Please Don't Kill My Vibe: Empowering Agents with Data Flow Control

Charlie Summers, Haneen Mohammed, Eugene Wu

TL;DR

The paper tackles the safety risks of stateful LLM agents by proposing Data Flow Controls (DFCs) that are enforced at the data system layer. It introduces FlowGuard, a DBMS-native DFC policy language based on provenance polynomials, and demonstrates how query rewrites can enforce policies with minimal overhead. Through use-case analysis and initial experiments, FlowGuard shows low runtime cost and outperforms provenance-capture baselines, illustrating the practicality of system-centric safety for agent workflows. The authors outline a broad research agenda to extend DFC to general agent ecosystems and tool interactions, aiming to make safe agent deployment feasible in enterprise settings.

Abstract

The promise of Large Language Model (LLM) agents is to perform complex, stateful tasks. This promise is stunted by significant risks - policy violations, process corruption, and security flaws - that stem from the lack of visibility and mechanisms to manage undesirable data flows produced by agent actions. Today, agent workflows are responsible for enforcing these policies in ad hoc ways. Just as data validation and access controls shifted from the application to the DBMS, freeing application developers from these concerns, we argue that systems should support Data Flow Controls (DFCs) and enforce DFC policies natively. This paper describes early work developing a portable instance of DFC for DBMSes and outlines a broader research agenda toward DFC for agent ecosystems.

Paper Structure

This paper contains 23 sections, 7 figures.

Figures (7)

  • Figure 1: Agents interacting with stateful systems suffer from errors that become visible by tracking data flow (red).
  • Figure 2: Provenance polynomials encode how input tuples are joined ($\times$) and aggregated ($+$) to compute output tuples.
  • Figure 3: Conceptual evaluation of a FlowGuard policy. Each box is a clause, labeled arrows are traversed based on the preceding clause's predicate, and dashed boxes are optional.
  • Figure 4: The query plan for $\gamma(\sigma(\texttt{students}) \bowtie \pi(S))$ is rewritten to enforce the disaggregation policy in the disaggregation policy section (\ref{sss:disaggregationpolicy}).
  • Figure 5: K-anonymity policy on $\gamma(\sigma(T) \bowtie \pi(\texttt{constituents}))$.
  • ...and 2 more figures