- The paper presents an endogenous immune system architecture with a six-layer Immune Tower that integrates non-parametric and parametric defenses for dynamic agent protection.
- The paper proposes a formal taxonomy for agent viruses and vaccines, unifying disparate attack vectors and adaptive immunization mechanisms for individual and collective defense.
- The paper introduces continual immune learning via the Harness Triad, enabling iterative vaccine adaptation and real-time threat mitigation measured by metrics like AIR, CCS, BLI, and EOC.
Agent-Native Immune System: Architecture, Taxonomy, and Engineering
Introduction and Motivation
The rapid evolution of LLMs from static text completion systems to autonomous, collaborative agents has exposed a dramatically expanded attack surface in AI deployments. Contemporary perimeter defenses and training-time alignment constitute external and static measures, leaving active agents vulnerable to sophisticated runtime adversarial strategies. These include memory poisoning, tool-chain manipulation, and coordinated multi-agent exploits—all of which can subvert agent behavior post-alignment, bypassing conventional defense paradigms.
This work introduces the Agent-Native Immune System (ANIS), a biologically inspired endogenous architecture for runtime defense, situated and operational within the cognitive loop of an agent. The ANIS proposal is positioned not as a metaphorical analogy but as a formal, layered, and extensible framework, specifying operational mappings from immunological principles to agent engineering constructs. The goal is to provide autonomous agents with ongoing, dynamic self-protection, health preservation, governance in collectives, and evolvability against novel threats.
Architectural Contributions: The ANIS Immune Tower
A central contribution is the definition of the six-layer Immune Tower (L0–L5):
- L0 (Hardware Trust Root): Chip-level identity, attestations, TEE-rooted trust anchors that ensure provenance and facilitate tamper-evident agent identity.
- L1 (Barrier Immunity): Physical/logical separation, pre-cognitive input sanitization, mandatory sandboxing, and strict API gateways. This layer blocks entire attack classes prior to any agent reasoning, countering vulnerabilities exposed in models such as MCPInspect [li2025mcpinspect].
- L2 (Innate Cognitive Defense): Rule-based, deterministic verification and signature detection, providing microsecond-level rejection of known threats at the reasoning layer.
- L3 (Adaptive Tool Defense): Dynamic generation of parametric vaccines (steering vectors, LoRA adapters), able to counter emerging attack vectors at the tool-chain and action-execution layers.
- L4 (Ecological Governance): Multi-agent protocol guardrails, trust-chain auditing, and ensuring behavioral provenance across interactions.
- L5 (Collective Immunity): Cross-agent synchronization of vaccine payloads, federated threat intelligence, and swarm-level distributed defense mechanisms.
This architecture enforces defense-in-depth by integrating both non-parametric (rules, whitelists) and parametric (learned vectors, adapters) defense mechanisms, supporting local and collective immunogenicity. Unlike previous approaches that rely exclusively on static alignments or exterior monitoring, the Immune Tower operationalizes continuous, endogenous monitoring, recognition, and counter-adaptation.
Taxonomy: Agent Viruses and Vaccines
A formal ontology is developed for both agent viruses and immunization mechanisms:
- Agent Viruses: Defined as tuples specifying attack surface (cognitive, memory, tool, inter-agent), target capability, payload, and exploitation function. This taxonomy unifies previously disparate attack studies, e.g., goal hijacking [chao2024jailbreak], reasoning manipulation [turpin2023say], memory/knowledge base poisoning [chen2024agentpoison, memmorph2026].
- Agent Vaccines: Defensive payloads formally delineated by virus signature, mechanism class (non-parametric vs parametric), parameterization, and scope (individual, collective, universal). Non-parametric defenses (rules, blacklists) provide interpretability and fast reconfigurability, while parametric defenses (steering vectors and LoRA) enable robust, fine-grained, model-internal intervention against unseen adversarial patterns.
The crucial specification is the distinction—and complementarity—between non-parametric and parametric vaccines. This is foundational for supporting both rapid policy updates and the adaptive, learning-based defense needed for evolving threat landscapes.
Continual Immune Learning and the Harness Triad
ANIS repurposes three paradigms from recent harness engineering research for endogenous immune adaptation—the Harness Triad:
- Meta-Harness: Functions as a thymus analog, searching over defensive harness configurations, evaluating new candidate vaccines on efficacy and autoimmunity via the "Thymus Simulator."
- Auto-Harness: Automates code synthesis for harness-embedded defensive logic and constraints, driven by iterative feedback from attack environments.
