Papers
Topics
Authors
Recent
Search
2000 character limit reached

Deontic Policies for Runtime Governance of Agentic AI Systems

Published 17 Jun 2026 in cs.AI and cs.MA | (2606.19464v1)

Abstract: Autonomous agentic AI systems driven by LLMs introduce a new class of security, privacy, and compliance challenges: an agent that can invoke tools, manipulate data, install software, and coordinate with peer agents across organizational boundaries must be constrained not just by authentication and access control, but by the full structure of enterprise governance. This includes specifying what agents are permitted and prohibited from doing, what they areobliged to do after certain actions (e.g., notify the CISO), under what conditions a standing obligation may be waived, and which rules take precedence when policies conflict. This governance problem exceeds what current policy engines provide. Systems such as XACML, Rego, and Cedar address only the permit/prohibit subset of this governance structure. They do not provide obligation lifecycle management, meta-policy conflict resolution, dispensations that waive obligations in specific circumstances, and ontological reasoning over domain class hierarchies commonly found in applications such as healthcare, cybersecurity, or data privacy. We propose AgenticRei, which realizes key governance requirements such as obligations, dispensations, policy conflict resolutions, and reasoning over policies, as well as the basic permit/prohibit constraints. We use a deontic policy language built on the Rei framework, expressed as OWL (Web Ontology Language) and evaluated at runtime by a high-performance logic engine entirely outside the LLM. The same pipeline governs both tool invocations by the agent and agent-to-agent messages. We show through examples that deontic policies capture governance constraints around security and privacy that mostly cannot be expressed in current production engines. Our approach composes naturally with industry-standard frameworks like A2AS.

Summary

  • The paper presents AgenticRei, a framework using deontic policies for runtime governance of agentic AI systems with sub-10ms query latency.
  • It details a methodology that integrates obligations, principled conflict resolution, and ontology grounding to address the limits of traditional ABAC systems.
  • Findings underscore enhanced cross-organizational trust and auditable compliance, providing a robust foundation for secure enterprise AI deployments.

Deontic Policy Frameworks for Agentic AI Governance

Motivation and Governance Challenges

Deployment of agentic AI systems, primarily orchestrated by LLM-driven planners, fundamentally alters enterprise governance, security, and compliance requirements. These agent frameworks can autonomously invoke external tools, manipulate data, install software, and coordinate multi-agent workflows, introducing non-determinism and operational risk that conventional static guardrails or ABAC/allow-deny policy engines cannot address. The consensus in both cyber policy advisories and industry frameworks (A2AS, Agent Governance Toolkit, MCP policy gateways) is the necessity to enforce governance at the deterministic action boundary, decoupled from the LLM's internal reasoning, to guarantee runtime compliance (2606.19464).

Deontic Policy Requirements

Analysis of real-world regulatory instruments, standards (AIUC-1, NIST AI RMF), and emerging enterprise deployments reveals four governance requirements that flat-list/ABAC engines (e.g., Rego, Cedar, OPA) are structurally incapable of expressing:

  1. Obligations: Attach behavioral duties (e.g., mandatory logging, CISO notification) to permitted actions, rather than mere access decisions. Current engines lack native obligation constructs and rely on ad hoc workaround rules.
  2. Principled Conflict Resolution: Require explicit, auditable policy meta-prioritization when rules from different authorities conflict, not heuristic evaluation-order or integer-weight fields. Deontic frameworks support meta-policy objects (e.g., Rei’s metapolicy:RulePriority).
  3. Semantic Grounding via Ontology: Enforcement must reason over evolving domain class hierarchies. Policies expressed at the ontology class level automatically cover all subclasses, eliminating brittle enumeration.
  4. Cross-Authority Trust and Delegation: Trust relationships and credential verification for agent actions must be policy-expressed (not hard-coded). Dynamic cross-domain composition is essential in multi-organizational settings.

