Agent Control Protocol: Admission Control for Agent Actions
5 Pith papers cite this work. Polarity classification is still indexing.
abstract
Autonomous agents can produce harmful behavioral patterns from individually valid requests -- a threat class per-request policy evaluation cannot address, because stateless engines evaluate each request in isolation. We present ACP, a temporal admission control protocol enforcing behavioral properties over execution traces via static risk scoring combined with stateful signals (anomaly accumulation, cooldown) through a LedgerQuerier abstraction. ACP blocks execution based on deterministic, history-aware risk scoring -- not anomaly detection. Under a 500-request workload where every request is individually valid (RS=35), a stateless engine approves all 500; ACP limits autonomous execution to 2 out of 500 (0.4%), escalating after 3 actions and denying after 11. We identify a state-mixing vulnerability in ACP-RISK-2.0 (cross-context false denials) and introduce ACP-RISK-3.0, scoping anomaly signals to PatternKey(agentID, capability, resource). Decision evaluation: 739-832 ns (p50); throughput 1,720,000 req/s. Safety and liveness model-checked via TLA+ (11 invariants + 4 temporal properties, 0 violations) across 4,294,930,695 distinct states. We formalize deviation collapse -- enforcement active but never exercised due to upstream constraints -- and introduce Boundary Activation Rate (BAR) as its detection mechanism. An adversary suppressing BAR to 0.00 is detected via DeltaBAR before collapse (BAR_C=1.00). N coordinated agents accumulate risk independently; coordination window CW_appr=2N with zero deviation: activity scales linearly, preventing superlinear amplification. ACP is Paper 1 of a 6-paper Agent Governance Series: P0 -- atomic decision boundaries; P2 -- behavioral drift detection (IML); P3/4 -- governance structure, fair allocation, and irreducibility; P5 -- runtime execution validity (RAM, arXiv:2604.22898); P6 -- operationalization of RAM.
citation-role summary
citation-polarity summary
years: 2026 (5)
roles: other (1)
polarities: unclear (1)
representative citing papers
Atomic decision boundaries are required to guarantee execution-time admissibility because split evaluation systems allow environmental interleaving that no policy can prevent.
RAM separates integrity from coverage and uses a reconstruction gate over proven state, assumptions, and unobservable residuals to block invalid executions, achieving zero invalid rates in synthetic tests where attestation fails.
The paper systematizes security for LLM agents in agentic commerce into five threat dimensions, identifies 12 cross-layer attack vectors, and proposes a layered defense architecture.
LLM agent progress depends on externalizing cognitive functions into memory, skills, protocols, and harness engineering that coordinates them reliably.
citing papers explorer
- From Admission to Invariants: Measuring Deviation in Delegated Agent Systems
  The Non-Identifiability Theorem shows admissible behavior space A0 is not identifiable from local enforcement signals g under the Local Observability Assumption, so the paper introduces an Invariant Measurement Layer to detect admission-time drift.
- Atomic Decision Boundaries: A Structural Requirement for Guaranteeing Execution-Time Admissibility in Autonomous Systems
  Atomic decision boundaries are required to guarantee execution-time admissibility because split evaluation systems allow environmental interleaving that no policy can prevent.
- Reconstructive Authority Model: Runtime Execution Validity Under Partial Observability
  RAM separates integrity from coverage and uses a reconstruction gate over proven state, assumptions, and unobservable residuals to block invalid executions, achieving zero invalid rates in synthetic tests where attestation fails.
- SoK: Security of Autonomous LLM Agents in Agentic Commerce
  The paper systematizes security for LLM agents in agentic commerce into five threat dimensions, identifies 12 cross-layer attack vectors, and proposes a layered defense architecture.
- Externalization in LLM Agents: A Unified Review of Memory, Skills, Protocols and Harness Engineering
  LLM agent progress depends on externalizing cognitive functions into memory, skills, protocols, and harness engineering that coordinates them reliably.