PolicyGuard: Executable Policy Enforcement
- PolicyGuard is a policy-grounded control paradigm that converts textual guidelines into executable enforcement mechanisms across AI systems.
- It employs diverse methodologies including learned access control, Datalog rules, dialogue checklists, and embedding-based detectors for safe behavior.
- Empirical results demonstrate its capability to reduce unsafe outputs through runtime mediation, step-level monitoring, and full trajectory compliance assessments.
PolicyGuard is a policy-grounded control paradigm for AI systems in which policies are made executable rather than left as prompt text or informal guidance. In recent arXiv usage, the label denotes multiple architectures rather than a single algorithm: learned runtime access control for tool-using agents, deterministic policy compilation over dependency graphs, dialogue-grounded sub-agent verification, step-level backdoor detection for reinforcement learning agents, neuro-symbolic compliance review for documents, privacy enforcement for retrieval-augmented generation, and lightweight policy-violation detection for web-agent trajectories (Abaev et al., 15 Jan 2026, Palumbo et al., 18 Feb 2026, Kang et al., 28 Jun 2026, Huang, 11 Jun 2026, Malik et al., 30 Jun 2026, Zafar et al., 16 May 2026, Wen et al., 3 Oct 2025). Taken together, these systems treat “policy” as an operational object—encoded as graph predicates, typed logic rules, learned access predicates, uncertainty thresholds, or trajectory–policy classifiers—and place enforcement at the point where an unsafe action, document decision, or output would otherwise be committed.
1. Scope and terminological usage
By 2025–2026, “PolicyGuard” appears as an overloaded research term spanning several technical traditions. Some works use the name directly, while others explicitly position their framework as a policy-based guard or “PolicyGuard” layer. The common denominator is not a shared implementation, but an insistence that policy adherence should be explicit, inspectable, and enforceable before harmful side effects occur (Abaev et al., 15 Jan 2026, Palumbo et al., 18 Feb 2026, Kang et al., 28 Jun 2026).
| Work | Policy substrate | Primary control point |
|---|---|---|
| AgentGuardian | Learned per-tool predicates plus CFG constraints | Runtime gate beneath agent business logic |
| PCAS-based PolicyGuard | Datalog-derived rules over a dependency graph | Reference monitor before execution |
| Dialogue-grounded POLICYGUARD | Raw policy text plus per-tool checklist | Mutating tool-call verifier |
| RL PolicyGuard | GP posterior variance over clean behavior manifold | Test-time step-level detector |
| Document-review PolicyGuard | Typed relational logic plus atom questions | Symbolic compliance evaluator |
| Privacy Policy Enforcement PolicyGuard | Dual one-class density estimators over fused embeddings | Layer-2 RAG output gate |
| PolicyGuard-4B | Instruction-tuned trajectory–policy classifier | Full-trajectory and prefix-based monitoring |
This breadth matters because the word “policy” is instantiated differently across settings. In agent governance, it usually means authorization conditions over tool calls, provenance, workflow order, or dialogue prerequisites. In document review, it means organization-specific negotiation rules formalized as Boolean logic. In privacy enforcement, it becomes a decision boundary separating safe outputs, unsafe outputs, and abstain regions. In reinforcement learning, it refers not to the agent’s control policy alone, but to a detector that guards that policy at test time (Malik et al., 30 Jun 2026, Zafar et al., 16 May 2026, Huang, 11 Jun 2026).
2. Runtime governance of tool-using agents
One major PolicyGuard line governs agent actions at runtime. AgentGuardian is explicitly positioned as a policy-based guard for AI agents that “learns, expresses, and enforces access-control policies over tool invocations and their orchestration,” with three layers of coverage: input validation, attribute-based constraints, and workflow constraints. During an attack-free staging phase, it monitors benign execution traces, constructs a control-flow graph (CFG), embeds each tool event into a 150D vector, clusters per-tool behaviors, generalizes them into regex predicates and numeric ranges, and then enforces a binary access-control policy at runtime through LiteLLM’s custom feedback hook (Abaev et al., 15 Jan 2026). Its local-and-global decision rule is
so legality requires both a valid leading context in the CFG and satisfaction of at least one learned rule. On two real-world applications, Knowledge Assistant and IT Support, AgentGuardian reported aggregate , , and , detecting $18/20$ violations overall; it also blocked hallucination-driven orchestration errors as “benign execution failures” rather than false positives (Abaev et al., 15 Jan 2026).
