Cascaded Policy-Aligned Pipelines (Hi-Guard)

• The paper introduces Hi-Guard, a framework that compiles free-form policy into guard logic to enforce compliance in real-time automated workflows.
• Hi-Guard’s methodology features a two-phase approach: build-time policy mapping and runtime verification, ensuring deterministic and interpretable enforcement.
• Empirical results demonstrate enhanced performance and efficiency in agentic decision-making and multimodal content moderation, outperforming baseline models.

Cascaded Policy-Aligned Pipelines (Hi-Guard) encompass a class of modular, deterministic frameworks engineered to enforce compliance with explicit, often complex, policy requirements in automated workflows. The Hi-Guard paradigm surfaces in both agentic decision-making scenarios—where LLM agents invoke tools in corporate settings—and in multimodal content moderation, requiring high-precision interpretation and transparent alignment with evolving rules. The central tenet is a cascaded, multi-stage enforcement pipeline that (1) compiles unstructured or semi-structured policy into executable guard logic, and (2) interposes these artifacts in front of agent or system actions, ensuring pro-active, interpretable compliance at scale (Zwerdling et al., 22 Jul 2025, Li et al., 5 Aug 2025).

1. Architecture of Cascaded Policy-Aligned Workflows

The Hi-Guard framework adopts a two-phase architecture:

• Build-Time Compilation Phase: Policy documentation—typically in free-form natural language—is mapped to a structured, machine-readable format. Each atomic policy rule is assigned explicitly to affected tools or moderation categories. This mapping yields both a policy-to-action validator (e.g., ToolGuard code or a hierarchy-aligned category path) and concrete compliance/violation examples.
• Runtime Enforcement Phase: Every agent action (e.g., invoking a booking tool, issuing a refund, classifying a multimodal post) is intercepted by the relevant guard function. The guard executes pre-invocation, validating compliance against formalized policy before proceeding. Violations return machine- and human-interpretable reasons, triggering enforced plan revision or reevaluation. This determinism guarantees that, conditional on successful guard generation, violations are prevented at runtime.

This cascaded pipeline structure is instrumental for both business process automation (Zwerdling et al., 22 Jul 2025) and content moderation (Li et al., 5 Aug 2025), where enforcement must generalize to new contexts and policies without introducing false negatives or excessive false positives.

2. Methodology: Build-Time Compilation and Policy Mapping

Agentic Workflow Enforcement

The build-time compiler ingests three inputs: (1) natural language policy documents, (2) formal tool specifications (e.g., OpenAPI), and (3) a system schema including data access APIs. The pipeline, realized in LangGraph or comparable frameworks, executes the following process:

1. Extract candidate policy-tool mappings.
2. Reflectively add missed policies.
3. Decompose composite rules (AND/OR logic) into atomic policies.
4. Merge duplicates.
5. Vet enforceability; archive rules requiring external/unavailable context.
6. Correct reference attribution for auditable tracing.
7. Generate minimal, illustrative compliance/violation examples.
8. Augment with additional unit tests.
9. (Optional) Solicit expert human review via coverage-highlighting GUI.

Evaluation of the mapping leverages standard information retrieval metrics: for reference spans, precision $P$, recall $R$, and $F_1$; for policy-item clustering, the fuzzy RandIndex (FRI). On the $\tau$-bench Airlines domain, GPT-4o achieves $P=0.88$, $R=0.77$, $F_1=0.80$, $FRI=0.83$ (Zwerdling et al., 22 Jul 2025).

Multimodal Content Moderation

For moderation, Hi-Guard maps policy definitions into a multi-level taxonomy, with each fine-grained label represented as a hierarchical path $(y^{(1)}, y^{(2)}, y^{(3)}, y^{(4)})$. Category rules and textual definitions are placed directly in prompts to ensure explicit alignment during both supervised and reinforcement learning phases (Li et al., 5 Aug 2025).

3. Runtime Enforcement: Deterministic and Modular Pipelines

At runtime, agent actions are subject to real-time, pre-invocation checking. In agentic environments, each action

$\text{act}_t(\text{args})$

is only executed if the associated guard function

$$\text{tool\_guard}_t(\text{state, history, args}) = \text{True}$$

otherwise, the violation is intercepted and an alert plus rationale is returned to the agent planner for immediate revision. This structure—enforced at every tool call in a ReAct reasoning loop—ensures there is no possibility for direct violations, conditional on expressive, correct guard construction (Zwerdling et al., 22 Jul 2025).

