AI/ ai · agents · security · research

Janus Tests Who Should Really Control Your AI Agent

A new open-source research system shows that no single permission design works for all situations — and that ignoring user fatigue is a serious design flaw.

Researchers have built a public testing ground for figuring out how much control users should have over the actions AI agents take on their behalf.

The system, called Janus, is a two-part framework: a modular core that can simulate a range of permission management designs, and an automated evaluation harness that tests those designs against different scenarios and user behavior models. The team implemented six distinct "permission assistants" — spanning from fully autonomous agent decisions to user-approved every step — and ran them across three scenarios using three synthetic user profiles. Their finding: user involvement meaningfully improves privacy and security outcomes, but AI-assisted decision support helps reduce the cognitive burden on users. Crucially, none of the six designs came out on top across all contexts.

That last point is the uncomfortable one for anyone building agentic products right now. The field has largely converged on the assumption that more user control equals better safety, but Janus surfaces a messier reality — permission fatigue is real, and a design that overwhelms users with prompts effectively degrades back to no control at all. The research suggests that context-sensitive permission design is not a nice-to-have; it is a prerequisite for agentic systems that actually behave as users expect.

With every major AI lab shipping agents that browse the web, write files, and call APIs, the question of who authorized what is no longer academic — and the fact that this is still being studied in playgrounds rather than enforced in production says a lot about where the industry actually is.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →