Research

Policy Compiler for Secure Agentic Systems

arXiv•February 18, 2026 ()•Nils Palumbo, Sarthak Choudhary, Jihye Choi, Prasad Chalasani, Mihai Christodorescu, Somesh Jha

Professional Abstract

"The increasing deployment of large language model (LLM)-based agents in complex operational contexts necessitates robust mechanisms for enforcing intricate authorization policies. Traditional methods of embedding these policies within prompts lack the necessary enforcement guarantees, leading to potential compliance failures. To address this critical gap, the authors introduce PCAS (Policy Compiler for Agentic Systems), a novel framework designed to ensure deterministic policy enforcement across agentic systems. The core innovation of PCAS lies in its ability to model the state of an agentic system through a dependency graph, which captures the causal relationships among various events, including tool calls, tool results, and inter-agent messages. This approach transcends the limitations of linear message histories, enabling a more comprehensive tracking of information flow and policy adherence. Policies within PCAS are articulated using a Datalog-derived language, allowing for the expression of declarative rules that effectively account for transitive information flow and the provenance of data across agents. A key component of PCAS is its reference monitor, which intercepts all actions taken by the agents, ensuring that any potential policy violations are blocked prior to execution. This mechanism guarantees deterministic enforcement, independent of the reasoning capabilities of the underlying model. The implementation of PCAS is designed to be seamless, allowing existing agent systems to be compiled with policy specifications into a compliant architecture without necessitating significant security-specific restructuring. The efficacy of PCAS is demonstrated through three case studies: the enforcement of information flow policies to defend against prompt injection attacks, the management of approval workflows within a multi-agent pharmacovigilance system, and the application of organizational policies in customer service scenarios. Notably, in the customer service context, the integration of PCAS led to a significant improvement in policy compliance, rising from 48% to an impressive 93%, with no recorded policy violations during instrumented runs. This research not only highlights the pressing need for robust policy enforcement mechanisms in LLM-based systems but also showcases PCAS as a pioneering solution that enhances compliance and security in agentic operations."

Technical Insights

1PCAS (Policy Compiler for Agentic Systems) provides deterministic policy enforcement for LLM-based agents.

2Traditional prompt-based policy embedding lacks enforcement guarantees, leading to compliance risks.

3PCAS models agentic system states as dependency graphs to capture causal relationships among events.

4Policies are expressed in a Datalog-derived language, allowing for declarative rules that consider transitive information flow.

5A reference monitor in PCAS intercepts actions to block policy violations before execution.

6PCAS compiles existing agent implementations with policy specifications into compliant systems without major restructuring.

7The framework was evaluated through three case studies, demonstrating its versatility across different contexts.

8In customer service applications, PCAS improved policy compliance from 48% to 93% with zero policy violations.

9The research underscores the importance of robust policy enforcement in the deployment of LLM-based agents.