Read-Only Pre-Execution Gates
- Read-Only Pre-Execution Gates are control layers that intercept and assess tool calls before execution to prevent unintended side effects.
- The system employs deep string extraction, regex-based risk scanning, and JSON Schema validation, achieving 100% blockage on 48 attack cases with a median latency of 8.3 ms.
- It integrates tamper-evident audit trails using SHA-256 and Ed25519 signatures, ensuring a verifiable chain-of-custody for every decision made.
AEGIS is a pre-execution firewall and audit layer for AI agents that mediate tool calls before external side effects occur. The system is designed for agent stacks in which model-generated actions may query databases, execute shell commands, read or write files, or send network requests, and it addresses the architectural gap between tool generation and tool execution by inserting a framework-agnostic control point on the execution path (Yuan et al., 13 Mar 2026). In the reported implementation, AEGIS supports 14 agent frameworks across Python, JavaScript, and Go with lightweight integration, combines deterministic risk scanning with JSON Schema policy enforcement, and records each decision in a tamper-evident audit trail based on Ed25519 signatures and SHA-256 hash chaining (Yuan et al., 13 Mar 2026).
1. Architectural role and security model
AEGIS is positioned as a pre-execution mediation layer rather than a post-execution observability system. Its central claim is architectural: observability can record actions after they occur, but it cannot stop them before side effects occur. AEGIS therefore interposes on the tool-execution path, intercepts the tool invocation emitted by an agent framework, pauses execution, and returns one of three outcomes—ALLOW, BLOCK, or PENDING—before the call reaches the database, shell, file API, or other execution target (Yuan et al., 13 Mar 2026).
The detailed presentation describes the mechanism as a three-stage pre-execution gate. When an agent framework emits a tool_use block such as execute_sql({"query":"…"}), the AEGIS SDK intercepts it and suspends the call. The gateway then performs deep string extraction, content-first risk scanning, and composable policy validation in sequence. If the outcome is PENDING, the SDK pauses the agent and defers control to a human approval workflow; otherwise, the SDK either resumes the call or rejects it (Yuan et al., 13 Mar 2026).
This design places AEGIS within a broader family of pre-execution control systems for agentic AI, but with a distinct emphasis on tool-call interception and auditability. Related systems in the same literature include deterministic lexical and vector-based blockers such as ILION (Chitan, 22 Feb 2026), Hoare-style contract gating over symbolic state in ToolGate (Liu et al., 8 Jan 2026), non-compensatory admissibility predicates in Right-to-Act (Lavi, 27 Apr 2026), robot-command gating in SafeGate (Obi et al., 7 Apr 2026), query-structure validation in CYGNET (Tomczak, 3 Jun 2026), and state-aware deterministic gates for policy-permissive tool environments (Reddy et al., 8 Jul 2026).
2. Three-stage interception pipeline
AEGIS processes each intercepted tool call through a fixed pipeline. The stages are ordered, and each stage contributes signals or constraints used in the final decision (Yuan et al., 13 Mar 2026).
| Stage | Mechanism | Reported purpose |
|---|---|---|
| 1 | Deep string extraction | Surface hidden payloads in nested arguments |
| 2 | Content-first risk scanning | Assign risk signals and severities |
| 3 | Composable policy validation | Enforce JSON Schema policies |
Stage 1 walks the entire argument structure, including objects, arrays, and nested values, to a maximum depth of 32 while collecting every string value. The extraction is capped at 10 000 strings. If the cap is reached, the call is conservatively marked as suspicious, and any truncation or depth exhaustion triggers a “fail-closed” flag so that deeply nested evasion attempts cannot silently slip through. The stated motivation is to surface payloads such as a DROP TABLE hidden inside a JSON blob rather than only scanning top-level fields (Yuan et al., 13 Mar 2026).
Stage 2 applies content-first risk scanning to the flattened string set. The current implementation uses 22 regular-expression patterns spanning seven categories: SQL injection, path traversal, shell injection, prompt injection, sensitive-file access, data exfiltration, and PII leakage. The precedence rule is strict. First, any argument-string match takes highest precedence. Second, if there is no argument-string match, the system looks for keyword matches in the tool name itself, such as delete in execute_shell. Third, a small set of server-side overrides can add or remove labels. Each match yields a risk signal with severity LOW, MEDIUM, HIGH, or CRITICAL. No machine learning model is used today; the stage is purely pattern-based for determinism and auditability, although the architecture allows future plug-ins such as anomaly-detection models (Yuan et al., 13 Mar 2026).
