- The paper introduces LBAC, a unified model that leverages static typing to enforce strict behavior policies in agent systems.
- It employs type systems to encode security policies, ensuring compositional policy adherence and preventing side effects in agent-generated code.
- Empirical results with the TypeGuard prototype show LBAC’s comparable utility and robust resistance to prompt injection attacks.
Language-Based Agent Control: A Programming Model for Secure, Expressive Agentic Systems
Introduction and Motivation
"Language-Based Agent Control" (2605.12863) introduces a unified programming model (LBAC) for the construction of agentic applications that reconciles two fundamental properties: strong enforceable control over agent behavior, and the retention of high expressiveness. Existing LLM agent frameworks typically require sacrificing one for the other—either providing restrictive tool APIs for safety or unconstrained sandboxed interpreters for expressiveness, with problematic security and policy coverage gaps. LBAC leverages established programming language theory—specifically, the enforcement of application- and system-level invariants through static typing and language-based security—to generalize agent control and guarantee compositional policy adherence even as agentic systems become more complex.
Core LBAC Model
The central tenet of LBAC is that all agent-generated behavior, developer scaffolding, and ambient library code exist within a unified, statically-typed, pure functional programming environment. Specifically, the prototype system TypeGuard is instantiated in Haskell, but the architecture is applicable to any sufficiently expressive typed language. Policies—including capability constraints, information flow restrictions, and data provenance—are encoded as types and effect systems. The key mechanism is that every agent invocation generates code, which must pass the host language's type checker before execution, thereby subjecting all components of the agentic system to uniform, language-level controls.
Figure 1: Overview of the Language-Based Agent Control (LBAC) model, showing the unification of agent-generated, developer, and library code under a shared type system, with type checks enforcing global invariants.
LBAC enables dynamic interleaving of LLM reasoning, tool use, and recursive agent calls, with arbitrary side-effect-free computation and flexible workflow composition. However, all agent-generated code (including recursive subagents) must statically conform to the effect and data flow constraints dictated by the scaffolding and the APIs' type signatures, ensuring that policy enforcement is both fine-grained and closed under composition.
Policy Enforcement through Types
LBAC exploits the semantic strength of pure type systems to enforce a broad spectrum of policies:
- Effect Restriction: By limiting the agent's return type to pure types (such as Int or String), LBAC statically denies all side-effecting behavior, preventing, for example, arbitrary I/O or mutation even in the presence of adversarial or malicious agent-generated code.
- Custom EDSLs for Policy Encoding: By providing agents with a restricted effect type (such as BibIO for BibTeX management, or RIO for filesystem access), only those effects—and only those data flows—explicitly allowed by the EDSL API are expressible by the agent. Abstract data types (e.g., Trusted Bib) further ensure that sensitive operations can only be performed with data of correct provenance.
- Policy Reuse: LBAC is compatible with mature libraries encoding well-established security policies, e.g., the LIO library for information flow control, without modification. Thus, decades of language-based security work are immediately applicable to agentic systems.
Compositionality and Agent Programming
A notable advantage of the LBAC approach is the seamless compositionality afforded by embedding agents as ordinary functions. Higher-order functional constructs—including recursion and type inference—allow agents to be plugged into existing data-processing combinators, and type information automatically propagates to agent invocations, guiding LLM code synthesis toward the intended behavior. Recursive agent patterns are naturally realized; recursive subagents inherit the parent agent's type-based restrictions, and parents may further restrict (but cannot relax) the policies seen by subagents.
Evaluation Case Studies
Data Provenance
LBAC enables robust guarantees of data provenance. For example, in bibliography generation, all written entries are forced to originate from a trusted source (such as DBLP) by requiring the agent to operate solely over abstract types constructed by trusted library functions. Fabrication of entries, or use of unsafe APIs (e.g., writeFile), is systematically eliminated by the type system.
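A sketch of the restricted effect type and abstract provenance type described under "Policy Enforcement through Types" and in the paragraph above. It is an added example, not code from the paper or from TypeGuard: BibIO, Trusted and Bib are names from the text, while lookupDBLP, writeEntry, runBibIO and the in-memory lookup table are hypothetical.

```haskell
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
module Main (main) where

import Data.Maybe (catMaybes)

-- Policy layer (constructed). As its own module it would export Bib(..),
-- Trusted, BibIO, lookupDBLP, writeEntry and runBibIO, keeping the Trusted
-- and BibIO constructors hidden from agent code.
data Bib = Bib { bibKey :: String, bibTitle :: String }

newtype Trusted a = Trusted a    -- provenance tag
newtype BibIO a = BibIO (IO a)   -- restricted effect: no MonadIO instance
  deriving (Functor, Applicative, Monad)

-- Constructed stand-in for a DBLP query; the only source of Trusted values.
lookupDBLP :: String -> BibIO (Maybe (Trusted Bib))
lookupDBLP k = BibIO (pure (fmap (Trusted . Bib k) (lookup k table)))
  where table = [("lbac", "Language-Based Agent Control")]

-- The only write effect, and it accepts nothing but Trusted entries.
writeEntry :: Trusted Bib -> BibIO ()
writeEntry (Trusted b) =
  BibIO (putStrLn ("@misc{" ++ bibKey b ++ ", title={" ++ bibTitle b ++ "}}"))

runBibIO :: BibIO a -> IO a
runBibIO (BibIO io) = io

-- Agent-generated code: accepted only if it typechecks at this signature.
agent :: [String] -> BibIO Int
agent keys = do
  found <- catMaybes <$> mapM lookupDBLP keys
  mapM_ writeEntry found
  pure (length found)
  -- Rejected when the policy layer is a separate module:
  --   writeEntry (Trusted (Bib "x" "made up"))  -- Trusted not in scope
  -- Rejected in any layout:
  --   writeFile "refs.bib" "made up"            -- IO (), not BibIO ()

main :: IO ()
main = do
  n <- runBibIO (agent ["lbac", "no-such-key"])
  putStrLn (show n ++ " trusted entries written")
```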
Filesystem Sandboxing via Capabilities
The RIO effect type realizes capability-based filesystem access, where opaque path tokens encode authority over specific subtrees. Filesystem operations require such tokens, denying both syntactically and semantically any attempt at unauthorized access, even in the presence of symlink attacks or shell-level privilege escalation attempts. This approach is strictly more expressive than static OS-level sandboxing, supports dynamic authorization/delegation, and eliminates the brittleness inherent to string-based shell command permission systems.
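One way to build the capability tokens described above, as an added example that is not the paper's or TypeGuard's implementation. RIO is the name used in the text; Cap, child, writeCap, readCap, runRIO and the canonicalize-then-prefix check are hypothetical, and the check assumes nothing else modifies the subtree between the check and the file operation.

```haskell
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
module Main (main) where

import Data.List (isPrefixOf)
import Data.Maybe (isJust)
import System.Directory (canonicalizePath, createDirectoryIfMissing, getTemporaryDirectory)
import System.FilePath (isRelative, splitDirectories, (</>))

-- Policy layer (constructed). As a separate module it would export RIO and
-- Cap without constructors, plus child, writeCap, readCap and runRIO.
newtype RIO a = RIO { unRIO :: IO a } deriving (Functor, Applicative, Monad)
newtype Cap = Cap FilePath  -- opaque token: authority over one subtree

-- Attenuation only: absolute names and ".." are refused, and the canonical
-- path (symlinks resolved) must still lie under the parent token.
child :: Cap -> FilePath -> RIO (Maybe Cap)
child (Cap root) name
  | not (isRelative name) || ".." `elem` splitDirectories name = pure Nothing
  | otherwise = RIO $ do
      real <- canonicalizePath (root </> name)
      let inside = splitDirectories root `isPrefixOf` splitDirectories real
      pure (if inside then Just (Cap real) else Nothing)

writeCap :: Cap -> String -> RIO ()
writeCap (Cap p) = RIO . writeFile p

readCap :: Cap -> RIO String
readCap (Cap p) = RIO (readFile p)

-- The scaffolding mints the root token; agent code never sees a raw path.
runRIO :: FilePath -> (Cap -> RIO a) -> IO a
runRIO root body = do
  createDirectoryIfMissing True root
  canonicalizePath root >>= unRIO . body . Cap

-- Agent-generated code: typechecks only as Cap -> RIO a.
agent :: Cap -> RIO ([Bool], Maybe String)
agent ws = do
  note <- child ws "notes.txt"
  up   <- child ws "../outside.txt"
  abs' <- child ws "/outside.txt"
  mapM_ (`writeCap` "draft") note
  text <- traverse readCap note
  pure (map isJust [note, up, abs'], text)

main :: IO ()
main = do
  tmp <- getTemporaryDirectory
  runRIO (tmp </> "lbac-demo") agent >>= print
```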
LBAC subsumes information flow control strategies exemplified by recent agentic architectures such as CaMeL, GAAP, and Fides. By wrapping agent computation in LIO's effectful context, data labels (confidentiality and integrity) propagate through all agent-managed flows. Notably, LBAC generalizes the dual-LLM pattern: quarantined subagents can interleave tool use without violating label discipline, enabled through runtime label checking (e.g., via toLabeled). This eliminates the need for coarse architectural separation between code and data, permitting more fluid and expressive agent workflows while preserving security guarantees.
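The label discipline described above, reduced to a two-point confidentiality lattice with a floating current label. This is an added mini-model, not the LIO library's API and not code from the paper: only the name toLabeled comes from the text, and Label, Labeled, unlabel, send and the simplified signatures are hypothetical.

```haskell
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
module Main (main) where

import Control.Monad.Trans.Class (lift)
import Control.Monad.Trans.State.Strict (StateT, evalStateT, get, modify, put)

-- Constructed mini-model, not the LIO library's API. As a separate module it
-- would hide the Labeled and LIO constructors from agent code.
data Label = Public | Secret deriving (Eq, Ord, Show)  -- Public may flow to Secret
data Labeled a = Labeled Label a
newtype LIO a = LIO (StateT Label IO a) deriving (Functor, Applicative, Monad)

-- Reading a labeled value raises the current label of the computation.
unlabel :: Labeled a -> LIO a
unlabel (Labeled l a) = LIO (modify (max l)) >> pure a

-- Run a sub-computation, box its result at the label it reached, then
-- restore the caller's label.
toLabeled :: LIO a -> LIO (Labeled a)
toLabeled (LIO m) = LIO $ do
  before <- get
  a <- m
  after <- get
  put before
  pure (Labeled after a)

-- Sink: the write happens only if the current label may flow to the channel.
send :: Label -> String -> LIO Bool
send chan msg = LIO $ do
  cur <- get
  if cur <= chan
    then lift (putStrLn (show chan ++ " <- " ++ msg)) >> pure True
    else pure False

agent :: Labeled String -> LIO (Bool, Bool, Bool)
agent inbox = do
  boxed <- toLabeled $ do              -- quarantined subagent
    body <- unlabel inbox              -- label rises to Secret here only
    send Public ("fwd: " ++ body)      -- refused at run time
  early <- send Public "summary ready" -- parent is still Public
  leaked <- unlabel boxed              -- parent now carries Secret
  late <- send Public "done"           -- refused from here on
  pure (early, leaked, late)

main :: IO ()
main = do
  let LIO m = agent (Labeled Secret "constructed secret")
  evalStateT m Public >>= print
```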
Empirical Results and Comparative Analysis
The paper reports that TypeGuard (LBAC's Haskell instantiation) achieves utility rates comparable to CaMeL on the AgentDojo Slack suite benchmark, both under benign and adversarial (prompt-injection) settings. With information flow control policies enabled, both systems resist all tested injection attacks, with a modest but expected reduction in task utility due to restrictive policies. Notably, confidence intervals for the difference in task completion include zero, indicating no statistically significant performance difference between the two systems in these settings. This outcome directly challenges the assertion that expressiveness and control are fundamentally at odds in LLM agent frameworks.
LBAC generalizes and subsumes prior language-based prompt injection defenses, both static (e.g., Guardians) and runtime (e.g., CaMeL, Fides), avoiding rigid code/data separation and enabling policy-uniform agent systems. Unlike conventional tool-based, string-matching permission and OS sandboxing approaches (as in Claude Code, IsolateGPT, ceLLMate), LBAC achieves higher assurance and flexibility without introducing new attack surfaces or approval fatigue. Existing PL machinery—refinement types, linear/resource types, and information-flow monads—is repurposed for safe agentic computation.
Implications and Future Directions
The LBAC model shifts the paradigm for agentic system design, demonstrating that agent control, security, and expressiveness can all be provided by embedding agents in a carefully constrained host language. This yields practically deployable agent frameworks with rigorous, statically-verified security properties and compositionally enforced policies. The generality of the approach invites application of more advanced type system features in future work:
- Refinement types for richer functional correctness and behavioral properties.
- Linear and graded types for bounding resources, enforcing one-shot actions, and capturing amortized cost models.
- Extensible effect systems for fine-grained, pluggable policy modules.
These avenues suggest that much of the future evolution of agentic systems—especially as they become increasingly complex and interwoven with sensitive infrastructure—will be informed by established programming languages research and formal verification paradigms.
Conclusion
Language-Based Agent Control provides a sound, compositional foundation for secure, expressive agentic systems. By embedding all agentic computation within a statically-typed, pure host language, and encoding policies as types and effects, LBAC achieves uniform enforcement of developer-specified invariants across both developer code and agent-generated programs. The results contest the necessity of the expressiveness-control tradeoff and indicate that language-based paradigms offer robust, extensible, and practically viable solutions to agent security and policy enforcement (2605.12863).