Towards Policy-Compliant Agents: Learning Efficient Guardrails For Policy Violation Detection

Xiaofei Wen, Wenjie Jacky Mo, Yanan Xie, Peng Qi, Muhao Chen

TL;DR

PolicyGuardBench addresses the gap in evaluating policy-trajectory compliance for autonomous web agents by providing a large-scale, cross-domain benchmark of trajectory-policy violations. The authors synthesize diverse policies, align them with standardized agent trajectories, and annotate violations, enabling both full-trajectory and prefix-based detection tasks. They train PolicyGuard-4B, a lightweight guardrail model, which achieves strong accuracy and efficient inference and generalizes across unseen domains. The work demonstrates that accurate, generalizable policy guardrails are feasible at small scales, offering a practical path toward trustworthy policy-compliant web agents.

Abstract

Autonomous web agents need to operate under externally imposed or human-specified policies while generating long-horizon trajectories. However, little work has examined whether these trajectories comply with such policies, or whether policy violations persist across different contexts such as domains (e.g., shopping or coding websites) and subdomains (e.g., product search and order management in shopping). To address this gap, we introduce PolicyGuardBench, a benchmark of about 60k examples for detecting policy violations in agent trajectories. From diverse agent runs, we generate a broad set of policies and create both within-subdomain and cross-subdomain pairings with violation labels. In addition to full-trajectory evaluation, PolicyGuardBench also includes a prefix-based violation detection task where models must anticipate policy violations from truncated trajectory prefixes rather than complete sequences. Using this dataset, we train PolicyGuard-4B, a lightweight guardrail model that delivers strong detection accuracy across all tasks while keeping inference efficient. Notably, PolicyGuard-4B generalizes across domains and preserves high accuracy on unseen settings. Together, PolicyGuardBench and PolicyGuard-4B provide the first comprehensive framework for studying policy compliance in web agent trajectories, and show that accurate and generalizable guardrails are feasible at small scales.

Paper Structure

This paper contains 30 sections, 1 equation, 5 figures, 6 tables.

Figures (5)

  • Figure 1: Example trajectory illustrating agent actions, policies, and violations. The agent completes the task but violates policies both directly (alcohol) and cumulatively (more than one cake, total cost > $200), cases that traditional guardrails fail to detect.
  • Figure 2: Data processing pipeline for constructing PolicyGuardBench, from raw trajectories to standardized trajectories, synthesized policies, and annotated violations.
  • Figure 3: Prefix-based violation detection accuracy across all evaluated models. Accuracy is generally highest at $N=1$ and decreases as prefix length increases.
  • Figure 4: Prefix-based violation detection accuracy for large-scale models ($\geq$30B parameters and frontier systems). Performance is strong at $N=1$ and declines moderately as prefix length increases.
  • Figure 5: Prefix-based violation detection accuracy for smaller open-source models ($<$30B, including PolicyGuard-4B). Smaller models show greater variance and sharper drops in accuracy, whereas our lightweight PolicyGuard-4B achieves robust and competitive results across prefix lengths.