Pro2Guard: Proactive Runtime Enforcement of LLM Agent Safety via Probabilistic Model Checking
Haoyu Wang, Christopher M. Poskitt, Jun Sun, Jiali Wei
TL;DR
Pro2Guard tackles the safety of LLM-powered agents by predicting multi-step risk and enforcing safety proactively. It learns a domain-specific DTMC from execution traces through predicate abstraction and Laplace smoothing, and uses CTL specifications with $(\varepsilon,\delta)$-PAC guarantees to quantify future violations. Runtime enforcement triggers risk-aware interventions when the predicted safety probability falls below a threshold $\theta$, with options for user-in-the-loop or safe-stop prompts, achieving a balance between safety and task performance. Empirical results in autonomous vehicles and embodied agents show improved safety with modest overhead and reduced manual rule-writing, demonstrating a principled, data-driven path to trustworthy LLM agents in stochastic environments.
Abstract
Large Language Model (LLM) agents demonstrate strong autonomy, but their stochastic behavior introduces unpredictable safety risks. Existing rule-based enforcement systems, such as AgentSpec, are reactive, intervening only when unsafe behavior is imminent or has occurred, lacking foresight for long-horizon dependencies. To overcome these limitations, we present a proactive runtime enforcement framework for LLM agents. The framework abstracts agent behaviors into symbolic states and learns a Discrete-Time Markov Chain (DTMC) from execution traces. At runtime, it predicts the probability of leading to undesired behaviors and intervenes before violations occur when the estimated risk exceeds a user-defined threshold. Designed to provide PAC-correctness guarantee, the framework achieves statistically reliable enforcement of agent safety. We evaluate the framework across two safety-critical domains: autonomous vehicles and embodied agents. It proactively enforces safety and maintains high task performance, outperforming existing methods.