SplitAgent: A Privacy-Preserving Distributed Architecture for Enterprise-Cloud Agent Collaboration

📝 Paper Summary

Privacy-preserving AI Distributed Agent Architecture Enterprise AI

SplitAgent enables secure enterprise-cloud collaboration by separating sensitive data handling from reasoning, using a local agent for context-aware sanitization and a cloud agent for logic.

Core Problem

Enterprise adoption of cloud AI agents faces a binary choice: share sensitive data with the cloud (risking privacy) or keep processing local (sacrificing capability).

Why it matters:

Current frameworks like MCP (Model Context Protocol) and A2A (Agent-to-Agent) assume complete trust and plaintext data sharing, which violates enterprise security requirements
Different tasks require different privacy strategies (e.g., hiding names in contracts vs. hiding credentials in code), which static masking tools fail to address
Enterprises cannot leverage powerful cloud-hosted LLMs (Large Language Models) for confidential documents without risking data leakage or compliance violations

Concrete Example: In a contract review, a standard cloud agent requires the full text including party names and amounts. A static masker might redact all numbers, making the contract unreadable. SplitAgent abstracts '$150,000' to 'AMOUNT_LARGE', preserving the reasoning capability ('is the amount within limits?') while hiding the value.

Key Novelty

Two-Tier Split Architecture with Context-Aware Dynamic Sanitization

Separates the system into an Enterprise Privacy Agent (holds raw data, performs sanitization/execution) and a Cloud Reasoning Agent (performs logic on abstractions)
Introduces dynamic sanitization that adapts based on task semantics rather than static rules (e.g., preserving syntax for code review but legal structure for contracts)

Evaluation Highlights

83.8% task accuracy vs. 73.2% for static sanitization approaches across six enterprise scenarios
90.1% privacy protection rate vs. 79.7% for static methods, minimizing information leakage
24.1% improvement in task utility compared to static regex-based masking methods

Breakthrough Assessment

8/10

Addresses a critical barrier to enterprise AI adoption (privacy vs. utility) with a practical, architecturally distinct solution that significantly outperforms static baselines.

⚙️ Technical Details

Problem Definition

Setting: Distributed agent system where Enterprise Environment holds sensitive data D and Cloud Environment holds reasoning models, aiming to maximize task utility U while satisfying differential privacy budget ε

Inputs: Enterprise task T and sensitive data D (documents, databases, code)

Outputs: Sanitized abstraction D~ and reasoning results/action plans

Pipeline Flow

Privacy Agent (Input Analysis & Sanitization)
Cloud Reasoning Agent (Planning & Logic)
Privacy Agent (Desanitization & Execution)

System Modules

Privacy Agent

Guardian of enterprise data; manages sanitization, local RAG, and tool execution

Model or implementation: Python-based controller + spaCy for NER

Reasoning Agent

Performs high-level reasoning and planning on sanitized data

Model or implementation: Cloud LLMs (Claude, GPT-4, Gemini via API)

Novel Architectural Elements

Context-Aware Dynamic Sanitization Engine: Adapts privacy strategy (abstraction vs. redaction) based on semantic task requirements
Split-State Protocol: State machine extending MCP/A2A with privacy states (HANDSHAKE, CONTEXT_SHARE, BUDGET_LOW)
Cumulative Privacy Budget Manager: Tracks epsilon consumption across multi-turn interactions

Modeling

Base Model: Claude, GPT-4, and Gemini (accessed via API)

Compute: Modest latency increase (15%) reported; relies on external cloud APIs for heavy lift

Comparison to Prior Work

vs. MCP/A2A: Adds privacy layer (DP context sharing, ZK tool verification) enabling untrusted collaboration
vs. Static Masking: Uses semantic abstraction (e.g., preserving code structure or numerical relationships) rather than binary redaction
vs. Homomorphic Encryption [not cited in paper]: SplitAgent focuses on text abstraction for LLMs rather than encrypted computation, prioritizing utility and speed over cryptographic hardness

Limitations

Relies on the quality of the sanitization engine; failure in NER or pattern detection could leak data
Incurs a 15% latency overhead due to the sanitization/desanitization process
Requires explicit task type definition to select the correct sanitization strategy
Privacy budget management may degrade performance in long-running (50+ turn) interactions

Reproducibility

No replication artifacts mentioned in the paper. Code, prompt templates, and synthetic datasets are not provided. Methodology relies on standard libraries (spaCy) and commercial APIs.

📊 Experiments & Results

Evaluation Setup

Evaluation on synthetic enterprise datasets using six specific task scenarios

Benchmarks:

Synthetic Enterprise Datasets (Varied (Contract review, Code audit, Financial analysis, Customer support)) [New]

Metrics:

Task Accuracy
Privacy Protection Rate
Utility Preservation
Attack Success Rate
Statistical methodology: Not explicitly reported in the paper

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
Main performance comparison showing SplitAgent outperforms static methods in both accuracy and privacy.
Synthetic Enterprise Datasets (Avg)	Task Accuracy	73.2%	83.8%	+10.6%
Synthetic Enterprise Datasets (Avg)	Privacy Protection	79.7%	90.1%	+10.4%
Impact of context-aware sanitization on utility compared to different static baselines.
Synthetic Enterprise Datasets	Task Utility	Not explicitly reported in the paper	Not explicitly reported in the paper	Not reported in the paper
Resilience against adversarial attacks targeting the sanitized data.
Linkability Attack	Attack Success Rate	Not explicitly reported in the paper	6.7%	Not reported in the paper

Main Takeaways

Optimal privacy-utility balance is found at epsilon=0.5, achieving 83.4% accuracy with 94.5% privacy protection.
Context-aware sanitization is critical: preserving 'legal structure' for contracts vs 'syntax' for code yields significantly better reasoning than blanket redaction.
The system shows strong resistance to linkability attacks (6.7% success rate), making it difficult for adversaries to correlate sanitized sessions.
Budget management allows the system to scale to 50+ turns with graceful degradation, rather than abrupt failure.

📚 Prerequisite Knowledge

Prerequisites

Agent Communication Protocols (MCP, A2A)
Differential Privacy (DP)
Retrieval-Augmented Generation (RAG)

Key Terms

MCP: Model Context Protocol—a standard from Anthropic enabling agents to share context and capabilities via structured messages

A2A: Agent-to-Agent protocol—Google's protocol for hierarchical agent coordination

Differential Privacy: A formal definition of privacy ensuring that the output of an algorithm does not significantly depend on any single individual's data

Zero-Knowledge Proof: A cryptographic method allowing one party to prove they know a value or performed a computation without revealing the value itself

RAG: Retrieval-Augmented Generation—fetching relevant data to ground LLM responses

NER: Named Entity Recognition—identifying and classifying key information (names, organizations, locations) in text

Linkability Attack: An attempt to re-identify users or entities by correlating data across multiple independent sessions or datasets

Sanitization: The process of modifying data (masking, abstracting, or adding noise) to protect sensitive information while retaining utility