SplitAgent: A Privacy-Preserving Distributed Architecture for Enterprise-Cloud Agent Collaboration

SplitAgent introduces a novel distributed architecture that enables privacy-preserving collaboration between enterprise and cloud AI agents by utilizing context-aware dynamic sanitization, differential privacy, and zero-knowledge verification to achieve high task accuracy while significantly reducing data leakage compared to static approaches.

The Gist

Imagine you own a very valuable, secret recipe for a world-famous soup. You want to hire a famous, super-smart chef (the Cloud AI) to help you improve the recipe, but you are terrified that if you send them the original recipe, they might steal it, sell it, or accidentally leak your secret ingredients.

Currently, the tech world offers you two bad choices:

1. The "All-or-Nothing" Cloud: You send the whole recipe to the chef. They give you amazing improvements, but now they know your secret.
2. The "Do It Yourself" Local: You keep the recipe safe in your kitchen and try to improve it yourself using a small, not-so-smart notebook. The recipe stays safe, but the improvements are mediocre.

SplitAgent is a brilliant new solution that lets you have the best of both worlds. Think of it as hiring a super-smart translator who works right in your kitchen.

How SplitAgent Works: The "Translator" Analogy

Here is the step-by-step process using our soup recipe analogy:

1. The Two Teams

• The Privacy Agent (Your Kitchen): This is a smart robot living inside your secure office. It holds the original, secret recipe. It never leaves your building.
• The Reasoning Agent (The Cloud Chef): This is the super-smart AI living in the cloud. It has seen millions of recipes and knows how to make soup taste amazing, but it is not allowed to see your secret ingredients.

2. The Magic "Context-Aware" Translator
This is the paper's biggest innovation. Usually, if you want to hide a secret, you just black out words with a marker (Static Masking). But that makes the recipe useless. If you black out "salt," the chef doesn't know if you need a pinch or a cup.

SplitAgent uses a Context-Aware Translator. It understands what you are trying to do:

• Scenario A: Improving the Flavor. If you ask the chef to make the soup tastier, the translator says: "Chef, this is a soup recipe. The secret is 'Truffle Oil,' but don't worry about the brand. Just tell us how to balance the salt and pepper." It hides the brand name but keeps the amount and type of ingredient so the chef can still give good advice.
• Scenario B: Checking for Safety. If you ask the chef to check if the recipe is safe for people with allergies, the translator says: "Chef, here is the list of ingredients, but we've replaced 'Peanuts' with 'Nut-Allergen-Group-A'. You can check for safety without knowing we specifically use peanuts."

The translator changes the level of secrecy based on the task. It's like wearing different masks for different jobs: a disguise for a party, a helmet for construction, but always keeping your face safe.

3. The "Privacy Budget"
Imagine you have a wallet with a limited amount of "Privacy Coins." Every time you ask the cloud chef a question, it costs a few coins.

• If you ask a simple question, it costs 1 coin.
• If you ask a complex question, it costs 5 coins.
• The SplitAgent system watches your wallet. If you are running low on coins, it automatically makes the translator a bit more careful (hiding more details) so you don't run out of privacy before the job is done.

Why is this a Big Deal?

The paper tested this system with real-world tasks like reviewing legal contracts, checking computer code, and analyzing financial numbers.

• The Old Way (Static Masking): Like putting a giant black box over the whole recipe. The chef guesses, and gets it wrong 30% of the time.
• The SplitAgent Way: The chef gets a "sanitized" version of the recipe that is perfect for the job.
  • Accuracy: The chef got the right answer 83.8% of the time (compared to 73% for the old way).
  • Privacy: Your secrets were protected 90.1% of the time (compared to 79% for the old way).

The Bottom Line

SplitAgent is like a secure, intelligent middleman. It allows companies to use the super-powerful brains of Cloud AI without handing over their most sensitive secrets. It doesn't just hide data; it smartly reshapes the data so the AI can still do its job, while ensuring the original secrets stay locked in the vault.

It solves the age-old problem: "How do I get help from the outside world without letting them in?" by building a smart, secure airlock that lets information out, but keeps the secrets in.

Technical Summary

Here is a detailed technical summary of the paper "SplitAgent: A Privacy-Preserving Distributed Architecture for Enterprise-Cloud Agent Collaboration."

1. Problem Statement

The rapid adoption of Large Language Models (LLMs) for enterprise automation faces a critical privacy-utility dilemma:

• The Conflict: Sophisticated AI capabilities reside in cloud-hosted models requiring data sharing, while enterprises must protect sensitive data (customer records, IP, financial data) due to compliance and security regulations.
• Limitations of Current Solutions:
  • Full-Cloud: Sharing raw data with cloud agents compromises privacy.
  • Full-Local: Running models locally limits AI capabilities due to resource constraints.
  • Existing Protocols (MCP, A2A): Current agent communication frameworks assume complete trust and plaintext data sharing, making them unsuitable for confidential enterprise environments.
  • Static Sanitization: Existing data masking approaches apply fixed rules (e.g., regex) regardless of task context, leading to either excessive data loss (reducing utility) or insufficient privacy protection.

2. Methodology: The SplitAgent Architecture

The authors propose SplitAgent, a novel distributed architecture that decouples data handling (on-premise) from reasoning (cloud) while enabling secure collaboration.

A. System Components

1. Privacy Agent (Enterprise-Side):
   • Acts as the guardian of sensitive data.
   • Context-Aware Sanitizer: Dynamically sanitizes data based on task semantics (e.g., preserving legal structure in contracts while hiding party names; preserving code syntax while removing credentials).
   • Local RAG Engine: Performs retrieval and summarization locally, sending only abstracted insights to the cloud.
   • Privacy Budget Manager: Tracks cumulative privacy expenditure using differential privacy (DP) principles.
   • Local Tool Executor: Runs sensitive operations (e.g., compliance checks) locally to avoid cloud exposure.
2. Reasoning Agent (Cloud-Side):
   • Operates exclusively on sanitized abstractions.
   • Utilizes powerful LLMs for high-level reasoning, pattern analysis, and strategic planning without accessing raw enterprise data.

B. Core Innovations

1. Context-Aware Dynamic Sanitization:
   • Unlike static masking, the sanitization engine adapts protection strategies based on the specific task type ($T$).
   • Example: For Contract Review, it preserves clause relationships but abstracts amounts and dates. For Code Review, it maintains syntax patterns but removes internal URLs and credentials.
   • Algorithm: Extracts entities, determines sensitivity levels relative to a privacy budget ($\epsilon$), and applies abstraction or differential privacy noise accordingly.
2. SplitAgent Protocol:
   • Extends existing agent protocols with privacy-preserving primitives:
     • Differential Privacy (DP) Context Sharing: Adds calibrated noise to shared context.
     • Zero-Knowledge Tool Verification: Allows cloud agents to verify tool execution results without seeing the underlying sensitive data.
     • Privacy Budget Management: Manages a cumulative privacy budget across multiple interaction turns to prevent leakage over time.

3. Key Contributions

• Novel Architecture: A two-tier design separating data custody (Enterprise) from reasoning capability (Cloud), enabling secure collaboration without raw data transfer.
• Semantic Adaptation: Introduction of a sanitization engine that tailors privacy protection to task semantics, maximizing utility while guaranteeing privacy.
• Formal Privacy Guarantees: Integration of $(\epsilon, \delta)$-differential privacy and zero-knowledge proofs into standard agent communication protocols.
• Intelligent Budgeting: A dynamic system for managing privacy budgets across multi-turn interactions, balancing long-term privacy with immediate task utility.

4. Experimental Results

The authors evaluated SplitAgent against baselines (Full-Cloud, Full-Local, and Static-Split) across six enterprise scenarios (contract review, code audit, financial analysis, etc.).

• Performance Balance:
  • SplitAgent: Achieved 83.8% task accuracy with 90.1% privacy protection.
  • Static-Split (Baseline): Achieved only 73.2% accuracy and 79.7% privacy protection.
  • Full-Cloud: 92.5% accuracy but 0% privacy.
  • Full-Local: 69.2% accuracy but 100% privacy.
• Context-Aware vs. Static:
  • Context-aware sanitization improved task utility by 24.1% over static regex methods and 15.2% over static NER methods.
  • It reduced privacy leakage by 67% compared to static methods.
• Privacy-Utility Tradeoff:
  • The optimal balance was found at a privacy budget of $\epsilon = 0.5$, yielding 83.4% accuracy and 94.5% privacy protection.
• Adversarial Resistance:
  • SplitAgent reduced attack success rates significantly:
    • Reconstruction Attacks: 89% reduction compared to no defense.
    • Linkability Attacks: Reduced success rate to 6.7% (vs. 88.7% with no defense).
• Scalability: The system effectively managed 50+ interaction turns with intelligent budget allocation, achieving a 96% task completion rate.

5. Significance and Impact

• Practical Enterprise Adoption: SplitAgent provides a viable path for enterprises to leverage powerful cloud AI without compromising sensitive data, solving the "binary choice" problem of current frameworks.
• Protocol Evolution: It demonstrates how existing agent protocols (like MCP) can be extended with cryptographic and statistical privacy primitives without breaking compatibility.
• Balanced Security: By moving beyond static masking to semantic-aware sanitization, the system proves that high utility and high privacy are not mutually exclusive in AI agent collaboration.
• Future Foundation: The architecture lays the groundwork for secure multi-enterprise collaboration and the integration of advanced techniques like homomorphic encryption in future iterations.

In conclusion, SplitAgent represents a significant step forward in secure AI deployment, offering a robust framework where enterprises can utilize cloud intelligence while maintaining strict control over their confidential data.