Language-Based Agent Control
For developers of agentic applications, LBAC provides a principled way to enforce security policies uniformly across both agent-generated and developer-written code.
This paper introduces language-based agent control (LBAC), a programming model that uses static typing and runtime enforcement to guarantee user-specified policies in agentic applications, rejecting unsafe agent-generated programs before execution. Case studies demonstrate I/O sandboxing, data provenance, and information-flow control.
This paper introduces language-based agent control (LBAC), a new programming model for agentic applications that brings techniques from programming languages and language-based security to the problem of agent control. In conventional programming, combinations of static typing and runtime enforcement have long been used to guarantee that well-typed programs satisfy user-specified policies, including policies for access control, information flow, data provenance, and more. The key idea behind LBAC is to extend these guarantees to agentic applications by requiring agents to generate programs that are themselves well typed in the context of the surrounding scaffolding code. Unsafe programs are rejected by the type-checker before execution, allowing policies to apply uniformly across the entire application, including both agent-generated behavior and developer-written scaffolding. At the same time, LBAC preserves substantial expressiveness: agents may perform arbitrary side-effect-free computation and recursively invoke subagents, which retain full tool access subject to the same -- or potentially more restrictive -- policies. We demonstrate LBAC with three case studies: I/O sandboxing via filesystem capabilities, data provenance, and information-flow control.