A second strand replaces learned policies with declarative compilation. PCAS formulates agentic state as a dependency graph over messages, tool calls, tool results, and approvals, then evaluates Datalog-derived authorization rules over the backward slice of a proposed action. The core enforcement claim is deterministic: a reference monitor intercepts all actions, checks policy before execution, and yields traces satisfying
The paper frames this as a PolicyGuard for secure agentic systems, with recursive provenance via Depends(dst, src) :- Edge(src, dst) and its transitive closure, enabling information-flow control, approval workflows, and organizational policy enforcement across multiple agents (Palumbo et al., 18 Feb 2026). In evaluation, PCAS improved customer-service policy compliance from to across frontier models, achieved zero policy violations in instrumented runs, reduced prompt-injection attack success to 0 under MLS and Toxic Flow policies versus 1 for the non-instrumented anti-exfiltration prompt baseline, and raised pharmacovigilance compliance from 2 to 3 while blocking unauthorized FDA access before execution (Palumbo et al., 18 Feb 2026).
AIRGuard advances a closely related runtime-authority formulation. It normalizes heterogeneous tool calls into 4, derives step-level authority 5 from trusted issuers, labels source and target trust as 6, and then decides allow, audit, ask, inspect, sandbox, quarantine, or block based on a coverage predicate and a risk simulator (Qin et al., 27 May 2026). The defining invariant is that untrusted resources may inform reasoning but must not authorize side effects. On AgentTrap, AIRGuard reduced Claude Sonnet 4.6 attack success from 7 without defense to 8, with 9 benign utility preservation; on DTAP-150, it preserved 0 benign utility with Haiku 4.5, compared with 1 for ARGUS and 2 for MELON (Qin et al., 27 May 2026). This suggests a three-way distinction inside agent-side PolicyGuard research: learned access control from benign traces, symbolic authorization over provenance graphs, and authority-control mediation over normalized actions.
3. Dialogue-grounded adherence and decision-level verification
A distinct PolicyGuard formulation argues that agent compliance failures are often procedural rather than purely authorization-theoretic. The dialogue-grounded POLICYGUARD system is a sub-agent verifier that shares the agent’s view of the full conversation, the pending mutating tool call, prior tool results, the raw policy text, and a per-tool YAML checklist. For each mutating attempt, it marks requirements as MET or [NOT](https://www.emergentmind.com/topics/neural-organ-transplantation-not) MET, returns [PASS](https://www.emergentmind.com/topics/pinching-antenna-systems-pass-5a5ea466-270d-48a7-81e8-bf45cd018280) or BLOCK, and—if blocking—produces a short remediation message that guides the agent’s next turn (Kang et al., 28 Jun 2026). The paper’s motivating statistic is that approximately two-thirds of atomic policy requirements on 3-Bench airline, 4, are process-level and therefore outside the scope of argument-only verifiers. Two prompt instructions are load-bearing: “Only trust values confirmed by tool results, not user-claimed values,” and “If a required action was never performed, treat it as NOT MET” (Kang et al., 28 Jun 2026).
The empirical emphasis is worst-case reliability rather than one-shot accuracy. On airline across GPT-5.4, Claude Sonnet 4.6, and Gemini 2.5 Pro, PG-Checklist improved Pass4 by 5, 6, and 7 percentage points over baseline, respectively; it also achieved perfect policy-violation Pass on all three vendors while blocking substantially less often than ToolGuard (Kang et al., 28 Jun 2026). In per-call analysis, GPT-5.4 under PG-Checklist reached 8 policy-violation recall with Blk% 9, versus ToolGuard’s Blk% 0 and recall 1; Gemini 2.5 Pro improved from ToolGuard’s 2 recall to 3 under PG-Checklist while lowering blocking from 4 to 5 (Kang et al., 28 Jun 2026). Dialogue ablation was decisive: when user and assistant natural-language turns were removed from the verifier’s view, Mut Pass collapsed to 6 on GPT-5.4. The paper therefore treats conversation state, not tool arguments alone, as the load-bearing policy substrate (Kang et al., 28 Jun 2026).
This verifier-centric view is adjacent to decision-level provenance defenses such as MindGuard, which tracks tool-selection influence through a Decision Dependence Graph (DDG) built from attention patterns rather than dialogue semantics. MindGuard frames DDG as a PolicyGuard substrate for MCP Tool Poisoning Attacks, enabling CFI-like and DFI-like predicates over decision provenance, with mean AP approximately 7, detection accuracy approximately 8, attribution accuracy 9–0, processing times under one second, and no additional token cost (Wang et al., 28 Aug 2025). The contrast is structural: dialogue-grounded POLICYGUARD reasons over explicit speech acts and read-only tool evidence, whereas DDG-based approaches reason over influence paths inside the model’s planning context.
