
Policy Compiler for Secure Agentic Systems

Nils Palumbo, Sarthak Choudhary, Jihye Choi, Prasad Chalasani, Somesh Jha

TL;DR

PCAS takes an existing agent implementation and a policy specification, and compiles them into an instrumented system that is policy-compliant by construction, with no security-specific restructuring required, and improves policy compliance from 48% to 93% across frontier models.

Abstract

LLM-based agents are increasingly being deployed in contexts requiring complex authorization policies: customer service protocols, approval workflows, data access restrictions, and regulatory compliance. Embedding these policies in prompts provides no enforcement guarantees. We present PCAS, a Policy Compiler for Agentic Systems that provides deterministic policy enforcement. Enforcing such policies requires tracking information flow across agents, which linear message histories cannot capture. Instead, PCAS models the agentic system state as a dependency graph capturing causal relationships among events such as tool calls, tool results, and messages. Policies are expressed in a Datalog-derived language, as declarative rules that account for transitive information flow and cross-agent provenance. A reference monitor intercepts all actions and blocks violations before execution, providing deterministic enforcement independent of model reasoning. PCAS takes an existing agent implementation and a policy specification, and compiles them into an instrumented system that is policy-compliant by construction, with no security-specific restructuring required. We evaluate PCAS on three case studies: information flow policies for prompt injection defense, approval workflows in a multi-agent pharmacovigilance system, and organizational policies for customer service. On customer service tasks, PCAS improves policy compliance from 48% to 93% across frontier models, with zero policy violations in instrumented runs.

Paper Structure (115 sections, 8 equations, 4 figures, 7 tables, 1 algorithm)

Figures (4)

  • Figure 1: PCAS overview. (a) The instrumentation layer intercepts messages, tool calls, and HTTP requests. The reference monitor queries the policy engine, passing the action, identity, and roles, which evaluates Datalog rules against the dependency graph from the observability service. (b) Authorized actions are executed and recorded; denied actions return structured feedback to the agent.
  • Figure 2: Information flow policies for prompt injection defense. (a) Bell-LaPadula MLS enforces clearance-based read/write restrictions. (b) Toxic flow tracks taint through the dependency graph to block exfiltration when untrusted and sensitive data combine.
  • Figure 3: Policy enforcement example from the $\tau^2$-bench airline domain. Left: A customer requests flight cancellation due to an accidental booking. The agent attempts to call cancel_reservation, but PCAS blocks the action based on the policy. After receiving structured feedback, the agent recovers by offering compliant alternatives. Middle: The natural language policy specifying covered cancellation reasons is translated to Datalog rules that define CoveredReason facts and a Denied rule. Right: The policy engine evaluates the action against the causal context, determines the reason is not covered, and returns a denial with explanatory feedback.
  • Figure 4: Task success rates ($\text{pass}^k$) on $\tau^2$-bench tasks. The $\text{pass}^k$ metric measures the probability that $k$ randomly sampled trials all succeed, capturing consistency rather than single-shot performance. PCAS-instrumented agents (solid lines) consistently outperform non-instrumented baselines (dashed lines) across all values of $k$, demonstrating that enforcement improves compliance without degrading task completion.
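The abstract and the captions for Figures 2 and 3 describe the same mechanism from two angles: events are nodes in a dependency graph, provenance is the transitive closure over dependency edges, and Datalog-style Denied rules are evaluated against that closure by a reference monitor before an action executes. The following is an added example illustrating that mechanism in plain Python; it is not PCAS's own code or policy language. Only cancel_reservation, CoveredReason and Denied come from the page. The CoveredReason facts, the other tool names (get_reservation, fetch_url, http_post, send_email), the label names "untrusted" and "sensitive", and the transcript events are constructed assumptions for this example.

```python
"""Dependency-graph reference monitor (added example, not PCAS's implementation).

Events (messages, tool calls, tool results) are graph nodes; `deps` edges record
which earlier events an event was derived from. Two Datalog-style rules are
checked before an action runs:
  uncovered_cancellation: Denied(A) :- ToolCall(A, cancel_reservation, R),
                          not CoveredReason(R).                    (cf. Figure 3)
  toxic_flow:             Denied(A) :- ExternalSink(A), Reaches(U, A), Untrusted(U),
                          Reaches(S, A), Sensitive(S).            (cf. Figure 2b)
The CoveredReason facts, tool names other than cancel_reservation, and the
label names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass
class Event:
    eid: str
    kind: str                                   # "message" | "tool_call" | "tool_result"
    attrs: Dict[str, str] = field(default_factory=dict)
    deps: Tuple[str, ...] = ()                  # ids of events this one derives from
    labels: FrozenSet[str] = frozenset()        # taint attached at the data's source


class DependencyGraph:
    def __init__(self) -> None:
        self.events: Dict[str, Event] = {}

    def record(self, ev: Event) -> None:
        missing = [d for d in ev.deps if d not in self.events]
        if missing:
            raise KeyError(f"unknown dependencies {missing}")
        self.events[ev.eid] = ev

    def reaches(self, roots: Iterable[str]) -> Set[str]:
        """Transitive provenance: every recorded event that fed into `roots`."""
        seen: Set[str] = set()
        stack = list(roots)
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self.events[cur].deps)
        return seen

    def taint(self, ev: Event) -> Set[str]:
        """Labels on the event itself plus on everything in its provenance."""
        labs = set(ev.labels)
        for eid in self.reaches(ev.deps):
            labs |= self.events[eid].labels
        return labs


# Datalog-style facts. Constructed for the example; the real policy text is not on this page.
COVERED_REASON = {"airline_cancelled", "medical_emergency"}
EXTERNAL_SINK = {"send_email", "http_post"}  # tools whose output leaves the system (assumed)


def denied(graph: DependencyGraph, action: Event) -> Optional[dict]:
    """Evaluate the Denied rules; return structured feedback, or None if allowed."""
    tool = action.attrs.get("tool")
    if tool == "cancel_reservation":
        reason = action.attrs.get("reason")
        if reason not in COVERED_REASON:
            return {"rule": "uncovered_cancellation", "reason": reason,
                    "covered_reasons": sorted(COVERED_REASON)}
    if tool in EXTERNAL_SINK:
        labs = graph.taint(action)
        if {"untrusted", "sensitive"} <= labs:   # both taints meet at an external sink
            return {"rule": "toxic_flow", "labels": sorted(labs),
                    "sources": sorted(graph.reaches(action.deps))}
    return None


def authorize(graph: DependencyGraph, action: Event) -> Tuple[bool, Optional[dict]]:
    """Reference monitor: decide before execution; record only authorized actions."""
    verdict = denied(graph, action)
    if verdict is not None:
        return False, {"denied_action": action.eid, **verdict}
    graph.record(action)
    return True, None


def demo() -> dict:
    """Constructed transcript exercising both rules."""
    g = DependencyGraph()
    g.record(Event("m1", "message", {"text": "Please cancel, I booked by accident"},
                   labels=frozenset({"untrusted"})))
    cancel_ok, cancel_fb = authorize(g, Event(
        "c1", "tool_call", {"tool": "cancel_reservation", "reason": "accidental_booking"},
        deps=("m1",)))
    g.record(Event("t1", "tool_result", {"tool": "get_reservation"}, labels=frozenset({"sensitive"})))
    g.record(Event("t2", "tool_result", {"tool": "fetch_url"}, labels=frozenset({"untrusted"})))
    g.record(Event("m2", "message", {"text": "summary"}, deps=("t1", "t2")))  # agent merges both
    exfil_ok, exfil_fb = authorize(g, Event("p1", "tool_call", {"tool": "http_post"}, deps=("m2",)))
    clean_ok, _ = authorize(g, Event("p2", "tool_call", {"tool": "http_post"}, deps=("t2",)))
    return {"cancel": (cancel_ok, cancel_fb), "exfil": (exfil_ok, exfil_fb), "clean": clean_ok,
            "recorded": sorted(g.events)}


if __name__ == "__main__":
    print(demo())
```

Two properties of this shape are worth noting. First, the toxic-flow rule fires on p1 even though the agent's intermediate message m2 carries no labels of its own: taint is a property of provenance, not of the text, so rewording or summarizing sensitive content does not launder it, which is exactly what a linear message history cannot express. Second, the denied action c1 is never recorded in the graph, and the feedback names the rule and the covered reasons, giving the agent something concrete to recover from, as in the Figure 3 trace.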