- The paper presents AgenticRei, a framework using deontic policies for runtime governance of agentic AI systems with sub-10ms query latency.
- It details a methodology that integrates obligations, principled conflict resolution, and ontology grounding to address the limits of traditional ABAC systems.
- Findings underscore enhanced cross-organizational trust and auditable compliance, providing a robust foundation for secure enterprise AI deployments.
Deontic Policy Frameworks for Agentic AI Governance
Motivation and Governance Challenges
Deployment of agentic AI systems, primarily orchestrated by LLM-driven planners, fundamentally alters enterprise governance, security, and compliance requirements. These agent frameworks can autonomously invoke external tools, manipulate data, install software, and coordinate multi-agent workflows, introducing non-determinism and operational risk that conventional static guardrails or ABAC/allow-deny policy engines cannot address. The consensus in both cyber policy advisories and industry frameworks (A2AS, Agent Governance Toolkit, MCP policy gateways) is the necessity to enforce governance at the deterministic action boundary, decoupled from the LLM's internal reasoning, to guarantee runtime compliance (2606.19464).
Deontic Policy Requirements
Analysis of real-world regulatory instruments, standards (AIUC-1, NIST AI RMF), and emerging enterprise deployments reveals four governance requirements that flat-list/ABAC engines (e.g., Rego, Cedar, OPA) are structurally incapable of expressing:
- Obligations: Attach behavioral duties (e.g., mandatory logging, CISO notification) to permitted actions, rather than mere access decisions. Current engines lack native obligation constructs and rely on ad hoc workaround rules.
- Principled Conflict Resolution: Require explicit, auditable policy meta-prioritization when rules from different authorities conflict, not heuristic evaluation-order or integer-weight fields. Deontic frameworks support meta-policy objects (e.g., Rei’s
metapolicy:RulePriority).
- Semantic Grounding via Ontology: Enforcement must reason over evolving domain class hierarchies. Policies expressed at the ontology class level automatically cover all subclasses, eliminating brittle enumeration.
- Cross-Authority Trust and Delegation: Trust relationships and credential verification for agent actions must be policy-expressed (not hard-coded). Dynamic cross-domain composition is essential in multi-organizational settings.
AgenticRei Architecture and Enforcement Model
AgenticRei operationalizes a deontic policy language (built on Rei and OWL/RDF semantics), used for runtime enforcement at the action boundary. The enforcement architecture consists of:
- TripleExtractor: Intercepts invocation/tool-call or agent-to-agent (A2A) messages, extracting structured ⟨subject, action, resource⟩ triples with accompanying credentials.
- PolicyEngine: Evaluates triples against Rei-encoded policies and pluggable ontologies with reasoning (RDFox, OWL/RDFS entailment). Returns PERMIT, PROHIBIT, or DEFAULT-DENY, along with attached obligations.
- Middleware and Audit: Allows execution or blocks with structured violation feedback. Obligations are registered and tracked; decisions are serialized with audit logs including policy KB hashes, credential issuers, and rule provenance.
Empirical measurements indicate sub-10ms latency per query, meeting production sync-action interception requirements.
Policy Modalities and Compositional Expressivity
AgenticRei policies leverage four deontic modalities:
- Permissions and Prohibitions: Expressed in OWL; direct equivalents to allow/deny.
- Obligations: Attached to permissions via
deontic:provision, enforcing behavioral constraints (e.g., CISO notification upon software install).
- Dispensations: Waive obligations under specific conditions (e.g., exempt counterparty in financial context).
- Meta-Policy Priority: Explicit semantic resolution for conflicting rules, governed via named meta-policy objects.
Policy examples in the paper demonstrate:
- Class-level prohibitions automatically extending to all ontology subclasses.
- Obligations firing on permitted actions, deterministically tracked and auditable.
- Credential-gated permissions, with trusted issuer IRIs embedded in policy.
- Cross-policy meta-resolution and auditability, addressing authority creep and diffuse accountability.
Threat Model and Enforcement Scope
AgenticRei enforces deterministic, policy-driven action boundary governance. It is robust against prompt injection and rogue agent behavior at the invocation level, always producing a policy violation or obligation issuance. Defensive scope does not include the agent's reasoning layer, nor detection of adversarial manipulation, but instead analogizes to mandatory access control in OS kernels: enforce at the action, not the reasoning.
Obligation discharge and evidence-based validation (VCs) are tracked for compliance; ongoing work aims at machine-verifiable audit closure and transparent organizational obligation lifecycle management.
AgenticRei builds on and extends the Rei framework 10, 32 and leverages Semantic Web formalisms for ontology-based reasoning. Closely related recent architectures include:
- SEAgent (ABAC enforcement, privilege escalation) [33].
- Veriguard (behavioral policy synthesis/verification) [36].
- Progent, AgentSpec, PCAS (privilege control, trigger-predicate DSL, Datalog enforcement) [37, 38, 39].
- MI9 (multi-layer agent telemetry, conformance, FSM checking) [40].
These do not deliver the compositional deontic modalities, meta-policy prioritization, and ontology-grounded reasoning that AgenticRei provides. Industry frameworks (A2AS, OPA, Cedar, OpenFGA) are limited to deterministically external action enforcement but lack obligations, dispensations, or meta-policy constructs.
Implications, Future Directions, and Open Challenges
AgenticRei demonstrates that runtime governance requirements for agentic systems—obligations, conflict resolution, ontological extension, and credential-driven trust—can be realized with OWL/RDF deontic policies, evaluated at millisecond latency and decoupled from LLM reasoning. The framework synergizes with cryptographic credential infrastructures (A2AS, MCP) for secure cross-organizational agent interaction.
Key open problems include:
- Federated policy delegation and per-authority update protocols, needed for scalable policy base evolution and authority creep prevention.
- Bridging standards-to-runtime translation: formalizing automated (possibly LLM-assisted) policy authoring pipelines with formal verification and conflict analysis.
- Obligation lifecycle governance, leveraging VC data models for machine-verifiable discharge records to ensure non-reproducible decision chains are auditable.
- Integration of policy-authoring tools and static policy quality control to lower adoption barriers.
Conclusion
The deontic policy language and AgenticRei runtime governance framework address essential compliance, security, and privacy requirements in agentic AI systems that are inexpressible in existing ABAC or allow-deny engines. The separation of permission and obligation, compositional ontology reasoning, auditable conflict-resolution, and credential-driven trust establishment are necessary for runtime enforcement in production, open agentic environments. Ongoing research seeks to operationalize standards-to-runtime translation, federated policy bases, and formal obligation discharge with verifiable credentials, supporting robust, deterministic, machine-verifiable governance in agent-driven enterprise systems (2606.19464).