Stage 3 validates the original arguments against one or more JSON Schema policies. Policies are written in standard JSON Schema, compiled once via AJV, and cached in memory. The paper’s example is an SQL read-only enforcement policy that rejects queries matching INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE in the query field. If any policy’s not clause is violated, the system immediately blocks. Otherwise, AEGIS maps the aggregate risk level to ALLOW, BLOCK, or PENDING (Yuan et al., 13 Mar 2026).
A defining property of this pipeline is composability. The system does not rely on a single monolithic policy or a single risk score; instead, extracted content, regex-based risk signals, and JSON Schema validation are layered as separate control surfaces. This suggests a design intended to preserve both local interpretability and operational extensibility.
3. Read-only enforcement, side effects, and human escalation
AEGIS explicitly distinguishes harmless queries from side-effecting commands through policy rather than by trusting tool names alone. In the paper’s model, a “read-only gate” is a policy that forbids WRITE verbs such as INSERT, UPDATE, and DELETE inside a SELECT-style tool. Stage 2 flags destructive keywords, and Stage 3 then applies the JSON Schema rule to convert the call into BLOCK or, for very high risk cases such as shell rm –rf /, into PENDING (Yuan et al., 13 Mar 2026).
The PENDING state defines the human-approval boundary. When the gateway returns PENDING, the SDK pauses the agent and polls the Compliance Cockpit every two seconds for up to five minutes until a human reviewer returns ALLOW or BLOCK. Only after explicit sign-off does the agent resume or fail. This escalation protocol makes human review part of the pre-execution path rather than a post-incident or post-hoc audit mechanism (Yuan et al., 13 Mar 2026).
The operational consequence is that AEGIS treats admissibility as a property of the proposed action before execution. In that respect it aligns conceptually with the non-compensatory logic described in Right-to-Act, where execution is halted if any required condition is unmet (Lavi, 27 Apr 2026), and with ToolGate’s rule that a tool is not invoked unless its precondition over symbolic state holds (Liu et al., 8 Jan 2026). A plausible implication is that AEGIS belongs to the strand of agent-safety systems that shift control from model intention or self-report to externally checkable action-boundary constraints.
4. Tamper-evident audit trail and chain of custody
AEGIS couples enforcement with a cryptographic audit layer. Every incoming tool call and every gateway decision is recorded in a chain of records in which each new entry commits to the previous one. The system computes a SHA-256 hash chain,
with or a predefined genesis constant, and then signs the new hash using the agent’s private Ed25519 key,
Because each and depends on the full prior history, any post-hoc modification of record invalidates all subsequent hashes and signatures, making tampering trivially detectable (Yuan et al., 13 Mar 2026).
The audit function is not ancillary. In the textual architecture diagram, the request and decision stream is fed simultaneously into an Audit Layer while the gateway is deciding whether to permit execution. The stored record is intended for later forensic export, and the design goal is a cryptographically verifiable chain of custody for every action (Yuan et al., 13 Mar 2026).
This linkage between enforcement and inspectability parallels other governance-oriented runtime proposals. Verify-gated completion in a governed multi-agent runtime, for example, uses packetized admission records and a fail-closed verifier to make completion decisions inspectable (Nguyen et al., 18 May 2026). The AEGIS design differs in object of verification—tool invocations rather than completion claims—but the shared pattern is a read-only control decision paired with durable audit artifacts.
5. Empirical evaluation
The paper reports three quantitative results. First, on a curated set of 48 real-world attack instances spanning SQL injections, path traversals, shell exploits, prompt injections, PII leaks, and exfiltration, AEGIS blocked 100% of them before any execution. Second, on 500 benign tool calls drawn from typical SELECTs, file reads, web searches, and API requests, only six were mis-flagged, corresponding to a 1.2% false positive rate; all six false positives were caused by OR-in-WHERE clauses triggering the SQL-injection pattern. Third, over 1 000 consecutive interceptions, end-to-end interception adds a median 8.3 ms latency, with ms and ms (Yuan et al., 13 Mar 2026).
The reported latency is contextualized against typical LLM inference times of 1 000–30 000 ms. The paper therefore characterizes the interception overhead as negligible relative to inference latency and argues that pre-execution mediation can be practical, low-overhead, and directly deployable (Yuan et al., 13 Mar 2026).
