- The paper introduces an architecture that reconceptualizes the OS as an intent filter, replacing resource primitives with manifest-bound intents.
- It establishes a four-layer design, including the Ghost Kernel and Logic Shutter, to ensure formal isolation and robust capability mediation.
- The approach mitigates risks like prompt injection and supply-chain poisoning by binding agent operations to strictly declared intents and human oversight.
AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents
Introduction and Motivation
AgenticOS addresses the structural inadequacies of legacy resource-permission-based operating systems in the context of LLM-driven autonomous agents. As agents routinely perform multi-step planning, external tool invocation, code execution, and complex network interactions, the POSIX model exposes resource primitives (files, network, processes) that create broad, hard-to-audit capabilities. This mismatch between user-authorized task intent and OS-exposed resources undermines efforts to confine agents strictly within user-sanctioned behavioral bounds. Common attacks—including prompt injection, supply-chain poisoning, and protocol abuse—demonstrate that simple reduction in granted permissions is insufficient; the operating system must understand and constrain external effects in line with declared mission intent, not simply resource access.
From Resource Manager to Intent Filter
The core paradigm shift in AgenticOS is the elevation of the OS role from a resource manager to an explicit intent filter. Agents interface with the system through structured declarative “intents” that describe high-level task objectives rather than requesting resource primitives. These intents are encapsulated in per-execution Manifests which serve as the root of all runtime authorization. The OS synthesizes a constrained semantic capability set specifically matched to the manifest, ensuring least privilege and strict containment of agent externalities.
Figure 1: Legacy OS security is permission-centric, granting processes access to resource primitives based on permissions, with limited relation to task semantics.
Figure 2: AgenticOS establishes a semantic boundary, admitting only explicitly declared task intents and enforcing structured mediation.
Under this architecture, the attack surface transitions from exploiting general-purpose system calls to operating under strict, auditable, policy-constrained semantic interfaces. Arbitrary behaviors emergent from the composition of low-level primitives are precluded by design.
AgenticOS Architecture
Four-Layer Design
AgenticOS imposes defense-in-depth via strict vertical decomposition:
This multi-layer model severely restricts lateral movement, privilege escalation, and covert exfiltration by decomposing authority and auditing control points.
Runtime Semantics and Intent Flow
Intents traverse the stack as signed, schema-validated requests. The semantic call flow—capsule to Logic Shutter, policy mediation, token validation, gateway execution, structured response—guarantees that external effects are always matched to manifest-declared intents and dynamically provisioned capabilities.
Figure 4: An end-to-end illustration of an intent request, from agent capsule through Logic Shutter mediation to a normalized external system response.
Manifest-Only Runtime and the Intent ABI
The Manifest-Only Runtime principle underpins AgenticOS containment. All agent-exposable interface stubs are generated at runtime by Weaver, strictly in accordance with the Manifest. No POSIX interfaces such as open, read, write, socket, execve, or fork are ever present in the capsule binary. Each semantic primitive is non-generalizable and labeled by required capability tokens, information-flow tags, and resource budgets.
Notably, capability expansion is one-way: skills and semantic interfaces must be generated statically, reviewed, registered, and signed before admission. Agents cannot obtain new capabilities by runtime composition, reflection, or self-elevation.
Figure 5: The dynamic workflow, linking agent code, Manifest, and policy-checked semantic libraries to ABI stubs, producing the agent’s runtime interface table.
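The intent flow and Manifest-Only Runtime described above, as an added example that is not the paper's code: a toy Logic Shutter that admits an intent request only if it is schema-valid, declared in the per-execution Manifest, correctly signed, labeled with the intent's capability token and within its resource budget, routing approval-gated intents to a human. The intent names, request fields, token strings and the HMAC scheme are assumptions made for this sketch.

```python
"""Toy Logic Shutter (added example, not the paper's code): default-deny mediation of
signed intent requests against a per-execution Manifest. Intent names, request fields
and the HMAC scheme are assumptions for this sketch."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real system derives per-manifest keys

# Constructed per-execution Manifest: only these intents get stubs; nothing else exists.
MANIFEST = {
    "FetchDocument": {"token": "cap.read.docs", "budget": 2, "approval": False},
    "UploadArtifact": {"token": "cap.write.external", "budget": 1, "approval": True},
}
REQUIRED_FIELDS = {"intent", "args", "token", "sig"}


def sign(intent: str, args: dict, token: str) -> str:
    """Signature over the canonical request body (stands in for a Weaver-issued stub)."""
    body = json.dumps({"intent": intent, "args": args, "token": token}, sort_keys=True)
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_request(intent: str, args: dict, token: str) -> dict:
    """What a generated ABI stub would emit for the agent: a signed intent request."""
    return {"intent": intent, "args": args, "token": token, "sig": sign(intent, args, token)}


class LogicShutter:
    def __init__(self, manifest: dict):
        self.manifest = manifest
        self.calls = {name: 0 for name in manifest}  # per-intent resource budget accounting

    def mediate(self, req: dict) -> str:
        """Return 'allow', 'human_approval' or 'deny:<reason>'; single mediation path."""
        if not REQUIRED_FIELDS.issubset(req):
            return "deny:schema"
        spec = self.manifest.get(req["intent"])
        if spec is None:  # undeclared intent: no stub, no capability, no path
            return "deny:undeclared_intent"
        if not hmac.compare_digest(sign(req["intent"], req["args"], req["token"]), req["sig"]):
            return "deny:bad_signature"
        if req["token"] != spec["token"]:  # token must match the intent's capability label
            return "deny:capability_token"
        if self.calls[req["intent"]] >= spec["budget"]:
            return "deny:budget_exhausted"
        self.calls[req["intent"]] += 1
        return "human_approval" if spec["approval"] else "allow"
```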
Security Analysis
System-Call Attack Surface Removal
Removal of direct system calls from agent capsules and the radical minimization of Ghost Kernel services (inspired by formally-verified kernels such as seL4) structurally eliminate privilege-escalation vectors typical of container escape and in-kernel resource management bugs. Only minimal, statically provisioned resources are available, and mediation is strictly single-path via the Logic Shutter.
Composition and Capability Attacks
The architecture recognizes that security cannot rely on single-call policies, as the interleaving of apparently benign ABIs may allow unintended exfiltration or escalation (e.g., call chains linking data fetch, model summarization, and artifact upload). The AgenticOS policy engine employs intent-interaction graph analysis, information-flow labeling, and human approval triggers to harden against composition attacks, with runtime behavior baselines and output normalization further constraining adversarial control.
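The information-flow labeling and intent-interaction analysis just described, as an added example that is not the paper's code: labels are propagated through a chain of individually benign intents, and the fetch, summarize, upload pattern is escalated to human approval at the egress sink because the derived label exceeds the sink's clearance. The label lattice, intent names and sink clearances are assumptions made for this sketch.

```python
"""Added example (not from the paper): an intent-interaction check that propagates
information-flow labels through a chain of intents and stops the fetch -> summarize
-> upload pattern at the egress sink. Labels, intent names, sink clearances and the
lattice ordering are assumptions for this sketch."""

# Constructed label lattice: higher rank means more sensitive.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Constructed catalogue: the label each intent introduces and the sink it writes to.
INTENTS = {
    "FetchPublicPage": {"source_label": "public", "sink": None},
    "FetchDocument": {"source_label": "internal", "sink": None},
    "Summarize": {"source_label": None, "sink": None},  # label derived from inputs
    "UploadArtifact": {"source_label": None, "sink": "external"},
    "ArchiveInternal": {"source_label": None, "sink": "internal"},
}
# Highest label each sink may receive without human approval (constructed policy).
SINK_CLEARANCE = {"external": "public", "internal": "internal"}


def join(a: str, b: str) -> str:
    """Least upper bound: an output is as sensitive as its most sensitive input."""
    return a if LABEL_RANK[a] >= LABEL_RANK[b] else b


def analyze_chain(chain: list) -> dict:
    """Walk the intents in order. Each step's output label is the join of the label it
    introduces and the labels of its named inputs; a sink step whose label exceeds the
    sink clearance is escalated to human approval before any effect occurs."""
    labels = {}  # artifact id -> label
    for step in chain:
        spec = INTENTS[step["intent"]]
        label = spec["source_label"] or "public"
        for dep in step.get("inputs", []):
            label = join(label, labels[dep])
        sink = spec["sink"]
        if sink is not None and LABEL_RANK[label] > LABEL_RANK[SINK_CLEARANCE[sink]]:
            return {"decision": "human_approval", "step": step["intent"], "label": label}
        labels[step["out"]] = label
    return {"decision": "allow", "labels": labels}
```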
Intent Drift and Agent Non-Trust
Agent non-trust, together with the undecidability of recovering arbitrary intent from code, is met with layered mitigations: restriction to DSLs, default-deny static analysis, and mandatory explicit human approval for high-risk paths. The architecture explicitly does not aim for full “semantic understanding”; rather, it converts intent mismatches into denied or human-mediated effects, with robust auditability for all externalities.
Covert Channels and Residual Risk
While direct byte channels are removed, residual covert channels (timing, output size, presence, content selection) are addressed via request normalization, output padding, template schema enforcement, and channel bandwidth limitation. The explicit goal is to compress such risks to low-bandwidth, modelable, and detectable patterns.
TCB Hardening
Logic Shutter and Weaver are subject to decomposition for TCB minimization and must be realized in memory-safe languages. All critical-path binaries are cryptographically validated; builds are reproducible, and code-intent proofs are verified at admission. Formal verification of prohibited-interface and policy-engine functionality is prescribed for critical assurance.
Application Capability Migration and Skill Ecosystem
AgenticOS proposes gradual migration from monolithic applications toward system-native, audited, composable, and revocable skills. Skills encapsulate distinct business functions, each with manifestable input/output schemas and information-flow rules. The agent runtime may grow in skill but not in underlying authority, with all skill expansion passing through rigorous review, signature, and registration. The OS thus hosts declarable capability units, shifting longstanding boundaries of what constitutes a first-class OS resource.
Discussion and Implications
The primary limitation is practical completeness of intent specification: automated, precise manifest derivation is undecidable. Usability and performance trade-offs arise from extensive mediation and multiple context switches, which may affect interaction latency. POSIX migration costs are acknowledged—AgenticOS is not intended as a universal substrate, but targets the progressive consolidation of delegable, semantically bounded software capabilities.
Responsibility for high-consequence operations is explicitly bound to human confirmation, with RequestHumanApproval as a first-class, audited Intent ABI primitive. This clarifies responsibility boundaries and maintains audit trails for all authorizations.
Conclusion
AgenticOS establishes a security abstraction paradigmatically suitable for operating systems that host autonomous AI agents. By fusing intent-oriented mediation, semantic capability synthesis, formal isolation, and dynamic ABI generation, it addresses emerging composition and supply-chain threats that cannot be solved by permission reduction alone. The architecture reconceptualizes the OS as a governance platform for audited, composable, least-authority task execution. Long-term, such intent-oriented systems will underpin deployable, responsible, and manageable autonomous agent infrastructure in complex and multiparty environments.
Reference: "AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents" (2606.21129).