MosaicLeaks: Can your research agent keep a secret?
A Blog post by ServiceNow on Hugging Face Back to Articles a]:hidden"> MosaicLeaks: Can your research agent keep a secret? Enterprise Article Published June 18, 2026 Upvote - Alexander Gurung agurung Follow ServiceNow Rafael Pardinas rafapi-snow Follow ServiceNow TL;DR Deep research agents increasingly combine private local documents with external tools like web retrieval, creating a privacy risk: an agent's external queries may leak sensitive information. MosaicLeaks proposes a new deep-research task with multi-hop questions that interleave public and private information.
Key Takeaways
- Across the models we tested, agents frequently leaked private information, and training only for task performance made it worse.
We propose a mosaic-leakage-aware RL training method, Privacy-Aware Deep Research (PA-DR) , which raises strict chain success (the share of chains where every hop is answered correctly) from 48.
- One references a cloud-migration milestone, one a January 2024 security disclosure, one narrows down which vendor got hit.
- Intent leakage reveals what the agent is investigating .
Answer leakage means the query log holds enough to answer a private question someone already has in hand.
- Each query looks benign alone, but seen together they let an observer deduce that the answer was 15%, and so claim that Lee's online traffic grew 15% in 2020.
Building MosaicLeaks MosaicLeaks contains 1,001 multi-hop research chains over local enterprise documents and a controlled web corpus.
- Local documents come from DRBench-style enterprise tasks, and web documents come from BrowseComp-Plus.
Stats & Key Facts
- #Enterprise Article Published June 18, 2026 Upvote - Alexander Gurung agurung Follow ServiceNow Rafael Pardinas rafapi-snow Follow ServiceNow TL;DR Deep research agents increasingly combine private local documents with external tools like web retrieval, creating a privacy risk: an agent's external queries may leak sensitive information.
- #7% while reducing answer/full-information leakage from 34.
- #But anyone watching the agent's outbound traffic can reassemble the fragments: MediConn had migrated 70% of its infrastructure to the cloud by January 2025, a fact that lived only in private documents.
- #Here the agent searches twice about Lee's Market's 2020 traffic growth, leaking its intent, then issues a third query to answer a follow-up.
Across the models we tested, agents frequently leaked private information, and training only for task performance made it worse. We propose a mosaic-leakage-aware RL training method, Privacy-Aware Deep Research (PA-DR) , which raises strict chain success (the share of chains where every hop is answered correctly) from 48. 7% while reducing answer/full-information leakage from 34.
Privacy Leakage in Deep-Research Agents A research agent at a healthcare firm is working through a routine question, and along the way it fires off a handful of ordinary-looking web searches. One references a cloud-migration milestone, one a January 2024 security disclosure, one narrows down which vendor got hit. No single query necessarily gives away the whole secret.
But anyone watching the agent's outbound traffic can reassemble the fragments: MediConn had migrated 70% of its infrastructure to the cloud by January 2025, a fact that lived only in private documents. This is the mosaic effect, and it's the failure mode at the centre of MosaicLeaks. MosaicLeaks treats those web queries as the leakage channel: the adversary never sees the private documents or the agent's reasoning, only the cumulative query log, and tries to infer private enterprise information from it.
For more details please read the original article at Hugging Face.
Continue Learning
Comments
Sign in to join the conversation