Trustworthy Agentic AI Requires Deterministic Architectural Boundaries
Manish Bhattarai, Minh Vu

TL;DR
This paper argues that trustworthy agentic AI for scientific workflows requires architectural enforcement mechanisms, such as the Trinity Defense Architecture, to ensure security and deterministic command-data separation, beyond what training alone can achieve.
Contribution
The paper introduces the Trinity Defense Architecture, a novel architectural framework that enforces security through action governance, information-flow control, and privilege separation for trustworthy agentic AI.
Findings
Deterministic architectural enforcement is essential for trustworthy AI in high-stakes science.
Training-based defenses cannot guarantee security without architectural mediation.
The Trinity Defense Architecture effectively mitigates security vulnerabilities in agentic AI systems.
Abstract
Current agentic AI architectures are fundamentally incompatible with the security and epistemological requirements of high-stakes scientific workflows. The problem is not inadequate alignment or insufficient guardrails; it is architectural: autoregressive language models process all tokens uniformly, making deterministic command-data separation unattainable through training alone. We argue that deterministic, architectural enforcement, not probabilistic learned behavior, is a necessary condition for trustworthy AI-assisted science. We introduce the Trinity Defense Architecture, which enforces security through three mechanisms: action governance via a finite action calculus with reference-monitor enforcement, information-flow control via mandatory access labels preventing cross-scope leakage, and privilege separation isolating perception from execution. We show that without unforgeable…
Taxonomy
Topics: Scientific Computing and Data Management · Adversarial Robustness in Machine Learning · Security and Verification in Computing
