OCELOT: Designing an Inference Leakage Budget Mechanism for Privacy-Preserving LLM Agents

OCELOT is a runtime mediation mechanism designed for privacy-preserving LLM agents. It sets an upper limit on inference leakage budgets using the "Witness-Verified Decryption" technique, aiming to address the cumulative, bidirectional, and task-dependent privacy leakage risks faced by LLM agents while ensuring task utility and effectively controlling privacy risks. This article was originally published on arXiv (released on June 10, 2026), with the original title 《OCELOT: Inference-Leakage Budgets for Privacy-Preserving LLM Agents》, link: http://arxiv.org/abs/2606.12341v1.

LLM agents are evolving into complex task execution assistants, but continuous multi-step interactions bring unprecedented privacy risks. Traditional methods struggle to address three core challenges: 1. Cumulative leakage: Harmless information fragments from single interactions can accumulate to infer a complete privacy profile; 2. Bidirectional leakage: External malicious inputs (e.g., jailbreak attacks) induce agents to leak information; 3. Task dependency: The same information varies greatly in sensitivity to different recipients, making uniform filtering strategies ineffective.

OCELOT proposes a "post-hoc risk control" paradigm, setting leakage budgets for interaction trajectories and quantifying the information gain an attacker obtains through an agent's behavior. The core technology is the "Witness-Verified Decryption" mechanism: 1. Untrusted defense model: A locally fine-tuned model that outputs structured evidence (atomic information tags, decryption operation proposals); 2. Deterministic verifier: Audits evidence, calculates the minimum entropy cost, checks if it is within the budget (based on the recipient's trust weight), and the verifier is deterministic and auditable.

In terms of budget management, all decryption decisions are recorded in a tamper-proof ledger, and budget allocation considers the recipient's trust level. Experimental results show OCELOT's advantages: 1. Lower leakage and higher utility: Precise budget allocation achieves a win-win between privacy and task quality; 2. Resistance to multiple attacks: Adaptive injection, jailbreak, cumulative inference, and recipient collusion attacks; 3. Moderate performance overhead: The verification process has controllable computational complexity, facilitating practical deployment.

OCELOT marks a shift in LLM agent privacy protection from "post-hoc remediation" to "pre-emptive prevention", providing a quantifiable and auditable framework to help enterprises meet regulatory requirements such as GDPR. In the future, similar budget control mechanisms may become standard configurations for AI systems in sensitive scenarios (healthcare, finance, law), and open-source code and evaluation frameworks will promote community exploration.