Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Trustworthy Agentic AI Requires Deterministic Architectural Boundaries

Manish Bhattarai, Minh Vu

TL;DR

This paper argues that high-stakes scientific workflows require deterministic architectural boundaries to ensure authorization security in agentic AI, because training-based defenses cannot guarantee command–data separation when inputs can be adversarial. It introduces the Trinity Defense Architecture, comprising Action Governance, Information-Flow Control, and Privilege Separation, to enforce unforgeable provenance and mediated, auditable tool use via a small trusted computing base. The authors formalize the limitations of learned separation, present a minimal instantiation (FAC + Policy + Trace), and propose rigorous evaluation criteria and epistemological justification for architectural mediation as essential for trustworthy AI in science. They also discuss epistemic integrity, potential objections, and a path forward through aGLP standards to promote reproducibility and verifiability in agentic scientific work. The practical impact is a clearly defined security architecture that can be implemented to prevent unauthorized actions and leakage, enabling safer deployment of agentic AI in high-stakes research contexts while preserving epistemic traceability.

Abstract

Current agentic AI architectures are fundamentally incompatible with the security and epistemological requirements of high-stakes scientific workflows. The problem is not inadequate alignment or insufficient guardrails, it is architectural: autoregressive language models process all tokens uniformly, making deterministic command--data separation unattainable through training alone. We argue that deterministic, architectural enforcement, not probabilistic learned behavior, is a necessary condition for trustworthy AI-assisted science. We introduce the Trinity Defense Architecture, which enforces security through three mechanisms: action governance via a finite action calculus with reference-monitor enforcement, information-flow control via mandatory access labels preventing cross-scope leakage, and privilege separation isolating perception from execution. We show that without unforgeable provenance and deterministic mediation, the ``Lethal Trifecta'' (untrusted inputs, privileged data access, external action capability) turns authorization security into an exploit-discovery problem: training-based defenses may reduce empirical attack rates but cannot provide deterministic guarantees. The ML community must recognize that alignment is insufficient for authorization security, and that architectural mediation is required before agentic AI can be safely deployed in consequential scientific domains.

Trustworthy Agentic AI Requires Deterministic Architectural Boundaries

TL;DR

This paper argues that high-stakes scientific workflows require deterministic architectural boundaries to ensure authorization security in agentic AI, because training-based defenses cannot guarantee command–data separation when inputs can be adversarial. It introduces the Trinity Defense Architecture, comprising Action Governance, Information-Flow Control, and Privilege Separation, to enforce unforgeable provenance and mediated, auditable tool use via a small trusted computing base. The authors formalize the limitations of learned separation, present a minimal instantiation (FAC + Policy + Trace), and propose rigorous evaluation criteria and epistemological justification for architectural mediation as essential for trustworthy AI in science. They also discuss epistemic integrity, potential objections, and a path forward through aGLP standards to promote reproducibility and verifiability in agentic scientific work. The practical impact is a clearly defined security architecture that can be implemented to prevent unauthorized actions and leakage, enabling safer deployment of agentic AI in high-stakes research contexts while preserving epistemic traceability.

Abstract

Current agentic AI architectures are fundamentally incompatible with the security and epistemological requirements of high-stakes scientific workflows. The problem is not inadequate alignment or insufficient guardrails, it is architectural: autoregressive language models process all tokens uniformly, making deterministic command--data separation unattainable through training alone. We argue that deterministic, architectural enforcement, not probabilistic learned behavior, is a necessary condition for trustworthy AI-assisted science. We introduce the Trinity Defense Architecture, which enforces security through three mechanisms: action governance via a finite action calculus with reference-monitor enforcement, information-flow control via mandatory access labels preventing cross-scope leakage, and privilege separation isolating perception from execution. We show that without unforgeable provenance and deterministic mediation, the ``Lethal Trifecta'' (untrusted inputs, privileged data access, external action capability) turns authorization security into an exploit-discovery problem: training-based defenses may reduce empirical attack rates but cannot provide deterministic guarantees. The ML community must recognize that alignment is insufficient for authorization security, and that architectural mediation is required before agentic AI can be safely deployed in consequential scientific domains.
Paper Structure (25 sections, 2 theorems, 1 equation, 1 figure)

This paper contains 25 sections, 2 theorems, 1 equation, 1 figure.

Table of Contents

  1. Introduction
  2. The Lethal Trifecta
  3. Threat Model and Security Goal
  4. Three Claims
  5. Threat Landscape
  6. Privilege Escalation via Prompt Injection
  7. Memory Leakage via Shared State
  8. Multi-Modal Bypass
  9. The challenges of Learned Separation
  10. What Command--Data Separation Requires
  11. Why Transformers Cannot Provide Unforgeable Separation by Training Alone
  12. Proof sketch.
  13. The Trinity Defense Architecture
  14. Action Governance
  15. Interpretation.
  16. ...and 10 more sections

Key Result

Theorem 3.3

Consider an agentic system in which (i) trusted instructions and untrusted content are presented to an LLM through a single token stream, and (ii) the system's decision to treat any substring as command versus data is based only on token content and model-internal computation (i.e., no channel-bound

Figures (1)

  • Figure 1: The Trinity Imperative for Trustworthy Agentic AI. (a) Current LLM agents fail security because uniform token processing erases the command–data boundary, making learned defenses forgeable. (b) This failure, combined with the "Lethal Trifecta" of untrusted inputs, privileged data access, and external action capabilities, turns authorization security into an exploit-discovery problem in the absence of deterministic mediation. (c) The proposed "Trinity Defense" establishes deterministic architectural boundaries through Action Governance, Information-Flow Control, and Privilege Separation to provide verifiable authorization security.

Theorems & Definitions (5)

  • Definition 3.1: Command--Data Separation
  • Definition 3.2: Channel-Bound Provenance Metadata
  • Theorem 3.3: No Unforgeable Separation from Content Alone
  • Remark 3.4: What this does and does not claim
  • Theorem 4.1: Security of Command Gate