AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents

Published 19 Jun 2026 in cs.CR and cs.OS | (2606.21129v1)

Abstract: Traditional OS security models based on "resource exposure plus permission checks" face structural challenges as LLM-driven autonomous agents acquire capabilities for planning, tool use, network access, and code execution. Once an agent runtime is compromised through prompt injection or malicious tool outputs, an attacker can compose POSIX-style resource primitives into behaviors far beyond the user's task authorization. To address this, we propose AgenticOS, an intent-oriented secure OS architecture that consolidates delegable, auditable software capabilities into OS-native ones rather than replacing all applications. The core insight is to reframe the OS from a "resource manager" into an "intent filter": instead of requesting low-level resources directly, agents submit structured intent declarations, from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. At the implementation level, we introduce a four-layer architecture -- Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway -- together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.

Summary

  • The paper introduces an architecture that reconceptualizes the OS as an intent filter, replacing resource primitives with manifest-bound intents.
  • It establishes a four-layer design, including the Ghost Kernel and Logic Shutter, to ensure formal isolation and robust capability mediation.
  • The approach mitigates risks like prompt injection and supply-chain poisoning by binding agent operations to strictly declared intents and human oversight.

Introduction and Motivation

AgenticOS addresses the structural inadequacies of legacy resource-permission-based operating systems in the context of LLM-driven autonomous agents. As agents routinely perform multi-step planning, external tool invocation, code execution, and complex network interactions, the POSIX model exposes resource primitives (files, network, processes) that create broad, hard-to-audit capabilities. This mismatch between user-authorized task intent and OS-exposed resources undermines efforts to confine agents strictly within user-sanctioned behavioral bounds. Common attacks—including prompt injection, supply-chain poisoning, and protocol abuse—demonstrate that simple reduction in granted permissions is insufficient; the operating system must understand and constrain external effects in line with declared mission intent, not simply resource access.

From Resource Manager to Intent Filter

The core paradigm shift in AgenticOS is the elevation of the OS role from a resource manager to an explicit intent filter. Agents interface with the system through structured declarative “intents” that describe high-level task objectives rather than requesting resource primitives. These intents are encapsulated in per-execution Manifests which serve as the root of all runtime authorization. The OS synthesizes a constrained semantic capability set specifically matched to the manifest, ensuring least privilege and strict containment of agent externalities.

Figure 1: Legacy OS security is permission-centric, granting processes access to resource primitives based on permissions, with limited relation to task semantics.

Figure 2: AgenticOS establishes a semantic boundary, admitting only explicitly declared task intents and enforcing structured mediation.

Under this architecture, the attack surface transitions from exploiting general-purpose system calls to operating under strict, auditable, policy-constrained semantic interfaces. Arbitrary behaviors emergent from the composition of low-level primitives are precluded by design.

AgenticOS Architecture

Four-Layer Design

AgenticOS imposes defense-in-depth via strict vertical decomposition:

  • Ghost Kernel: Minimal, formally-verifiable trusted computing base providing only encrypted memory, deterministic scheduling, and measured attestation roots. No direct runtime service interfaces.
  • Logic Shutter: Mediates all semantic requests, parsing intents, enforcing policy, managing capability tokens, annotating information-flow, and generating comprehensive audit logs.
  • Agent Capsule: Constrained agent runtime, admitting only Manifest-bound, statically-provisioned interface stubs, with the exclusion of POSIX primitives, direct network access, and byte streams.
  • Semantic Boundary Gateway: Hosts protocol endpoints, credentials, and normalizes all external system outputs. Converts authorized intents into tightly controlled external effects, independent of agent-exposed protocol semantics.

Figure 3: The AgenticOS four-layer architecture delineates containment boundaries, mapping semantic requests to external effects under policy control.

This multi-layer model severely restricts lateral movement, privilege escalation, and covert exfiltration by decomposing authority and auditing control points.

Runtime Semantics and Intent Flow

Intents traverse the stack as signed, schema-validated requests. The semantic call flow—capsule to Logic Shutter, policy mediation, token validation, gateway execution, structured response—guarantees that external effects are always matched to manifest-declared intents and dynamically provisioned capabilities.

Figure 4: An end-to-end illustration of an intent request, from agent capsule through Logic Shutter mediation to a normalized external system response.

Manifest-Only Runtime and the Intent ABI

The Manifest-Only Runtime principle underpins AgenticOS containment. All agent-exposable interface stubs are generated at runtime by Weaver, strictly in accordance with the Manifest. No POSIX interfaces such as open, read, write, socket, execve, or fork are ever present in the capsule binary. Each semantic primitive is non-generalizable and labeled by required capability tokens, information-flow tags, and resource budgets.

Notably, capability expansion is one-way: skills and semantic interfaces must be generated statically, reviewed, registered, and signed before admission. Agents cannot obtain new capabilities by runtime composition, reflection, or self-elevation.

Figure 5: The dynamic workflow, linking agent code, Manifest, and policy-checked semantic libraries to ABI stubs, producing the agent’s runtime interface table.

Security Analysis

System-Call Attack Surface Removal

Removal of direct system calls from agent capsules and the radical minimization of Ghost Kernel services (inspired by formally-verified kernels such as seL4) structurally eliminate privilege-escalation vectors typical of container escape and in-kernel resource management bugs. Only minimal, statically provisioned resources are available, and mediation is strictly single-path via the Logic Shutter.

Composition and Capability Attacks

The architecture recognizes that security cannot rely on single-call policies, as interleaving of apparently-benign ABIs may allow for unintended exfiltration or escalation (e.g., call chains linking data fetch, model summarization, artifact upload). The AgenticOS policy engine employs intent-interaction graph analysis, information-flow labeling, and human approval triggers to harden against composition attacks, with runtime behavior baselines and output normalization further constraining adversarial control.
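As an added illustration of the Manifest-Only Runtime and of the composition-attack defense just described (this is example code, not the paper's implementation), the toy Logic Shutter below admits only Manifest-declared, signed intents, charges per-intent resource budgets, and propagates information-flow labels across a call chain so that a fetch, summarize, upload sequence is escalated to the human-approval path when confidential data would reach an external sink. The manifest schema, label names, HMAC signing and verdict strings are this example's assumptions.

```python
import hmac, hashlib, json

KEY = b"constructed-demo-signing-key"  # stands in for the Manifest signing key (constructed)

# Per-execution Manifest (constructed schema): allowed intents, output flow labels, call budgets.
MANIFEST = {
    "intents": {
        "FetchDocument":  {"label_out": "confidential", "budget": 2},
        "Summarize":      {"label_out": "inherit",      "budget": 5},
        "UploadArtifact": {"sink": "external",          "budget": 1},
    },
    # Confidential data may reach an external sink only via the RequestHumanApproval path.
    "flow_policy": {"external": {"confidential": "HUMAN_APPROVAL"}},
}

def sign(intent: dict) -> str:
    """Sign the canonical JSON of an intent (HMAC stands in for the paper's signing scheme)."""
    return hmac.new(KEY, json.dumps(intent, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class LogicShutter:
    """Single mediation path: Manifest check, signature, budget, flow labels, audit log."""
    def __init__(self, manifest: dict):
        self.manifest = manifest
        self.budget = {n: s["budget"] for n, s in manifest["intents"].items()}
        self.labels = {}   # artifact id -> information-flow label assigned by earlier intents
        self.audit = []    # (intent name, verdict, reason) for every decision, allowed or not

    def mediate(self, intent: dict, sig: str) -> str:
        name = intent.get("intent")
        spec = self.manifest["intents"].get(name)
        if spec is None or not hmac.compare_digest(sign(intent), sig):
            return self._log(name, "DENY", "intent not in Manifest or signature invalid")
        if self.budget[name] <= 0:
            return self._log(name, "DENY", "resource budget exhausted")
        # Composition check: an individually benign upload is escalated to a human when the
        # artifact it carries was labeled confidential by an earlier intent in the chain.
        in_label = self.labels.get(intent.get("input"), "public")
        if spec.get("sink") == "external":
            verdict = self.manifest["flow_policy"]["external"].get(in_label)
            if verdict:
                return self._log(name, verdict, f"{in_label} data would reach an external sink")
        self.budget[name] -= 1
        out_label = in_label if spec.get("label_out", "inherit") == "inherit" else spec["label_out"]
        if "output" in intent:
            self.labels[intent["output"]] = out_label  # label propagates to the produced artifact
        return self._log(name, "ALLOW", f"output labeled {out_label}")

    def _log(self, name, verdict: str, reason: str) -> str:
        self.audit.append((name, verdict, reason))
        return verdict
```

Feeding the chain FetchDocument, Summarize, UploadArtifact through one shutter yields ALLOW, ALLOW, HUMAN_APPROVAL, because the confidential label set by the fetch is inherited by the summary and caught at the external sink; the same upload of an unlabeled artifact is allowed once and then denied by its budget.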

Intent Drift and Agent Non-Trust

Agent non-trust and the undecidability of inferring arbitrary intent from code are met with layered mitigations, including restriction to DSLs, static-analysis default-deny, and enforcement of explicit human approval for high-risk paths. The architecture explicitly does not aim for full “semantic understanding”; rather, it converts intent mismatches into denied or human-mediated effects, with robust auditability for all externalities.

Covert Channels and Residual Risk

While direct byte channels are removed, residual covert channels (timing, output size, presence, content selection) are addressed via request normalization, output padding, template schema enforcement, and channel bandwidth limitation. The explicit goal is to compress such risks to low-bandwidth, modelable, and detectable patterns.

TCB Hardening

Logic Shutter and Weaver are subject to decomposition for TCB minimization and must be realized in memory-safe languages. All critical-path binaries are cryptographically validated; builds are reproducible, and code-intent proofs are verified at admission. Formal verification of prohibited-interface and policy-engine functionality is prescribed for critical assurance.

Application Capability Migration and Skill Ecosystem

AgenticOS proposes gradual migration from monolithic applications toward system-native, audited, composable, and revocable skills. Skills encapsulate distinct business functions, each with manifestable input/output schemas and information-flow rules. The agent runtime may grow in skill but not in underlying authority, with all skill expansion passing through rigorous review, signature, and registration. The OS thus hosts declarable capability units, shifting longstanding boundaries of what constitutes a first-class OS resource.

Discussion and Implications

The primary limitation is practical completeness of intent specification: automated, precise manifest derivation is undecidable. Usability and performance trade-offs arise from extensive mediation and multiple context switches, which may affect interaction latency. POSIX migration costs are acknowledged—AgenticOS is not intended as a universal substrate, but targets the progressive consolidation of delegable, semantically bounded software capabilities.

Responsibility for high-consequence operations is explicitly bound to human confirmation, with RequestHumanApproval as a first-class, audited Intent ABI primitive. This clarifies responsibility boundaries and maintains audit trails for all authorizations.

Conclusion

AgenticOS establishes a security abstraction paradigmatically suitable for operating systems that host autonomous AI agents. By fusing intent-oriented mediation, semantic capability synthesis, formal isolation, and dynamic ABI generation, it addresses emerging composition and supply-chain threats that cannot be solved by permission reduction alone. The architecture reconceptualizes the OS as a governance platform for audited, composable, least-authority task execution. Long-term, such intent-oriented systems will underpin deployable, responsible, and manageable autonomous agent infrastructure in complex and multiparty environments.

Reference: "AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents" (2606.21129).