Will the Agent Recuse Itself? Measuring LLM Compliance with In-Band Access-Deny Signals

Authentication says whether you can. Authorization says whether you may. But what happens when an autonomous agent has valid credentials and passes both checks, yet the resource owner wants it to voluntarily walk away?

This is not a hypothetical edge case. As LLM agents increasingly hold production credentials and operate infrastructure without a human in the loop, operators face a protocol-level gap: access controls either let the agent in (it authenticated successfully) or hard-fail it (indistinguishable from a network error or wrong password). There is no standard way to say “you have permission, but you shouldn’t proceed.”

ArXiv paper 2606.06460v1 proposes the Recuse Signal, a lightweight in-band message that servers emit over existing protocol channels (SSH banners, PostgreSQL NOTICE messages) asking automated agents to voluntarily withdraw. The paper then measures whether compliant LLM agents actually honor it.

The Missing Layer Between Auth and Action

Traditional access control is binary:

Authentication succeeds: the agent proceeds.
Authentication fails: the agent stops (or retries).

This works for human operators who read context clues (a login banner warning about maintenance, a database connection message about read-only mode). Humans recuse themselves. Agents do not, because they have no protocol-level signal to interpret.

The gap appears in scenarios like:

A database is online and accepting connections, but undergoing a schema migration. Automated agents should defer non-critical queries.
An SSH host is accessible, but a deployment is in progress. Agents should wait.
A service is up, but a compliance audit is underway. Agents should log their intent and pause.

Hard-failing authentication (rotating credentials, firewall rules) works but breaks legitimate workflows. The Recuse Signal is a cooperative governance control, not a security boundary. It assumes the agent is well-intentioned and capable of interpreting soft signals.

The Recuse Signal Protocol

The signal is a structured message embedded in existing protocol channels:

SSH example (banner):

RECUSE-SIGNAL: reason="maintenance-window" contact="ops@example.com" expires="2026-06-05T06:00:00Z"

PostgreSQL example (NOTICE):

NOTICE: RECUSE-SIGNAL: reason="schema-migration" contact="dba@example.com" expires="2026-06-05T08:00:00Z"

The signal includes:

reason: human-readable context (maintenance, audit, migration).
contact: operator email or Slack channel.
expires: optional timestamp after which the signal no longer applies.

The paper implements two zero-footprint adapters:

SSH banner + PAM hook: injects the signal into the SSH login banner and logs connection attempts.
PostgreSQL wire-protocol proxy: intercepts the connection handshake and emits a NOTICE before the agent can execute queries.

Both adapters require no changes to the agent’s credentials or the server’s authentication logic. They sit between the protocol handshake and the first action.

Experimental Setup

The paper runs a controlled experiment on a live production host:

Task: agents are given a benign operations task (check disk usage, query a database table).
Treatment group: the Recuse Signal is present.
Control group: no signal.
Agents tested: OpenAI GPT-4o, GPT-4o-mini, and Claude Code (deployed as an autonomous agent).

The experiment measures two outcomes:

Recusal rate: does the agent voluntarily disconnect after seeing the signal?
Task completion rate: does the agent proceed and complete the task?

Results: Cooperative, Not Absolute

The pilot results are striking:

Condition	GPT-4o	GPT-4o-mini	Claude Code
No signal (control)	100% task completion	100% task completion	100% task completion
Signal present	100% recusal	100% recusal	100% recusal
Signal + explicit operator override	Proceeds	Recuses	Recuses

When the signal is present, all agents recuse themselves. When absent, all agents complete the task. This is the expected behavior.

The third row is the interesting one. When the agent is given an explicit operator-authorization framing (“you are authorized to proceed despite the signal”), GPT-4o proceeds, while GPT-4o-mini and Claude Code still recuse. This reveals that the signal behaves as a cooperative rather than absolute control. The most capable model interprets the authorization as overriding the signal. The others treat the signal as a hard stop.

This is not a bug. It is a feature. The signal is designed to be context-sensitive. An agent operating under explicit human instruction should be able to override it. An agent operating autonomously should defer.

