $a$ and task $t$ is $\Pi \subseteq S_{tool} \times S_{trans}$, optionally enriched with risk ($\rho$) and uncertainty ($\delta$) scores (Fleming et al., 13 Oct 2025).

2. Dynamic Policy Synthesis and Enforcement Architecture

The canonical TCAC workflow comprises:

1. Task Interpretation: User/agent initiates a task; Task Interpreter extracts TaskContext.
2. Policy Synthesis: Policy Generation Engine (or LLM Judge) derives the minimal, intent-aligned policy $P_T$ by matching the intent to templates and instantiating rule specifics.
3. Policy Activation: The synthesized $P_T$ is activated for the context-bound session ($\text{tid}$, $\text{TTL}$).
4. Mediation Layer: The Policy Enforcement Point (PEP) intercepts all agent actions. The Policy Decision Point (PDP) validates whether each attempted action is in $P_T$; unauthorized actions default to deny.
5. Ephemeral Scope: Upon task completion, PEP invokes revocation, ensuring no residual permissions ("automatic revocation" as per AgentSentry).

In risk/uncertainty-augmented TCAC variants, policy synthesis further involves the calculation of composite risk $R_{comp}$ and model uncertainty $\upsilon$, with human escalation if thresholds $\theta_{risk}$ or $\theta_{uncertainty}$ are exceeded (Fleming et al., 13 Oct 2025).

3. Threat Model and Security Guarantees

TCAC is designed to mitigate vulnerabilities stemming from static, over-broad privilege assignments—especially instruction-injection attacks in LLM-augmented and agentic systems:

• Attack Surface: Malicious payloads (e.g., in email) can trigger unintended, privilege-abusing behavior by agents if static, app/global privileges remain active across tasks (Cai et al., 30 Oct 2025).
• Formal Guarantee: For any agent interpretation (even if misled), the PEP/PDP layer ensures $\text{Actions} \subseteq P_T$, and if $P_T$ is minimal and well-scoped, dangerous operations (“send”, “delete”, etc.) omitted from $P_T$ cannot be executed.
• Runtime Enforcement: The combination of default-deny semantics and per-task scoping ensures least-privilege adherence and containment of instruction injection.

TCAC’s correctness is formally rooted in the intersection of temporal scoping, fine-grained rule generation, and strict mediation at all action boundaries.

4. Extensions: Risk, Uncertainty, and Activity Semantics

Recent advances incorporate adaptive, context-aware dimensions:

• Risk-Adaptive Control: Policies include explicit quantification of resource/tool risk ($\rho(s)$), with aggregate risk $R_{comp}$ used to modulate approval workflows. When $R_{comp}$ or epistemic uncertainty $\upsilon$ of the policy is high, access may be temporally bounded, write-privileges downgraded, or escalation triggered (Fleming et al., 13 Oct 2025).
• ACAC and Activity Foundations: In cyber-physical and collaborative systems, Activity-Centric Access Control (ACAC)—conceptually overlapping with TCAC—modeled access over activities (device/object states), not just primitive actions. Activities are first-class entities ($a = (s, o, op, \tau)$), with authorization expressions incorporating preconditions, concurrent dependencies, obligations, and mutable transitions (Mawla et al., 2022, Gupta et al., 2021). TCAC subsumes ACAC for workflows where tasks comprise coordinated activity sets, enabling reasoning over compound conditions and post-activation obligations.
• Model Comparison: In contrast to Role-Based (RBAC) and Attribute-Based (ABAC) models, which are structurally static or unwieldy for fluid, goal-driven use-cases, TCAC dynamically materializes policies directly from task intent, with capability for ongoing evaluation and context adaptation (Fleming et al., 13 Oct 2025, Mawla et al., 2022).

5. Application Domains and Instantiations

TCAC principles have been instantiated across diverse environments:

• AI Agent Platforms: AgentSentry demonstrates real-time, ephemeral permission envelopes around LLM-driven mobile agents, blocking instruction-injection attacks by aligning allowed operations to each explicit user task (Cai et al., 30 Oct 2025).
• Enterprise Automation: LLM-judged TCAC frameworks synthesize access policies for emergent enterprise tasks, factoring resource criticality and LLM uncertainty to support just-in-time, risk-aware authorization (Fleming et al., 13 Oct 2025).
• Smart Ecosystems and CPS: ACAC/TCAC techniques orchestrate device collaborations by mapping allowed activities and system state constraints, with application in farming, energy, and collaborative robotics (Gupta et al., 2021, Mawla et al., 2022).
• Collaborative Construction: Context-sensitive model filtering and permissioning in virtual organizations is achieved via TCAC, restricting both model data (via templates/cutouts) and access rights only to those needed for the current project phase, user role, and task (Hilbert et al., 2012).

6. Benefits, Limitations, and Future Trajectories

TCAC advances least-privilege enforcement, intent alignment, and dynamic containment far beyond prior models. Principal advantages include:

• Per-task Minimal Privilege: Each task is bounded by the minimal capability profile, with no privilege residues post-task.
• Automated Policy Generation: Reduces manual policy-writing by leveraging templates, LLMs, or structured task interpreters.
• Robustness to Emerging Threats: Correctly constructed TCAC, as in AgentSentry or LLM-Judge architectures, mitigates cross-task privilege leakage, instruction injection, and over-privilege pitfalls.

Identified limitations include reliance on template or LLM quality, calibration of risk/uncertainty metrics, potential runtime policy synthesis latency, and the need for richer, formal administrative models (especially for collaborative or federated environments) (Fleming et al., 13 Oct 2025, Gupta et al., 2021).

Future research emphasizes formal metamodels for cross-domain task and activity composition, expressive policy languages for TCAC, administrative delegation protocols, and AI-driven adaptation of task/activity templates (Gupta et al., 2021, Mawla et al., 2022). The convergence of TCAC with Zero Trust paradigms—involving continuous, contextually re-evaluated, and intent-bounded privilege scoping—remains a critical focus for ensuring trustworthy automation in increasingly agent-driven, open, and safety-critical settings.