4. Trajectory- and step-level PolicyGuard in reinforcement learning and web agents
In reinforcement learning, PolicyGuard becomes a test-time detector rather than a tool-call gate. The RL formulation introduces a black-box, step-level backdoor defense that models normal behavior with a sparse additive Gaussian Process over clean trajectory embeddings and uses posterior variance as an uncertainty signal. Because step-level uncertainty depends on sequence context, the method constructs pseudo trajectories by splicing the current suspicious state-action pair into clean reference futures and aggregating per-step uncertainty with the Interquartile Mean:
1
A backdoor is signaled when 2 (Huang, 11 Jun 2026). Across seven RL games, PolicyGuard reported average AUROC 3 for perturbation-based attacks and 4 for adversary-agent attacks; on hard-coded backdoors, it maintained overall AUROC 5 and 6 for the two attack families, where optimization-based baselines collapsed near AUROC 7 (Huang, 11 Jun 2026). The paper’s theoretical basis is that benign points densely covered by the clean manifold drive posterior variance toward zero, while triggered states farther from the inducing points yield larger expected uncertainty.
For autonomous web agents, PolicyGuard is formulated as explicit policy-violation classification over long-horizon trajectories. PolicyGuardBench contains 59,997 balanced trajectory–policy pairs derived from 733 standardized WebArena trajectories with an average of 9.3 actions, 2,195 curated policies, and both within-subdomain and cross-subdomain pairings; the benchmark includes full-trajectory detection and prefix-based detection from the first 8 steps (Wen et al., 3 Oct 2025). PolicyGuard-4B is a Qwen3-4B-Instruct model instruction-tuned on this benchmark. On full trajectories, it achieved Accuracy 9, F1 $18/20$0, latency $18/20$1 ms/example, FLOPs/example $18/20$2 TFLOPs, and EA-F1 $18/20$3, outperforming larger models on efficiency while remaining close to the best open-source F1 values (Wen et al., 3 Oct 2025). In leave-one-domain-out evaluation, average in-domain performance was $18/20$4 Accuracy/F1 and out-of-domain performance was $18/20$5, indicating a relatively small generalization gap (Wen et al., 3 Oct 2025).
These two lines share a trajectory perspective but differ in what constitutes “policy.” In RL, the guarded object is the deployed policy’s test-time behavior under triggers; in web agents, the guarded object is a textual trajectory evaluated against an explicit textual rule. A plausible implication is that PolicyGuard has become a general label for systems that intervene over sequential behavior before complete failure manifests, whether the monitored sequence is a control trajectory, a web workflow, or a multi-turn agent dialogue.
5. Neuro-symbolic document compliance and privacy enforcement
Another major usage of PolicyGuard formalizes organization-specific policy logic as symbolic computation. The document-review PolicyGuard converts policy guidance into typed relational logic rules, atom-level extraction questions, and rule-level validation tests. At review time, an LLM answers local true/false questions using retrieved clause evidence, and a deterministic evaluator implemented with the Z3 SMT solver applies Boolean rule formulas to decide non-compliance (Malik et al., 30 Jun 2026). The representation includes typed predicates, ground atoms, and rules of the form
$18/20$6
with no probabilistic rule weighting in the core evaluator (Malik et al., 30 Jun 2026). In a company-specific NDA case study comprising 95 internal guidelines over five real NDAs, for 475 policy–contract decisions, PolicyGuard achieved average accuracy $18/20$7 and average non-compliance F1 $18/20$8, versus best prompting baselines around $18/20$9 F1; its pass0 to pass1 reliability dropped only from 2 to 3, and 4 of policy–contract decisions were identical across all 10 runs (Malik et al., 30 Jun 2026). The gain is attributed to separation of concerns: local interpretation remains probabilistic, but policy application is deterministic and auditable.
Privacy-oriented PolicyGuard work moves from symbolic rules to density estimation over outputs. The Privacy Policy Enforcement framework for data-sensitive RAG targets contextual leakage through quasi-identifier clusters rather than token-level PII, using fused 3,072-dimensional embeddings from Qwen3-Embedding-0.6B, BGE-M3, and E5-large-v2, together with dual one-class estimators and an abstain region for both-OOD cases (Zafar et al., 16 May 2026). Its discriminator is 5, with abstention when neither safe-side nor unsafe-side density claims the input as in-distribution. The recommended detector, T3+OCSVM-v4, achieved within-distribution AUROC 6, 7, and 8 across medicine, finance, and law; on the more important borderline-safe stress test, it reached AUROC 9, 0, and 1, while the GMM baseline collapsed to 2, 3, and 4 (Zafar et al., 16 May 2026). Borderline FPR95 dropped by 5, 6, and 7 percentage points across the three domains, abstain rates were 8, 9, and 0, and latency was on the order of milliseconds per answer, approximately 1 ms (Zafar et al., 16 May 2026).
