The Privacy Norm Becomes the Agent Policy
The June 2026 arXiv paper PrivacyAlign: Contextual Privacy Alignment for LLM Agents, by Manveer Singh Tamber, Abhay Puri, Marc-Etienne Brunet, Perouz Taslakian, Jimmy Lin, and Spandana Gella, asks what agent privacy looks like when the agent is acting, remembering, and writing on behalf of a user.
Not Just Secrets
The paper, arXiv:2606.21710 [cs.CL], was submitted on June 19, 2026. Its central move is to define privacy for agents as a contextual disclosure problem. A tool-using assistant may read email, calendar entries, local documents, prior memories, or other records before sending a message or taking an action. The issue is not simply whether the output contains a sensitive string. The issue is whether that information should travel to that recipient for that purpose.
That makes this paper a useful companion to agent data acquisition and inter-agent message leakage. Those pages ask where private data enters and moves inside an agent system. PrivacyAlign asks how an agent should decide what may leave.
The Disclosure Problem
The authors argue that agentic privacy cannot be reduced to secrecy. The same fact can be appropriate in one message and inappropriate in another because social roles, relationships, expectations, task relevance, and recipient identity change the meaning of disclosure. The paper explicitly grounds this frame in contextual privacy rather than a static list of forbidden terms.
That matters for governance because agents increasingly act through final outputs: emails, tickets, summaries, posts, forms, recommendations, and tool calls. A user may not see every record the system inspected. A recipient may not know which memory supplied a detail. A vendor may measure only whether a task completed. PrivacyAlign treats the final action as the place where private memory, tool evidence, and social judgment collide.
Human Labels
The dataset is the paper's concrete contribution. The authors introduce 1,350 response-pair items, split into 1,150 training items and 200 test items, with 3,516 retained human annotations from 599 unique Prolific annotators. Annotators compared two candidate agent responses, marked whether each leaked sensitive information, marked whether each omitted task-relevant information, chose which response they preferred, and wrote rationales.
The paper says the scenarios are synthetic, not drawn from real user traces. That is an important design choice: releasing authentic privacy-sensitive agent interactions would itself create privacy risk. The scenarios include tool-use trajectories and small persistent-memory stores, then keep cases where generated agents actually leak. The result is not a map of all real-world privacy harms. It is a controlled testbed for a hard decision: withhold what should not be shared without dropping what the task legitimately needs.
Rewarding Restraint
PrivacyAlign also tests whether human annotations can guide automated evaluation and training. The authors report that conditioning LLM judges on same-prompt human annotations and explanations raises agreement among judges. In their Table 2, mean Cohen's kappa for leak judgments rises from 0.47 to 0.71, and mean kappa for omit judgments rises from 0.25 to 0.44.
For training, the paper compares reward sources for small open-weight agents. Its annotation-conditioned reward uses human annotations for the same prompt as local guidance while scoring new responses during reinforcement learning. The authors report that this reward outperforms a trained generative reward model and a string-matching reward in their setup, raising clean rates by reducing leakage while avoiding some of the excessive withholding that can make a privacy system useless.
What the Scores Mean
The key metric is "clean" response rate: a response is clean when it neither leaks sensitive information nor omits task-relevant information. This is the right pressure. A privacy model that simply refuses, redacts everything, or writes empty messages can look safe under a leak-only metric while failing the user. A helpfulness-only metric can hide unsafe disclosure. PrivacyAlign forces the tradeoff into the measurement.
The paper reports that even strong models leak in the test setting. Under a privacy-enhanced prompt, GPT-5.5 has the lowest leak rate among the reported frontier models at 14.5% and the highest clean rate at 70.7%. The authors also state that open-weight base models leak on more than half of scenarios. Those numbers should not be read as universal deployment rates. They are testbed results. Their value is comparative: they show why prompt-level caution is uneven and why privacy alignment needs scenario-specific evidence.
Limits That Matter
The authors name several limitations that should stay visible. The data is synthetic and may miss realism or quality problems. Evaluation still relies on LLM judges, even when those judges are conditioned on human annotations. Human annotators differ in privacy intuitions, effort, cultural background, and values. The model-training experiments use small open-weight checkpoints from 4B to 8B parameters. Strong scores on PrivacyAlign do not guarantee safe privacy handling under distribution shift, adversarial prompts, or uncovered domains.
The ethical section adds another governance constraint: the 599 annotators span more than 20 countries of residence, but the pool is English-fluent and not globally representative. That is not a defect to hide. It is the point. Privacy norms are plural. A single reward model can smooth legitimate disagreement into one operational policy.
Governance Standard
An agent privacy policy should not stop at "do not reveal secrets." It should name sender, recipient, subject, purpose, information type, memory source, tool source, expected flow, omission risk, and review path. For each outbound action, the system should preserve a privacy receipt: what sources were consulted, what sensitive details were withheld, what task-relevant details were included, what policy or annotation class justified the choice, and whether a human reviewed the edge case.
This belongs beside contextual integrity, AI agents, memory operations, and privacy and data governance. The Spiralist rule is narrow but durable: when an agent speaks for a person, privacy is not a filter at the edge. It is a norm translated into policy at the moment memory becomes action.
Sources
- Manveer Singh Tamber, Abhay Puri, Marc-Etienne Brunet, Perouz Taslakian, Jimmy Lin, and Spandana Gella, PrivacyAlign: Contextual Privacy Alignment for LLM Agents, arXiv:2606.21710 [cs.CL], submitted June 19, 2026.
- arXiv PDF for PrivacyAlign: Contextual Privacy Alignment for LLM Agents, reviewed June 24, 2026.
- Project page for PrivacyAlign, reviewed June 24, 2026.
- Related pages: The Agent Data Request Becomes the Privacy Boundary, The Inter-Agent Message Becomes the Privacy Leak, The Memory Operation Becomes the Wire Protocol, Contextual Integrity, and AI Agents.