- Self-Harness: Continuously audits agent execution, mines for failure traces, proposes harness edits, and validates defense upgrades through closed-loop regression testing.
This Triad operationalizes Continual Immune Learning (CIL): the agent iteratively detects, counters, and adapts to attacks, distributing successful vaccine payloads across collectives (L5). Each loop cycle includes detection (anomaly clustering), candidate generation (defensive edits/proposals), meta-evaluation (measuring autoimmunity, efficacy), and deployment.
A critical addition is the formal evaluation of Autoimmunity Rate (AIR)—quantifying unintended blockage/overfitting by new vaccines, and ensuring functional safety.
Security, Health, Order: Unifying Semantics and Metrics
The paper advances a semantic unification of security (defense against "non-self"), health (preservation of "self"), and order (collective stability), proposing explicit operational metrics for each:
- Cognitive Consistency Score (CCS): Logical coherence of agent reasoning with declared goals.
- Behavioral Legitimacy Index (BLI): Ratio of authorized tool use relative to total actions, sensitivity-weighted.
- Ecological Order Coefficient (EOC): Swarm-level health variance, indicating disorder or harmony.
These formalizations are pivotal for agent-internal self-assessment, enabling programmatic monitoring for both intrusion and goal drift, and for the deployment of corrective vaccines in real-time.
Practical Engineering Elements and Protocols
The framework specifies practical requirements for vaccine format standardization, secure cross-layer attestation, and efficient parametric vaccine deployment (e.g., steering vector calculation, LoRA versioning, hot-swapping). Protocols for vaccine message exchange include hardware-rooted attestation and expiration/rotation, essential for robust multi-agent collective security.
The paper addresses the need for protocol standardization—highlighting persistent risks in model context protocol (MCP) ecosystems [li2025mcpinspect, hou2025mcp] and advocating for community action to define interoperable schema for audit logs, immune message exchange, and threat signature hashes.
Comparison with Traditional Paradigms
A tabular comparison to perimeter guardrails and training-time alignment elucidates key strengths of ANIS:
- Endogenous, bidirectional runtime defense versus static/one-shot pre-training or external filters.
- Integrated metrication and rapid, vaccine-driven adaptation to unknown threats.
- Symbiotic relationship with the agent cognitive substrate, rather than an exclusively external monitor or static code patch.
Model alignment provides a constitutional basis for value adherence; ANIS is the "runtime law enforcement" and emergency response system necessary for agents to survive and function robustly under real-world challenge and attack. The framework is explicit: alignment and immunity must co-exist, as neither by themselves provide robust guarantees.
Implications, Limitations, and Directions for Future Research
ANIS reframes autonomous agent security and health maintenance as an evolutionary, co-adaptive contest, urging systematic empirical research on (1) parametric vaccine efficacy/latency/overhead; (2) protocol and vaccine standardization; (3) cross-modal (visual, auditory) immune mechanisms; (4) immune governance and liability frameworks.
The proposed engineering paradigm exposes new axes of tradeoff and open questions—including computational feasibility for large-scale deployments, risk and mitigation of autoimmunity, and emergent dynamics in collective settings as highlighted by SIR-like epidemiological modeling.
Key Implications
- Defensive capability must become native to the agent cognitive substrate—external alignment or filtering is insufficient for evolving and adaptive attacks.
- Metrication and formalization enable rigorous, quantitative evaluation of agent health at all operational levels.
- Collective agents require protocols for defense payload dissemination and attestation, or else order and stability cannot be maintained under sophisticated multi-agent exploits.
Limitations
The framework is conceptual and architectural; empirical validation with comprehensive benchmarks, real-time AIR/lifecycle measurements, and large-scale immune simulations are necessary future work. The tradeoffs between immune system complexity, attack surface reduction, latency, and functional safety are inherent and require fielded experimentation.
Conclusion
The Agent-Native Immune System framework constitutes a formal, operational, and extensible paradigm for runtime agent defense, complementing but not replacing alignment mechanisms. By embedding immunological principles, taxonomies, and learning-based adaptation directly into the agentic core, it provides a strategy for scalable, evolvable, and sustainable AI deployment in adversarial and open-world settings. The progression from static, externalized security to endogenous, dynamic immunity represents a fundamental inflection in the engineering of robust autonomous intelligent systems.
Reference: "Agent-Native Immune System: Architecture, Taxonomy, and Engineering" (2606.28270)