These results should be interpreted within the paper’s stated evaluation frame. The attack suite is curated, the benign set contains 500 tool calls, and the conclusions are tied to the current pattern library and policy configuration rather than to a claim of universal attack coverage. This suggests that AEGIS demonstrates bounded effectiveness for the tested categories rather than a proof of complete execution safety.
6. Position within the pre-execution gating literature
AEGIS is one instance of a broader research movement that places deterministic or formally constrained gates between generative models and action execution. The differences among these systems are substantive.
ILION is a deterministic execution gate that classifies proposed actions as BLOCK or ALLOW through a five-component cascade—Transient Identity Imprint, Semantic Vector Reference Frame, Identity Drift Control, Identity Resonance Score, and Consensus Veto Layer—without statistical training or API dependencies, reporting mean latency of 143 microseconds and on ILION-Bench v2 (Chitan, 22 Feb 2026). ToolGate instead maintains a typed key-value symbolic state and formalizes each tool as a Hoare-style contract , where the read-only precondition gates invocation and the postcondition governs state commitment (Liu et al., 8 Jan 2026). SafeGate operates on natural-language robot commands, extracts safety-relevant properties using a neurosymbolic pipeline, applies deterministic allow/defer/reject rules aligned with ISO 13482, and compiles Task Safety Contracts enforced with Z3 (Obi et al., 7 Apr 2026). CYGNET focuses on Cypher generation for Neo4j, using a four-backend structural validator chain and a planner-based cost gate before production execution, with a reported 5.576 ms median latency for the full pipeline (Tomczak, 3 Jun 2026).
A distinct but related line of work studies when deterministic gates improve end-to-end task reliability. In a policy-permissive airline domain, a four-gate deterministic suite was shown to block a class of silent policy-violating writes and raise full-benchmark success from 29.6% to 42.0% on gpt-4o-mini, with gains concentrated on tasks where the gates fired (Reddy et al., 8 Jul 2026). ScopeJudge addresses a different problem—request-conditioned scope enforcement for offensive security agents—by using a trusted LLM judge that reads the user’s intent and the proposed tool call before execution, concluding that static policy alone is structurally insufficient for scope enforcement (Caldwell et al., 8 Jul 2026).
Against this backdrop, AEGIS can be read as a hybrid between policy firewalling and execution mediation. It is not a formal symbolic verifier in the ToolGate sense, not a learned or judge-based classifier in the ScopeJudge sense, and not a domain-specific structural validator like CYGNET. Its defining combination is deep argument extraction, pattern-based risk scanning, JSON Schema validation, human escalation, and cryptographically chained audit logging (Yuan et al., 13 Mar 2026).
7. Limitations, misconceptions, and significance
A common misconception is that observability after tool execution is enough for agent safety. The AEGIS paper directly rejects this premise by distinguishing recording from prevention: post-execution observability cannot stop side effects before they occur, whereas pre-execution mediation can block or defer the action at the boundary (Yuan et al., 13 Mar 2026).
Another misconception is that tool safety can be reduced to simple name-based allowlists or to ordinary text moderation. The AEGIS design scans deeply nested argument content, applies precedence rules that privilege argument-string matches over tool names, and validates the original structured arguments against JSON Schema policies. This emphasis on content-first inspection is consistent with the observation, also made in ILION, that existing text-safety infrastructure is architecturally unsuitable for evaluating whether a proposed action falls within an agent’s authorized operational scope (Chitan, 22 Feb 2026).
The principal limitations are also explicit. The risk scanner is currently regex-based, not model-based; the evaluation uses a curated suite of 48 attacks; and false positives can arise from pattern ambiguity, as shown by benign OR-in-WHERE clauses (Yuan et al., 13 Mar 2026). The architecture allows future plug-ins, but the present claims are bounded to determinism, auditability, lightweight integration, and the reported evaluation.
The broader significance of AEGIS lies in the control abstraction it exemplifies. The system treats tool calls as admissibility decisions to be mediated before execution, combines machine-readable policy with fail-closed behavior, and preserves a tamper-evident record of each decision. Within the emerging literature on agent runtime governance, this suggests a model in which the action boundary—not only the model output—is the primary locus of safety enforcement (Yuan et al., 13 Mar 2026).