- The paper introduces deterministic pre-execution gates that block silent policy violations, preventing unrecoverable errors in LLM-based tool agents.
- Empirical results on the τ²-bench airline domain show a 12.4pp performance boost, with precise gate interventions mitigating silent failures.
- Deterministic, stateless gates enforce policy constraints before state mutation, offering a robust approach to enhance agent reliability and safety.
Problem Statement and Failure Mode
The paper addresses a critical trust and reliability failure in LLM-based tool-using agents operating in policy-permissive environments. Standard practice relies on the agent to reason about and respect policy constraints specified in natural language. However, in many agentic AI benchmarks (notably τ2-bench in the airline domain), the action interfaces (tools) are policy-permissive: they perform any syntactically valid action regardless of whether the action violates higher-level domain policy. This leads to silent wrong-state failures, wherein the agent mutates the environment state—in direct violation of policy—without any explicit error or signal. Such failures comprise 78\% of observed agent errors in the studied budget agent setting. Statistically, these failures are consistent and reproducible, not merely random sampling artifacts. The major implication is that the agent and any supervising operator see an apparently successful episode, while the final environment state is silently corrupted.
Deterministic Pre-Execution Gates: Intervention Mechanism
The proposed solution introduces deterministic, read-only pre-execution gates that act as reference monitors on mutating tool calls. Each gate is an explicit, hand-coded predicate over the candidate tool call and current environment state, encoding the intended policy invariants (e.g., cancellation eligibility, baggage allowance compliance, immutable passenger count). Importantly, these gates are stateless and do not query an LLM; they are purely deterministic and intercept mutating actions at the moment of execution. If a gate rejects a call, it blocks the state mutation and returns a structured, reasoned rejection message to the agent.
The gates are not reflection prompts, output guardrails, or LLM-judge ensembles; they operate on the operational state rather than model outputs, and they adjudicate concrete, machine-verifiable violations before state is changed. The mechanism's value and distinctiveness rely on five benchmark/evaluation properties: structured tool actions, permissive tool interfaces, state-decidable policies, final-state evaluation, and a task distribution that induces policy-violating behavior.
Empirical Outcomes
On the τ2-bench airline domain, a suite of four fixed gates was evaluated using both budget (gpt-4o-mini) and frontier (gpt-5.2) models. On the budget agent, pass1​ success increased from 29.6\% to 42.0\% (+12.4pp, P=0.0012), a result which replicated on a 15-seed disjoint set (+12.3pp, P=0.0008). The performance improvement concentrates on tasks where the gates actually fire (+19.2pp on firing tasks), with negligible or non-significant effects where they do not. The dominant lift is attributed to a highly precise cancellation-eligibility gate (100\% precision over 161 blocks). The mechanism is not universally beneficial—some candidate gates regress performance or have low precision, underscoring the necessity of per-policy auditing.
Pre-execution gates provide a deterministic guarantee: whenever a state-decidable, policy-violating action is proposed, the gate will block it for all subsequent executions—removing the reliance on stochastic model compliance. Strong gains persist across passk​ metrics, indicating that the approach yields improved consistency in addition to average performance.
Frontier model evidence (gpt-5.2) shows similar qualitative patterns: a +10.4pp lift (from 61.2\% to 71.6\%, P=0.020), again concentrated in tasks where gates fire (+33.3pp). However, this evidence is presented as suggestive, since it lacks replication and the lower confidence bound approaches zero.
Mechanistic and Practical Boundaries
Gate efficacy depends crucially on the structure of the underlying domain and environment. Two negative controls—the τ2-bench retail domain (where tools already self-enforce critical preconditions), and the BFCL v4 environment (where errors are non-silent)—showed no meaningful improvement, and in some cases regressed performance. This demonstrates that deterministic gates are only useful when there exist silent, state-decidable policy-violating actions not blocked by the tool. Attempts to extend to domains or benchmarks lacking those features yielded no additional positive results, highlighting both the scarcity of suitable environments and the importance of benchmark structure for agent reliability research.
Gate adoption also comes with deployment caveats: deterministic gates must be rigorously constructed and independently validated for their target environment and policy, as over-blocking can degrade performance and may vary with model behavior. Furthermore, blocking an action does not guarantee task recovery; the agent's policy for recovery after rejection still depends on underlying model capabilities.
Theoretical and Practical Implications
This work highlights a nuanced trust failure in current agentic-AI evaluation and deployment: policy enforcement and task success are not strictly antagonistic; enforcing deterministic state constraints in permissive environments can simultaneously increase reliability and measured task success. The main theoretical implication is that run-time, deterministic mediation at the action boundary prevents a class of silent, unrecoverable errors inherently unreachable by purely stochastic, prompt-based modeling approaches. This results in a qualitative safety/reliability guarantee, changing the trust model from probabilistically safe (via more data or larger models) toward deterministically constrained system behavior.
Practically, deployment of LLM-based agents in real-world environments (e.g., customer service automation) must address such silent failure modes to maintain integrity, compliance, and operator trust. The demonstrated mechanism is lightweight, auditable, and compatible with dynamic or evolving model and policy layers, supporting robust agent system engineering.
Limitations and Future Directions
Several limitations temper the generality of the findings:
- Positive results exist for only one benchmark domain; the general prevalence of this failure mode and the transferability of the intervention remain open for empirical investigation.
- Recovery after action rejection is model- and context-dependent, and gates cannot fully guarantee task-level success.
- Gate tuning is non-trivial and must avoid regressions on both current and future models.
- The approach is specific to state-decidable policies; ambiguous, interpretative, or adversarial policy settings are out of scope.
The paper motivates further research on:
- Automatic or semi-automatic generation of high-precision gate predicates for structured applications.
- Construction of additional benchmarks deliberately exposing silent policy-violating errors.
- Integrating deterministic verification with richer plan/repair strategies for improved overall task recovery.
- Systematic auditing frameworks for large-scale deployment of deterministic runtime enforcement in agentic AI.
Conclusion
The introduction of deterministic, pre-execution gates provides a selective but powerful means to raise the reliability and policy compliance of tool-using LLM agents in environments where tools are permissive and policies can be encoded as state predicates. In the τ2-bench airline domain, this yields substantial, reproducible improvements in both average and consistent agent performance by eliminating a major class of silent policy-violation failures. However, the effect is bounded by environment structure and gate quality, and broader validation is contingent on further development of suitable benchmarks and automated gate design methodologies. This work establishes a concrete direction for agent system reliability: formalize boundaries between stochastic policy modeling and deterministic action verification, and ensure that silent errors are targeted explicitly in empirical evaluation.