Papers
Topics
Authors
Recent
Search
2000 character limit reached

Organizational Control Layer: Governance Infrastructure at the Execution Boundary of LLM Agent Systems

Published 3 Jun 2026 in cs.MA | (2606.04306v1)

Abstract: LLM-based agents are increasingly deployed in workflows where generated outputs may directly trigger state-changing actions. This creates an execution-boundary problem: proposed actions must be governed before they are executed. We study this problem through economically consequential multi-agent interactions and argue that deployment-grade agent systems should separate proposal generation from environment-facing execution. To operationalize this principle, we introduce the Organizational Control Layer (OCL), a model-agnostic governance infrastructure that intercepts generated actions before execution through policy enforcement and escalation, without modifying the underlying LLM generator. We evaluate OCL on adversarial buyer--seller negotiation environments adapted from AgenticPay. Across multiple frontier LLM backends, OCL reduces unsafe executions from 88% to near-zero while increasing valid success from 12% to 96%. Results further reveal a safety--utility tradeoff: strict governance improves compliance and reliability against policy and constraint violations, but can reduce flexibility in tightly constrained markets. These findings suggest that deployment-grade LLM agent systems require explicit governance at the boundary between language generation and executable actions. The source code is available at: https://github.com/SHITIANYU-hue/amai_ocl

Summary

  • The paper introduces OCL as a governance layer that intercepts raw LLM proposals and enforces deterministic policy constraints before execution.
  • It employs role, gate, escalation, and audit policies, with experiments reducing unsafe execution from 88% to 0% and raising valid success to 96%.
  • Empirical results show reduced negotiation rounds, decreased latency, and robust threat interception across multiple LLM backends.

Organizational Control Layer: Governance Infrastructure at the Execution Boundary of LLM Agent Systems

Motivating the Execution Boundary Problem in LLM-based Multi-Agent Systems

LLM-driven agents are increasingly deployed as autonomous intermediaries in economically consequential workflows, such as e-commerce, product negotiations, customer support actions, and tool-enabled platform operations. In these environments, the raw language outputs of LLM agents may result in direct state-altering actions, including automated pricing, refunds, inventory adjustments, and policy commitments. The decoupling of language generation and action-execution introduces a critical execution boundary: platform operators must ensure that suggested actions are authorized and compliant before triggering real changes.

Prior research in agent collaboration has primarily focused on inter-agent reasoning, error diagnosis, and internal communication. However, robust deployment requires that all environment-facing agent actions are subject to explicit operational control, especially in the presence of hidden economic constraints, adversarial personas, and complex institutional policies. The lack of such controls has been shown to yield catastrophic safety failures, such as violating monetary limits, disclosing sensitive information, committing unauthorized refunds, and breaching compliance protocols. Figure 1

Figure 1: The risk-aware multi-agent e-commerce system features real-time detection of suspicious behaviors, automated compliance checks, and continuous risk assessment, routing low-risk users to automation and high-risk cases to human operators, with closed-loop feedback for continual policy adaptation.

The Organizational Control Layer Architecture

The Organizational Control Layer (OCL) is introduced as a model-agnostic, pluggable governance interface positioned between action generation and platform-side execution. OCLโ€™s central function is to intercept raw agent proposals, apply multi-stage deterministic policy enforcement, and only permit safe, authorized, and auditable actions to affect the environment. Architecturally, OCL is decomposed into the following policy modules:

  • Role Policy (ฯ€role\pi_\mathrm{role}): Restricts which agent(s) are authorized to propose, revise, or approve specific decisions, mapping organizational roles to platform authority boundaries.
  • Gate Policy (ฯ€gate\pi_\mathrm{gate}): Implements constraint checking over all observable (but possibly partial) information, enforcing monetary limits, policy compliance, privacy filters, and risk conditions.
  • Escalation Policy (ฯ€escalate\pi_\mathrm{escalate}): Routes proposed actions that cannot be approved or safely revised to higher-authority review, human-in-the-loop, or privileged modules with access to hidden constraints.
  • Audit Policy (ฯ€audit\pi_\mathrm{audit}): Systematically records all proposals, constraint violations, control outcomes, and escalations for post-hoc traceability and governance compliance. Figure 2

    Figure 2: OCL intercepts agent-generated actions for constraint checking, approving, revising, or escalating as needed before execution, with all outcomes auditable.

OCL enforces a stateful mediation protocol. At each interaction step, the agent proposal is parsed and checked against the visible constraint set; safe actions are executed, unsafe actions are deterministically revised or blocked, and indeterminate proposals are escalated. All outcomes are systematically logged for system transparency.

