Papers
Topics
Authors
Recent
Search
2000 character limit reached

Reason Less, Verify More: Deterministic Gates Recover a Silent Policy-Violation Failure Mode in Tool-Using LLM Agents

Published 8 Jul 2026 in cs.AI and cs.CR | (2607.07405v1)

Abstract: Tool-using LLM agents can violate the very policies they are deployed to enforce while appearing to complete the task successfully. In policy-permissive environments, a tool may execute any well-formed call even when the corresponding state transition is forbidden by domain policy. The result is a silent wrong state (a booking cancelled, a passenger count changed, a claim acted on without verification) that neither the tool nor the agent's self-report exposes. We study this failure mode in the $τ2$-bench airline domain. On a budget agent, 78% of observed failures are silent wrong-state failures with no tool error, and the aggregate failure rate is reproducible across disjoint seeds, not sampling noise. We then evaluate a lightweight intervention: deterministic, read-only pre-execution gates that inspect the proposed call and current state before allowing a write. A four-gate suite raises full-benchmark success from 29.6% to 42.0% on gpt-4o-mini (+12.4pp; paired task-level bootstrap P=0.0012), and the lift reproduces on a disjoint 15-seed set (+12.3pp; P=0.0008). The effect is concentrated where the gates fire: on the 26/50 firing tasks, success rises by +19.2pp, while movement on the 24 non-firing tasks does not exclude zero. Two negative controls (a self-enforcing retail domain and BFCL) bound the mechanism: gates help when tools are policy-permissive and add little where tools already self-enforce. As suggestive evidence, not a central claim, the same failure mode persists at the frontier: gpt-5.2 at default reasoning still attempts policy-violating writes, and the same suite improves success from 61.2% to 71.6% (+10.4pp; P=0.020; n=5, no replication). The contribution is a bounded evaluation and reliability result: deterministic gates do not guarantee task success, but they can deterministically prevent a known class of silent policy-violating writes at the action boundary.

Summary

  • The paper introduces deterministic pre-execution gates that block silent policy violations, preventing unrecoverable errors in LLM-based tool agents.
  • Empirical results on the τ²-bench airline domain show a 12.4pp performance boost, with precise gate interventions mitigating silent failures.
  • Deterministic, stateless gates enforce policy constraints before state mutation, offering a robust approach to enhance agent reliability and safety.

Deterministic Policy Gates for Reliable Tool-Using LLM Agents: Recovery of Silent Policy-Violation Failures

Problem Statement and Failure Mode

The paper addresses a critical trust and reliability failure in LLM-based tool-using agents operating in policy-permissive environments. Standard practice relies on the agent to reason about and respect policy constraints specified in natural language. However, in many agentic AI benchmarks (notably τ2\tau^2-bench in the airline domain), the action interfaces (tools) are policy-permissive: they perform any syntactically valid action regardless of whether the action violates higher-level domain policy. This leads to silent wrong-state failures, wherein the agent mutates the environment state—in direct violation of policy—without any explicit error or signal. Such failures comprise 78\% of observed agent errors in the studied budget agent setting. Statistically, these failures are consistent and reproducible, not merely random sampling artifacts. The major implication is that the agent and any supervising operator see an apparently successful episode, while the final environment state is silently corrupted.

Deterministic Pre-Execution Gates: Intervention Mechanism

The proposed solution introduces deterministic, read-only pre-execution gates that act as reference monitors on mutating tool calls. Each gate is an explicit, hand-coded predicate over the candidate tool call and current environment state, encoding the intended policy invariants (e.g., cancellation eligibility, baggage allowance compliance, immutable passenger count). Importantly, these gates are stateless and do not query an LLM; they are purely deterministic and intercept mutating actions at the moment of execution. If a gate rejects a call, it blocks the state mutation and returns a structured, reasoned rejection message to the agent.

The gates are not reflection prompts, output guardrails, or LLM-judge ensembles; they operate on the operational state rather than model outputs, and they adjudicate concrete, machine-verifiable violations before state is changed. The mechanism's value and distinctiveness rely on five benchmark/evaluation properties: structured tool actions, permissive tool interfaces, state-decidable policies, final-state evaluation, and a task distribution that induces policy-violating behavior.

