MosaicLeaks: Can your research agent keep a secret?
- company Microsoft
- lab Anthropic
- lab DeepMind
- lab Meta AI
- lab MosaicLeaks
- lab OpenAI
- location January
- location Q1 2025
A new benchmark called MosaicLeaks reveals that deep-research AI agents routinely leak sensitive enterprise information through their web queries, and that simply instructing them to be careful does little to stop the problem [1]. The benchmark, which contains 1,001 multi-hop research chains, is designed to test how agents handle tasks that require interleaving private local documents with public web searches [1]. The core risk is the "mosaic effect," where an adversary observing an agent's outbound query log can piece together fragments of private data, even if no single query reveals a complete secret [1]. The dataset is split into 559 training chains, 98 validation chains, and 344 held-out-company test chains [1]. Researchers found that a base Qwen3-4B model achieved a strict chain success rate of 48.7% while exhibiting an answer or full-information leakage rate of 34.0% [1]. When the model was trained solely for task performance, its success rate climbed to 59.3%, but leakage worsened significantly to 51.7% [1]. This illustrates a central tension: more informative web queries improve task accuracy but also provide more fragments for an observer to exploit [1]. The study also tested a simple prompt-based defense, telling the agent not to issue web queries that leak local information. For the Qwen3-4B model, this approach reduced leakage from 34.0% to 25.5%, but it also caused strict chain success to drop from 48.7% to 44.5% [1]. The primary behavioral change was a reduction in the number of web queries, not consistently safer query construction [1]. To address this, the team developed a training method called Privacy-Aware Deep Research (PA-DR), which combines a situational task reward with a learned privacy reward [1]. The privacy component uses a classifier to estimate whether new web queries leak information directly or create a new mosaic leak when added to the existing query log [1]. After training with PA-DR, the model's strict chain success rose to 58.7% while its leakage rate plummeted to 9.9%, a figure lower than the untrained base model [1]. The agent achieved this not by searching less, but by dropping revealing details such as specific metrics and dates from its queries [1]. The broader AI landscape has seen a surge in the deployment of large language models by major firms. Microsoft, one of the companies referenced in the benchmark's example chains, has heavily invested in AI and cloud computing through its Azure platform [10]. Meanwhile, companies like Anthropic have centered their corporate identity on AI safety, developing models such as Claude with techniques like "constitutional AI" to improve ethical compliance [8][9]. The MosaicLeaks research suggests that for agentic systems, safety must be actively trained into the search behavior itself, rather than relying on pre-existing model alignment or simple instructions [1].
controversy
Background sources we checked (9)
- en.wikipedia.org ↗ The Marvel Cinematic Universe (MCU) is an American media franchise and shared universe centered on a series of superhero films produced by Marvel Studios. The films are based on characters from American comic books published by Marvel Comics. The franchise also includes several t…
- en.wikipedia.org ↗ Nvidia Corporation ( en-VID-ee-ə) is an American multinational technology company headquartered in Santa Clara, California. The company develops graphics processing units (GPUs), systems on chips (SoCs), and application programming interfaces (APIs) for data science, high-perform…
- en.wikipedia.org ↗ Mozilla is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, publishes, and supports Mozilla products, thereby promoting free software and open standards. The community is supported institutionally by the non-profit Mozilla Fo…
- en.wikipedia.org ↗ Each entry on this list of common misconceptions is worded as a correction; the misconceptions themselves are implied rather than stated. These entries are concise summaries; the main subject articles can be consulted for more detail.…
- arxiv.org ↗ AI model documentation is fragmented across platforms and inconsistent in structure, preventing policymakers, auditors, and users from reliably assessing safety claims, data provenance, and version-level changes. We analyzed documentation from five frontier models (Gemini 3, Grok…
- arxiv.org ↗ The CIA security triad - Confidentiality, Integrity, and Availability - is a cornerstone of data and cybersecurity. With the emergence of large language model (LLM) applications, a new class of threat, known as prompt injection, was first identified in 2022. Since then, numerous …
- en.wikipedia.org ↗ Anthropic PBC is an American artificial intelligence (AI) company headquartered in San Francisco, California. It has developed a series of large language models (LLMs) named Claude and has a focus on AI safety. Anthropic was founded in 2021 by former members of OpenAI, including …
- en.wikipedia.org ↗ Claude is a series of large language models developed by American software company Anthropic. Claude was released as an AI-based chatbot in March 2023. It is also used in AI-assisted software development. Claude is trained using "constitutional AI", a technique developed by Anthr…
- en.wikipedia.org ↗ Microsoft Corporation is an American multinational technology company headquartered in Redmond, Washington. The company became influential in the rise of personal computers through software like Windows and has since expanded into areas such as Internet services, cloud computing,…
Sources
- huggingface.co — MosaicLeaks: Can your research agent keep a secret? ↗