Research agents leak secrets through their own search queries
ServiceNow researchers describe a quiet privacy hole in deep research agents, the kind that read private company documents and also search the web to fill gaps. Each web query looks harmless on its own, but anyone watching the query log can reassemble the fragments. In their example, three searches about a cloud migration, a January 2024 security incident, and a named vendor together reveal that a healthcare company had moved 70% of its infrastructure to the cloud, a fact that lived only in the private documents. They call this the mosaic effect and break it into intent leakage, answer leakage, and full-information leakage.
Two findings make the problem hard to wave away. Telling the agent "don't leak" in the prompt barely helped. Worse, training an agent purely to do its job well made the leakage grow: strict task success rose from 48.7% to 59.3%, but leakage climbed from 34.0% to 51.7%, because a more capable agent asks sharper, more revealing questions. Their fix, called Privacy-Aware Deep Research, adds a learned privacy reward alongside the task reward. On Qwen3-4B it held task success at 58.7% while cutting leakage to 9.9%. The trained agent actually issued more queries, but stripped out the revealing specifics like exact metrics and dates. As they put it, "you can't prompt privacy in, you have to train it in."
Why it matters
If you build research agents over confidential data, the search queries themselves are an exfiltration channel that a system prompt will not close. This work shows the leak is real, that optimizing only for task quality makes it worse, and that the fix has to live in how the agent is trained.