Contemporary large language model (LLM) agents are remarkably capable, but they still lack reliable safety controls and can produce unconstrained, unpredictable, and even actively harmful outputs. To address this, we introduce Reflection-Driven Control, a standardized and pluggable control module that can be seamlessly integrated into general agent architectures. Reflection-Driven Control elevates "self-reflection" from a post hoc patch into an explicit step in the agent's own reasoning process: during generation, the agent continuously runs an internal reflection loop that monitors and evaluates its own decision path. When potential risks are detected, the system retrieves relevant repair examples and secure coding guidelines from an evolving reflective memory, injecting these evidence-based constraints directly into subsequent reasoning steps. We instantiate Reflection-Driven Control in the setting of secure code generation and systematically evaluate it across eight classes of security-critical programming tasks. Empirical results show that Reflection-Driven Control substantially improves the security and policy compliance of generated code while largely preserving functional correctness, with minimal runtime and token overhead. Taken together, these findings indicate that Reflection-Driven Control is a practical path toward trustworthy AI coding agents: it enables designs that are simultaneously autonomous, safer by construction, and auditable.
Autonomous LLM agents are rapidly evolving from singleturn text generators into systems capable of multi-step task execution, tool use, and real-world decision making (Chowa et al. 2025). This shift fuses internal reasoning with external actions, enabling agents to browse at scale, invoke APIs, and modify external artifacts, thereby exhibiting cross-task competence. As a result, the design space is expanding quickly, while challenges around safety, control, and evaluation are intensifying. With long-term memory, proactive planning, and environment interaction becoming core components, AI agents are transforming from single-model reasoners into distributed networks of cooperating components. This transition is reshaping generative AI practice and catalyzing a global discussion on agentic AI security (Park et al. 2023).
Despite this progress, contemporary agent workflows still produce untrusted content in uncontrollable ways. Even strong base models can hallucinate or emit unsafe outputs. When tools and autonomy enter the loop, jailbreaks, prompt injection, and agent worms further expose fragile control surfaces (John et al. 2025). Such failures can translate directly into system risk and unsafe behavior.
Advancing the safety and trustworthiness of agent workflows hinges on two core challenges. (i) Trusted control at decision time: how to dynamically constrain agent behavior during reasoning and execution to prevent task drift and hazardous tool calls. (ii) Post-hoc verifiability and auditability: how to trace the evidential basis and execution logic of decisions, thereby enabling accountability and transparency.
We propose a standardized reflect agent module that elevates “reflection” from an external, post-hoc procedure to an internal, first-class control loop within the agent. By tightly coupling the reflection pathway with the knowledge feedback channel, the agent architecture equipped with this module can perform continuous self-supervision and selfcorrection across the planning, execution, and verification stages, thereby significantly enhancing system trustworthiness and auditability without compromising autonomy.
To concretely validate the system-level benefits of reflection-centric orchestration, we instantiate our framework in secure code generation. Our experiments show that, relative to strong agent baselines, embedding a reflection agent yields consistent gains in safety, consistency, and traceability, resulting in higher practical trust and auditability. This evidences that the reflection-centric control is effective and scalable for high-risk tasks.
The contributions of this article mainly include the following three points:
• A reflection-driven, closed-loop control framework.
We integrate reflection as a first-class control circuit that spans planning, execution, and verification, with an auditable evidence trail rather than ad-hoc postprocessing, and implemente it as the Reflect layer in a Plan-Reflect-Verify agentic framework.
• A practical instantiation for secure code generation.
We compose lightweight self-checks, dynamic memory/RAG, reflective prompting, and tool governance (compiler/tests/CodeQL) into an evidence-grounded genera-tion pipeline that maintains autonomy while enforcing safety. • Comprehensive evaluation and analysis. On public security-oriented code-generation benchmarks with strict compile/run/static-analysis validation, our framework delivers consistent improvements over agent baselines, alongside ablations and case studies that quantify each component’s impact and illuminate failure modes in high-risk settings.
Agent framework and system security As LLMs evolve from passive generators to autonomous decision-makers, agentic systems have become central to generative AI. Han et al. (2024) note that multi-agent systems enable complex task coordination through role division and communication but still lack robust safety boundaries. Thus, while multiagent architectures enhance automation and scalability in security assessment, they can also introduce systemic risks, where coordination failures or misaligned goals may propagate across agents (David and Gervais 2025). Ensuring cross-agent safety constraints, auditable decisions, and realtime intervention is therefore essential.
Recent work shows that the attack surface of agentic systems exceeds that of traditional AI, encompassing prompt manipulation, toolchain hijacking, external API abuse, and persistent session pollution (Achiam et al. 2023). The THOR framework (Narajala and Narayan 2025) systematizes these threats across the agent lifecycle and argues for layered defenses and auditability to ensure traceable safety. More broadly, de Witt (2025) formalize multi-agent security, showing that decentralized cooperation among autonomous agents introduces systemic risks such as covert collusion, coordinated group attacks, and cross-platform propagation. These observations suggest a shift in security governance from sin
This content is AI-processed based on open access ArXiv data.