Empirical Outcomes

On the τ2\tau^2-bench airline domain, a suite of four fixed gates was evaluated using both budget (gpt-4o-mini) and frontier (gpt-5.2) models. On the budget agent, pass1_1 success increased from 29.6\% to 42.0\% (+12.4pp, P=0.0012P=0.0012), a result which replicated on a 15-seed disjoint set (+12.3pp, P=0.0008P=0.0008). The performance improvement concentrates on tasks where the gates actually fire (+19.2pp on firing tasks), with negligible or non-significant effects where they do not. The dominant lift is attributed to a highly precise cancellation-eligibility gate (100\% precision over 161 blocks). The mechanism is not universally beneficial—some candidate gates regress performance or have low precision, underscoring the necessity of per-policy auditing.

Pre-execution gates provide a deterministic guarantee: whenever a state-decidable, policy-violating action is proposed, the gate will block it for all subsequent executions—removing the reliance on stochastic model compliance. Strong gains persist across passk_k metrics, indicating that the approach yields improved consistency in addition to average performance.

Frontier model evidence (gpt-5.2) shows similar qualitative patterns: a +10.4pp lift (from 61.2\% to 71.6\%, P=0.020P=0.020), again concentrated in tasks where gates fire (+33.3pp). However, this evidence is presented as suggestive, since it lacks replication and the lower confidence bound approaches zero.

Mechanistic and Practical Boundaries

Gate efficacy depends crucially on the structure of the underlying domain and environment. Two negative controls—the τ2\tau^2-bench retail domain (where tools already self-enforce critical preconditions), and the BFCL v4 environment (where errors are non-silent)—showed no meaningful improvement, and in some cases regressed performance. This demonstrates that deterministic gates are only useful when there exist silent, state-decidable policy-violating actions not blocked by the tool. Attempts to extend to domains or benchmarks lacking those features yielded no additional positive results, highlighting both the scarcity of suitable environments and the importance of benchmark structure for agent reliability research.

Gate adoption also comes with deployment caveats: deterministic gates must be rigorously constructed and independently validated for their target environment and policy, as over-blocking can degrade performance and may vary with model behavior. Furthermore, blocking an action does not guarantee task recovery; the agent's policy for recovery after rejection still depends on underlying model capabilities.

Theoretical and Practical Implications

This work highlights a nuanced trust failure in current agentic-AI evaluation and deployment: policy enforcement and task success are not strictly antagonistic; enforcing deterministic state constraints in permissive environments can simultaneously increase reliability and measured task success. The main theoretical implication is that run-time, deterministic mediation at the action boundary prevents a class of silent, unrecoverable errors inherently unreachable by purely stochastic, prompt-based modeling approaches. This results in a qualitative safety/reliability guarantee, changing the trust model from probabilistically safe (via more data or larger models) toward deterministically constrained system behavior.

Practically, deployment of LLM-based agents in real-world environments (e.g., customer service automation) must address such silent failure modes to maintain integrity, compliance, and operator trust. The demonstrated mechanism is lightweight, auditable, and compatible with dynamic or evolving model and policy layers, supporting robust agent system engineering.

Limitations and Future Directions

Several limitations temper the generality of the findings:

  • Positive results exist for only one benchmark domain; the general prevalence of this failure mode and the transferability of the intervention remain open for empirical investigation.
  • Recovery after action rejection is model- and context-dependent, and gates cannot fully guarantee task-level success.
  • Gate tuning is non-trivial and must avoid regressions on both current and future models.
  • The approach is specific to state-decidable policies; ambiguous, interpretative, or adversarial policy settings are out of scope.

The paper motivates further research on:

  • Automatic or semi-automatic generation of high-precision gate predicates for structured applications.
  • Construction of additional benchmarks deliberately exposing silent policy-violating errors.
  • Integrating deterministic verification with richer plan/repair strategies for improved overall task recovery.
  • Systematic auditing frameworks for large-scale deployment of deterministic runtime enforcement in agentic AI.

Conclusion

The introduction of deterministic, pre-execution gates provides a selective but powerful means to raise the reliability and policy compliance of tool-using LLM agents in environments where tools are permissive and policies can be encoded as state predicates. In the τ2\tau^2-bench airline domain, this yields substantial, reproducible improvements in both average and consistent agent performance by eliminating a major class of silent policy-violation failures. However, the effect is bounded by environment structure and gate quality, and broader validation is contingent on further development of suitable benchmarks and automated gate design methodologies. This work establishes a concrete direction for agent system reliability: formalize boundaries between stochastic policy modeling and deterministic action verification, and ensure that silent errors are targeted explicitly in empirical evaluation.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.