Governance as Pre-Execution Mediation: Experimental Framework

The empirical evaluation operationalizes OCL on a comprehensive adversarial negotiation benchmark, leveraging a real-world corpus of buyer-seller transcripts to derive behavioral blueprints and failure modes commonly observed in e-commerce. Five adversarial personas (e.g., Lowballer, Privacy Phisher, Role Hijacker, Vague Shopper, Time Waster) are systematically simulated using prompt-driven LLM persona synthesis conditioned on observable and private task parameters.

The core environment is based on AgenticPay, with each negotiation episode instantiated as an economic multi-agent task:

T=โŸจS,{Ai}i=1N,C,U,EโŸฉ,\mathcal{T} = \langle \mathcal{S}, \{\mathcal{A}_i\}_{i=1}^N, \mathcal{C}, \mathcal{U}, \mathcal{E} \rangle,

allowing rigorous enforcement and evaluation of both hard and soft constraints with observable and hidden components.

Strong compositional baselines are run with and without OCL wrapping, across multiple LLM generator backends (GPT-5.4, Gemini-3.1, Qwen-3.5). The experimental design encompasses paired seed initialization, strict JSON action serialization and parsing, deterministic constraint checking, and real-time audit event generation. All unsafe proposals trigger deterministic revision (clamping to the nearest feasible action) or escalation, consistent with operational platform risk controls.

Numerical Analysis: Safety, Robustness, and Economic Efficiency

OCLโ€™s intervention yields pronounced improvements in both structural safety and operational transparency, establishing a strict boundary between natural language proposal and platform-side effectuation. Across 50 adversarial negotiation episodes:

  • Baseline end-to-end LLM agents display unsafe execution rates of 88%, with only 12% of task completions being structurally valid under all constraints.
  • In contrast, OCL-wrapped systems drive unsafe execution to 0% and elevate valid success to 96%, strictly eliminating all 205 constraint breaches observed in the baseline across adversarial episodes.
  • The OCL framework intercepted 52 distinct adversarial threats and deterministically resolved 48 escalations with no environment-facing violations.

Further, OCL reduces mean negotiation rounds from 5.36 to 2.58 and mean episode latency from 38.75s to 18.51s, reflecting the removal of infeasible negotiation cycles via immediate deterministic replanning. Audit event density increased, enhancing post-hoc interpretability without adverse latency impact.

Cross-model results demonstrate that OCLโ€™s constraint satisfaction and threat interception generalize robustly, yielding 94% intercept rate (GPT-5.4), 82% (Gemini-3.1), 60% (Qwen-3.5), with consistently high (>96%) task success, proving the decoupling of safety enforcement from backbone model idiosyncrasies.

Scenario Granularity and Security-Utility Trade-off

Evaluation across diverse economic conditions (easy/wide-margin, default, tight-feasibility, high-anchor, short-horizon) reveals that OCLโ€™s utility is maximized under partial-observation and stringent negotiation deadlines. In scenarios with tight feasible intervals and adversarial anchoring, OCLโ€™s strict constraint gates limit aggressive response-space exploration, slightly reducing success rates in edge-cases. This marked security-utility trade-off is fundamental to the architecture and points to the necessity for adaptive, context-aware constraint policies, especially as governance is extended to roles beyond seller agents and transferred to other verticals (auctions, dispute resolution, policy arbitration).

Implications and Perspectives

The introduction of OCL codifies the necessity of a robust, model-agnostic, auditable execution boundary in LLM-agent platforms. Its capacity to decouple proposal and execution not only eliminates prominent safety failure classes but also establishes high-resolution traceability aligned with organizational and regulatory requirements. The observed hard trade-off between flexibility and compliance is intrinsic to governance architectures; future research must explore adaptive gating, escalation personalization, and domain transfer. As LLM agents become more proactive and autonomous, especially in institutional and mission-critical settings, organizational control at the execution boundary is not optionalโ€”it is foundational for reliable system deployment.

Conclusion

This work establishes the Organizational Control Layer as an essential operational primitive for LLM agent environments. OCL systematically reduces risk exposure, guarantees compliance, and enforces strict auditability at the critical execution interfaceโ€”without constraining upstream generative flexibility. The structural separation advocatedโ€”and empirically validatedโ€”in this framework is required for deployment-grade multi-agent AI platforms that interact with complex, economically-significant environments (2606.04306).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.