AgenticRei Architecture and Enforcement Model

AgenticRei operationalizes a deontic policy language (built on Rei and OWL/RDF semantics), used for runtime enforcement at the action boundary. The enforcement architecture consists of:

  • TripleExtractor: Intercepts invocation/tool-call or agent-to-agent (A2A) messages, extracting structured ⟨subject, action, resource⟩ triples with accompanying credentials.
  • PolicyEngine: Evaluates triples against Rei-encoded policies and pluggable ontologies with reasoning (RDFox, OWL/RDFS entailment). Returns PERMIT, PROHIBIT, or DEFAULT-DENY, along with attached obligations.
  • Middleware and Audit: Allows execution or blocks with structured violation feedback. Obligations are registered and tracked; decisions are serialized with audit logs including policy KB hashes, credential issuers, and rule provenance.

Empirical measurements indicate sub-10ms latency per query, meeting production sync-action interception requirements.

Policy Modalities and Compositional Expressivity

AgenticRei policies leverage four deontic modalities:

  • Permissions and Prohibitions: Expressed in OWL; direct equivalents to allow/deny.
  • Obligations: Attached to permissions via deontic:provision, enforcing behavioral constraints (e.g., CISO notification upon software install).
  • Dispensations: Waive obligations under specific conditions (e.g., exempt counterparty in financial context).
  • Meta-Policy Priority: Explicit semantic resolution for conflicting rules, governed via named meta-policy objects.

Policy examples in the paper demonstrate:

  • Class-level prohibitions automatically extending to all ontology subclasses.
  • Obligations firing on permitted actions, deterministically tracked and auditable.
  • Credential-gated permissions, with trusted issuer IRIs embedded in policy.
  • Cross-policy meta-resolution and auditability, addressing authority creep and diffuse accountability.

Threat Model and Enforcement Scope

AgenticRei enforces deterministic, policy-driven action boundary governance. It is robust against prompt injection and rogue agent behavior at the invocation level, always producing a policy violation or obligation issuance. Defensive scope does not include the agent's reasoning layer, nor detection of adversarial manipulation, but instead analogizes to mandatory access control in OS kernels: enforce at the action, not the reasoning.

Obligation discharge and evidence-based validation (VCs) are tracked for compliance; ongoing work aims at machine-verifiable audit closure and transparent organizational obligation lifecycle management.

AgenticRei builds on and extends the Rei framework 10, 32 and leverages Semantic Web formalisms for ontology-based reasoning. Closely related recent architectures include:

  • SEAgent (ABAC enforcement, privilege escalation) [33].
  • Veriguard (behavioral policy synthesis/verification) [36].
  • Progent, AgentSpec, PCAS (privilege control, trigger-predicate DSL, Datalog enforcement) [37, 38, 39].
  • MI9 (multi-layer agent telemetry, conformance, FSM checking) [40].

These do not deliver the compositional deontic modalities, meta-policy prioritization, and ontology-grounded reasoning that AgenticRei provides. Industry frameworks (A2AS, OPA, Cedar, OpenFGA) are limited to deterministically external action enforcement but lack obligations, dispensations, or meta-policy constructs.

Implications, Future Directions, and Open Challenges

AgenticRei demonstrates that runtime governance requirements for agentic systems—obligations, conflict resolution, ontological extension, and credential-driven trust—can be realized with OWL/RDF deontic policies, evaluated at millisecond latency and decoupled from LLM reasoning. The framework synergizes with cryptographic credential infrastructures (A2AS, MCP) for secure cross-organizational agent interaction.

Key open problems include:

  • Federated policy delegation and per-authority update protocols, needed for scalable policy base evolution and authority creep prevention.
  • Bridging standards-to-runtime translation: formalizing automated (possibly LLM-assisted) policy authoring pipelines with formal verification and conflict analysis.
  • Obligation lifecycle governance, leveraging VC data models for machine-verifiable discharge records to ensure non-reproducible decision chains are auditable.
  • Integration of policy-authoring tools and static policy quality control to lower adoption barriers.

Conclusion

The deontic policy language and AgenticRei runtime governance framework address essential compliance, security, and privacy requirements in agentic AI systems that are inexpressible in existing ABAC or allow-deny engines. The separation of permission and obligation, compositional ontology reasoning, auditable conflict-resolution, and credential-driven trust establishment are necessary for runtime enforcement in production, open agentic environments. Ongoing research seeks to operationalize standards-to-runtime translation, federated policy bases, and formal obligation discharge with verifiable credentials, supporting robust, deterministic, machine-verifiable governance in agent-driven enterprise systems (2606.19464).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 4 tweets with 2 likes about this paper.