In moderation, Hi-Guard deploys a cascaded filter: a low-cost binary model first screens for risk (Stage 1), followed by a resource-intensive, path-aware classifier for nuanced classification (Stage 2). Only content flagged as “risky” is routed to the second stage, optimizing both computational efficiency and label granularity (Li et al., 5 Aug 2025).

4. Empirical Results and Evaluation Metrics

Agentic Workflow Enforcement

Testing on $\tau$-bench Airlines (14 tools, 50 multi-turn tasks), Hi-Guard was benchmarked against prompt-based and policy-reflection baselines using the pass$^k$ metric (fraction of tasks where $k$ of 10 runs succeeded). Automated ToolGuard integration yielded pass$^1 = 0.685$, pass$^{10} = 0.500$, a +20 percentage point advantage over prompt-only baselines (pass$^1=0.450$, pass$^{10}=0.227$) (Zwerdling et al., 22 Jul 2025). Violation-alert counts showed automated guards (217 alerts in 14 task types) balanced sensitivity and specificity, avoiding excessive false positives observed in naive policy doc re-injection (786 alerts in 21 types).

Content Moderation

On zero-shot generalization (unseen taxonomy paths), the cascaded Hi-Guard moderation pipeline achieved 84.11% accuracy, precision 52.7%, recall 59.4%, outstripping SFT and single-stage RL baselines by 12–22 percentage points (Li et al., 5 Aug 2025). Hardware costs were reduced (22.7% lower GPU time), and human preference for generated Chain-of-Thought (CoT) explanations reached 73.3%. In a 10-day A/B experiment, Hi-Guard produced 85.06% accuracy on “risky” posts, reducing manual review by 56.4% with a final human-in-the-loop share at 0.24%.

5. Optimization: Test-Driven Development and Policy-Aligned RL

Automated guard code generation employs test-driven development workflows. Each compliance or violation example from policy mapping becomes a unit test; LLMs synthesize candidate guard functions verified via static (Pyright) and dynamic (pytest) checks. A “red–green–refactor” cycle continues until all tests pass or maximum iterations are reached. With a manual mapping, GPT-4.1 achieved mean test-pass rate (TPR) of 0.82; the fully automated pipeline (GPT-4o mapping, GPT-4.1 codegen) produced TPR = 0.75, with failures clustered on compliance logic incompleteness (Zwerdling et al., 22 Jul 2025).

For moderation, Hi-Guard introduces Group Relative Policy Optimization (GRPO). Each risky input generates $G$ output samples; rewards for format, taxonomic path accuracy (with level-dependent soft penalties), and group-normalized advantage $A_i$ direct the optimization:

$$\mathcal{L}_{\rm GRPO} = -\frac{1}{G}\sum_{i=1}^G A_i \log\pi_{\theta_2}(\hat P_i\mid N)$$

where $A_i = \frac{R_i - \mu_R}{\sigma_R}$ normalizes rewards across the group ($\hat P_i$ sampled path, $R_i$ reward). This design stabilizes reward landscapes and supports the injection of semantic hierarchy into structured decision outputs (Li et al., 5 Aug 2025).

6. Limitations, Scalability, and Extensions

Current Hi-Guard deployments constrain enforcement to “pre-invocation” gating—preventing execution of disallowed tool calls or unsafe classifications, but not ensuring omissions (e.g., required actions not taken) are detected (Zwerdling et al., 22 Jul 2025). Domain generalization is non-trivial; recall dropped by 10–18% $F_1$ when irrelevant or out-of-domain policy corpora were appended, indicating limits to LLM mapping and codegen at scale.

Proposed future extensions include:

• Compiling policies into temporal logic constraints $G_t(s,s')$ over state transitions, enabling model checking for the absence of policy violations across execution traces.
• Integrating liveness checks to ensure all mandatory actions are eventually triggered given certain preconditions.
• Enhanced audit trails: systematic logging of all guard invocations and outcomes for traceable compliance reporting.
• A plausible implication is that hierarchical, modular guard architectures may lend themselves to formal verification—if transition-level policy constraints can be encoded with sufficient fidelity.

7. Significance and Impact

Hi-Guard exemplifies a new paradigm for transparent, test-driven policy enforcement in both agentic tool-use and scalable content moderation. The cascaded architecture, with explicit alignment to policy text and deterministic runtime guarantees, advances state-of-the-art performance on challenging real-world benchmarks. Its use of atomic rule fragmentation, human-interpretable explanations, and reinforcement-aligned optimization provides a foundation for robust, auditable deployment in enterprise and safety-critical contexts (Zwerdling et al., 22 Jul 2025, Li et al., 5 Aug 2025).