Policy Compiler for Secure Agentic Systems

LLM-based agents are increasingly being deployed in contexts requiring complex authorization policies: customer service protocols, approval workflows, data access restrictions, and regulatory compliance. Embedding these policies in prompts provides no enforcement guarantees. We present PCAS, a Policy Compiler for Agentic Systems that provides deterministic policy enforcement. Enforcing such policies requires tracking information flow across agents, which linear message histories cannot capture. Instead, PCAS models the agentic system state as a dependency graph capturing causal relationships among events such as tool calls, tool results, and messages. Policies are expressed in a Datalog-derived language, as declarative rules that account for transitive information flow and cross-agent provenance. A reference monitor intercepts all actions and blocks violations before execution, providing deterministic enforcement independent of model reasoning. PCAS takes an existing agent implementation and a policy specification, and compiles them into an instrumented system that is policy-compliant by construction, with no security-specific restructuring required. We evaluate PCAS on three case studies: information flow policies for prompt injection defense, approval workflows in a multi-agent pharmacovigilance system, and organizational policies for customer service. On customer service tasks, PCAS improves policy compliance from 48% to 93% across frontier models, with zero policy violations in instrumented runs.

💡 Research Summary

The paper tackles a fundamental weakness of current large‑language‑model (LLM) agents: they rely on natural‑language prompts to convey organizational policies, which are ambiguous, hard to verify, and easily subverted by prompt‑injection attacks. To provide strong, model‑agnostic enforcement, the authors introduce PCAS (Policy Compiler for Agentic Systems), a framework that compiles high‑level declarative policies into runtime checks that are guaranteed to be applied before any action is executed.

The cornerstone of PCAS is a fine‑grained dependency graph that records every event in an agentic system—tool calls, tool results, messages, and their causal relationships. Unlike linear logs, this graph preserves the “happens‑before” ordering across multiple agents, enabling the system to answer questions such as “Did a supervisor’s approval precede this data‑access request?” or “Is the information used by this action derived from a confidential source?” The graph is updated incrementally as the system runs.

Policies are expressed in a Datalog‑derived domain‑specific language (DSL). The DSL allows recursive predicates over the graph, supporting transitive closure and provenance queries. Policies are essentially ABAC rules where the attributes include not only the acting agent’s identity and role but also graph‑derived context attributes (e.g., “has‑path‑from‑approval‑node”). Because the language is based on Datalog, it guarantees termination and can be compiled to efficient incremental evaluation code (implemented via Differential Datalog).

PCAS works by automatically instrumenting any existing agent implementation (assumed to be built on standard frameworks). It inserts a reference monitor that intercepts every prospective action, queries the current graph against the compiled policy rules, and blocks the action if any rule evaluates to false. The monitor’s evaluation is performed in Rust code generated from the Datalog policies, ensuring low latency and deterministic behavior. This separation of policy decision from the LLM’s reasoning eliminates reliance on the model’s internal compliance and protects against adversarial manipulation of prompts.

The authors evaluate PCAS on three realistic case studies:

1. Prompt‑injection defense – an information‑flow policy that tracks confidentiality labels through the graph and blocks any tool call that would leak high‑confidential data.
2. Pharmacovigilance approval workflow – a multi‑agent system where a drug‑safety analyst must obtain explicit supervisor approval before accessing patient records; the policy enforces both the presence of approval and its causal precedence.
3. Organizational customer‑service policies – a suite of rules governing data access, escalation procedures, and audit logging across a team of service agents.

Using the τ2‑bench customer‑service benchmark, the authors compare uninstrumented LLM agents (Claude Opus 4.5, GPT‑5.2, Gemini 3 Pro) with PCAS‑instrumented versions. Policy compliance jumps from 48 % to 93 % on average, and zero policy violations are observed in the instrumented runs. The improvement is consistent across model families, demonstrating that PCAS’s enforcement is model‑agnostic.

A comparative table shows that prior runtime enforcement systems (Progent, NeMo Guardrails, Invariant Guardrails, AgentSpec, ShieldAgent, GuardAgent, FIDES) each miss at least one critical dimension: expressive policy language, recursive graph queries, causal dependency tracking, multi‑agent support, or deterministic enforcement. PCAS uniquely satisfies all five.

The paper acknowledges limitations: the dependency graph can grow large in highly interactive environments, and the current DSL lacks native temporal operators (e.g., “must approve within 5 minutes”). Future work includes graph compression techniques, formal verification of compiled policies, and extending the language with time‑based predicates.

In summary, PCAS demonstrates that a policy‑compiler approach—combining a causal dependency graph with a Datalog‑based declarative language—can provide deterministic, model‑independent enforcement for complex, cross‑agent authorization policies in LLM‑driven systems, substantially improving compliance while preserving the flexibility of existing agent implementations.