Both systems are policy-grounded but differ in execution semantics. The NDA system compiles policy into logic and then gathers evidence. The RAG privacy system instead operationalizes policy as a calibrated boundary in embedding space, with safe, flag, or abstain actions. This suggests that “PolicyGuard” is not tied to symbolic or statistical enforcement alone; rather, it denotes a design goal in which policy becomes the primary interface between organizational requirements and model outputs.
6. Common design patterns, benchmarking infrastructure, and limitations
Across these papers, several recurring design patterns emerge. First, policies are externalized from the model: as CFG-constrained per-tool predicates in AgentGuardian, Datalog rules in PCAS, YAML checklists plus raw policy text in dialogue-grounded POLICYGUARD, typed relational logic in document review, or explicit thresholds and abstain regions in privacy and RL detection (Abaev et al., 15 Jan 2026, Palumbo et al., 18 Feb 2026, Kang et al., 28 Jun 2026, Malik et al., 30 Jun 2026, Zafar et al., 16 May 2026, Huang, 11 Jun 2026). Second, the enforcement point is pushed as close as possible to the irreversible event: before a tool call, before an environment mutation, before a document compliance label is finalized, or before a suspicious RL action executes. Third, provenance or context is usually richer than a single input string: CFG paths, dependency graphs, dialogue history, pseudo trajectories, or full agent trajectories are treated as necessary state.
A broader policy-grounded ecosystem has also emerged around testing and data construction. GUARD operationalizes government-issued guidelines from the EU Trustworthy AI Assessment List, UK Illustrative AI Risks, and NIST Risks Unique to GAI into guideline-violating questions and jailbreak diagnostics, using multi-role generation and GUARD-JD scenario optimization (Jin et al., 28 Aug 2025). GuardSet-X, also described as PolyGuard in the paper, grounds over 100k guardrail instances in more than 150 authentic policy documents, more than 400 risk categories, and 1,000 safety rules across eight domains, and shows that all 19 evaluated guardrail models remain vulnerable to optimized adversarial attacks (Kang et al., 18 Jun 2025). These datasets do not themselves enforce policy, but they supply the policy-grounded corpora, benchmarks, and stress tests from which many PolicyGuard-like systems can be trained or audited.
The limitations are correspondingly diverse. Learned policy systems assume attack-free staging and representative benign traces; AgentGuardian explicitly warns that contaminated staging can encode unsafe behaviors, that too few samples yield over-permissive regexes, and that limited CFG coverage can increase false rejections (Abaev et al., 15 Jan 2026). Dependency-graph compilers require complete mediation and accurate policy specifications; PCAS notes that uninstrumented channels, covert channels, and the effort of translating natural language policy into Datalog remain open issues (Palumbo et al., 18 Feb 2026). Runtime authority control depends on robust risk recognition and pre-action hooks; AIRGuard reports residual failures dominated by missed risk recognition at the decisive action and cannot protect tools executed outside mediation (Qin et al., 27 May 2026). Dialogue-grounded verification adds one LLM call per mutating attempt and relies on LLM-generated checklists, honest-user workflows, and reliable tool results; it also shows domain-structure limits outside airline (Kang et al., 28 Jun 2026). The RL detector requires a clean environment for reference collection and is sensitive to distribution shift and large random perturbations (Huang, 11 Jun 2026). The NDA system is evaluated on one company’s playbook and cannot release raw data because of confidentiality (Malik et al., 30 Jun 2026). The privacy guard inherits synthetic-data biases and shows a finance-specific residual where borderline FPR at 2 remains 3 (Zafar et al., 16 May 2026). PolicyGuardBench, finally, depends on automated annotation and benchmark serialization choices that may induce artifacts even though cross-domain generalization remains strong (Wen et al., 3 Oct 2025).
Taken together, these works define PolicyGuard not as a single model family but as a research program: translating policy from prose into executable structure, attaching that structure to the right state representation, and enforcing it at the moment where model reasoning would otherwise become an external commitment. The field’s internal variation—symbolic versus learned, runtime mediation versus post-hoc classification, dialogue grounding versus provenance graphs, binary blocking versus abstention or remediation—indicates that policy-grounded control is now being treated as a systems problem rather than merely a prompting problem.