The Planning Twin

An LLM agent needs to plan actions in your environment. Your environment contains source code, credentials, file paths. The LLM runs in the cloud. The planning requires understanding the environment. The environment cannot be sent to the cloud.

Yu et al. build PlanTwin: a middleware that creates a sanitized digital twin of the environment — an abstraction that preserves everything the planner needs to know while removing everything that could be reconstructed into sensitive information. The twin is schema-constrained: it maps the real environment into a planning-oriented representation where structure is preserved but content is replaced.

The privacy guarantees are formal. (k,δ)-anonymity ensures that sensitive items cannot be uniquely identified. ε-unlinkability ensures that multiple interactions do not compose into a reconstruction attack. The compositional guarantee matters — a planner that sees one abstracted view per query might reconstruct the original across many queries, and PlanTwin’s disclosure budget tracks cumulative leakage.
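An added sketch of the structure-versus-content split and the cumulative disclosure budget described above; it is not PlanTwin's code or algorithm. The schema fields, the HMAC handle scheme, the field-count budget and the sample environment are assumptions made up for illustration, and the sketch does not implement the paper's (k,δ)-anonymity or ε-unlinkability definitions.

```python
import hashlib, hmac, os

# Constructed sample environment (not from the paper): real paths, kinds, content.
ENV = [
    {"path": "/srv/app/config/db.env", "kind": "credential", "content": "DB_PASSWORD=constructed-secret"},
    {"path": "/srv/app/src/billing.py", "kind": "source", "content": "def charge(card): ..."},
    {"path": "/srv/app/src/auth.py", "kind": "source", "content": "def login(u, p): ..."},
]
# Hypothetical schema: the only fields a twin node may carry. Content is never one of them.
TWIN_SCHEMA = ("handle", "kind", "depth", "size_bucket")

class Twin:
    def __init__(self, env, budget, key=None):
        self._key = key or os.urandom(32)  # per-session key, so handles differ across sessions
        self._budget = budget              # assumed budget unit: disclosed fields, summed over queries
        self._spent = 0
        self._real = {}                    # handle -> real path; stays inside the middleware
        self._nodes = {}
        for item in env:
            h = self._handle(item["path"])
            self._real[h] = item["path"]
            self._nodes[h] = {"handle": h, "kind": item["kind"],
                              "depth": item["path"].count("/"),
                              "size_bucket": "small" if len(item["content"]) < 1024 else "large"}

    def _handle(self, path):
        # Keyed hash: the planner cannot recompute or invert the handle without the key.
        tag = hmac.new(self._key, path.encode(), hashlib.sha256).hexdigest()[:8]
        return f"obj_{tag}"

    def view(self, fields):
        """Return the abstracted view for one planner query and charge the budget."""
        bad = [f for f in fields if f not in TWIN_SCHEMA]
        if bad:
            raise ValueError(f"not in twin schema: {bad}")
        cost = len(fields) * len(self._nodes)
        if self._spent + cost > self._budget:
            raise PermissionError("disclosure budget exhausted")
        self._spent += cost
        return [{f: n[f] for f in fields} for n in self._nodes.values()]

    def resolve(self, handle):
        """Local only: map a handle in the returned plan back to the real path."""
        return self._real[handle]
```

The planner only ever receives the output of `view`; `resolve` runs on the local side when the returned plan is executed.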

The results: full sensitive-item non-disclosure (SND = 1.0) with planning quality exceeding 0.79 for three of four planners tested. The abstraction costs something — not every planning detail survives sanitization — but the degradation is small relative to the privacy gained.

The structural tension: planning requires understanding, and understanding requires information, and information leaks. The twin resolves this by distinguishing between structural information (which the planner needs) and content information (which the planner must not see). The same distinction that makes abstraction useful in programming — hiding implementation behind interface — makes it useful in privacy: hiding sensitive content behind planning-relevant structure.

