🚀Shippingscore 116.6Jun 4, 2026·2606.06460cs.CRcs.AI

Will the Agent Recuse Itself? Measuring LLM-Agent Compliance with In-Band Access-Deny Signals

Thamilvendhan Munirathinam

Narrative

The paper defines a "Recuse Signal" — a lightweight in-band message a server can emit over existing protocol channels (SSH banners, PostgreSQL NOTICEs) asking a connecting LLM agent to voluntarily withdraw rather than proceed. This is framed explicitly as a cooperative governance layer, not a security control — the robots.txt analogy is apt. In a small pilot experiment with GPT-4o, GPT-4o-mini, and Claude Code, the signal achieved 100% recusal versus 100% task completion in a no-signal control, but critically, explicit operator-authorization framing caused the most capable model to override the signal and proceed anyway, exposing the cooperative ceiling.

No production traction yet — zero citations, and the GitHub repos referencing it are all feed aggregators and paper-tracking tools, not implementations. The core finding — that current frontier agents will honor a soft deny signal under default conditions but can be talked past it — is practically relevant to anyone building agent infrastructure today, but the sample size is tiny (pilot-scale, single operator) and the adversarial robustness is openly unaddressed. Worth watching if you're building access governance for agentic systems; not yet a standard anyone is implementing.

Abstract

As autonomous LLM agents increasingly hold real credentials and operate infrastructure without a human in the loop, operators have no standard way to tell an agent that a resource is off-limits. Access controls either let the agent in (it has valid credentials) or hard-fail it (indistinguishable from any other client). We propose a third mode: a lightweight, published in-band deny signal -- the Recuse Signal -- that a server emits over a protocol's existing channels (an SSH banner, a PostgreSQL NOTICE) asking a connecting automated agent to voluntarily withdraw. This is a cooperative governance control, the robots.txt analogue for live access; it is explicitly not a security boundary. Its value is entirely empirical and, to our knowledge, unmeasured: do compliant LLM agents actually honor such a signal? We define the signal as an open mini-standard, implement two zero- or low-footprint adapters (an SSH banner/PAM hook and a PostgreSQL wire-protocol proxy), deploy them on a live production host, and run a controlled experiment in which fresh agents are given a benign operations task and observed for recusal. In a pilot (SSH; OpenAI GPT-4o and GPT-4o-mini; and Claude Code as a deployed agent), the signal cleanly induces recusal -- 100% recusal when present versus 100% task completion in a no-signal control -- and, revealingly, behaves as a cooperative rather than absolute signal: an explicit operator-authorization framing flips the most capable model to proceed, while other agents continue to defer to the on-host policy. We release the standard, adapters, and experiment harness for reproduction.

Citation timeline
Not enough citation snapshots yet to plot a timeline. Come back after a few cron runs.