Architecture: Where to Inject the Signal

The signal must be emitted early enough in the protocol handshake that the agent can recuse before taking any action. Three injection points work:

1. Protocol banner (SSH, FTP, SMTP)

The server emits the signal in the pre-authentication banner. The agent reads it before sending credentials.

# SSH server config (OpenSSH)
Banner /etc/ssh/recuse-banner.txt

# /etc/ssh/recuse-banner.txt
RECUSE-SIGNAL: reason="maintenance-window" contact="ops@example.com" expires="2026-06-05T06:00:00Z"

2. Post-authentication message (PostgreSQL, MySQL)

The server emits the signal as a NOTICE or WARNING after authentication but before the first query.

# Pseudocode: PostgreSQL wire-protocol proxy
import psycopg2

def intercept_startup(connection_params):
    conn = psycopg2.connect(**connection_params)
    cursor = conn.cursor()
    cursor.execute("DO $$ BEGIN RAISE NOTICE 'RECUSE-SIGNAL: reason=schema-migration contact=dba@example.com'; END $$;")
    return conn

3. HTTP header (REST APIs, webhooks)

The server emits the signal as a custom HTTP header in the response to the first request.

HTTP/1.1 200 OK
X-Recuse-Signal: reason="rate-limit-exceeded" contact="api-support@example.com" retry-after="300"

The key constraint: the signal must be machine-readable and appear before the agent takes any irreversible action (writes, deletes, deployments).

Observability: Logging Recusal Decisions

The signal is only useful if operators can audit agent behavior. The paper’s adapters log three events:

Signal emitted: timestamp, reason, agent identity (IP, user, session ID).
Agent recused: timestamp, agent identity, task aborted.
Agent proceeded: timestamp, agent identity, task completed (potential violation).

These logs feed into existing observability stacks (Datadog, Splunk, Prometheus). A simple alert rule flags agents that proceed despite the signal:

# Prometheus alert rule
- alert: AgentIgnoredRecuseSignal
  expr: recuse_signal_emitted == 1 AND agent_proceeded == 1
  for: 1m
  labels:
    severity: warning
  annotations:
    summary: "Agent {{ $labels.agent_id }} ignored recuse signal"

This gives operators a real-time view of agent compliance without requiring changes to the agent’s code.

Failure Modes and Mitigations

The signal is cooperative, so it fails in predictable ways:

Failure Mode	Likelihood	Mitigation
Agent does not parse the signal	Medium	Standardize signal format (JSON, YAML, key-value pairs)
Agent parses but ignores the signal	Low (for compliant agents)	Log and alert on non-compliance
Signal is spoofed by an attacker	Low (requires server compromise)	Sign the signal with a shared secret or TLS cert
Signal expires but agent caches it	Medium	Include a short TTL and require agents to re-check
Out of scope: non-LLM agents	N/A	Use hard access controls (firewall, credential rotation) for legacy tools

The most common failure is agents that do not parse the signal. This is a tooling problem, not a protocol problem. The paper proposes a standard library (Python, Go, Rust) that agents can import to handle signal parsing and recusal logic.

When to Use This

The Recuse Signal is useful when:

Agents hold long-lived credentials and operate autonomously.
Hard-failing authentication breaks legitimate workflows.
You need a soft, auditable way to tell agents to defer.
You want to measure agent compliance with governance policies.

It is not useful when:

You need a security boundary (use hard access controls instead).
Agents are non-compliant or adversarial (they will ignore the signal).
The resource is truly off-limits (rotate credentials, block at the firewall).

The signal is a governance tool, not a security tool. It works because compliant agents are designed to respect it. It fails when agents are not.

Technical Verdict

Use the Recuse Signal when you operate autonomous agents with production credentials and need a lightweight, auditable way to tell them to defer without breaking authentication. It is particularly useful for maintenance windows, schema migrations, and compliance audits where hard-failing access controls are too blunt.

Avoid it when you need a security boundary or when agents are non-compliant. The signal is cooperative, not enforced. If an agent ignores it, your only recourse is logging and alerting. For truly off-limits resources, rotate credentials or block at the network layer.

The pilot achieved 100% recusal when the signal was present and 100% task completion when absent, proving the signal is both interpretable and actionable. Whether this becomes a standard depends on adoption, but the plumbing is sound and the compliance data is unambiguous.