Bounded Autonomy for Enterprise AI: Typed Action Contracts and Consumer-Side Execution

TL;DR

This paper introduces a bounded-autonomy architecture for enterprise AI that constrains language model actions with typed contracts and validation, enhancing safety and reliability in enterprise applications.

Contribution

It proposes a novel execution architecture combining typed action contracts, permission controls, and consumer-side validation to safely deploy language models in enterprise settings.

Findings

Bounded-autonomy system completed 23/25 tasks with zero unsafe executions.

Unconstrained AI completed only 17/25 tasks and hallucinated successes.

Safety properties were enforced by code, intercepting violations regardless of model output.

Abstract

Large language models are increasingly used as natural-language interfaces to enterprise software, but their direct use as system operators remains unsafe. Model errors can propagate into unauthorized actions, malformed requests, cross-workspace execution, and other costly failures. We argue this is primarily an execution architecture problem. We present a bounded-autonomy architecture in which language models may interpret intent and propose actions, but all executable behavior is constrained by typed action contracts, permission-aware capability exposure, scoped context, validation before side effects, consumer-side execution boundaries, and optional human approval. The enterprise application remains the source of truth for business logic and authorization, while the orchestration engine operates over an explicit published actions manifest. We evaluate the architecture in a deployed multi-tenant enterprise application across three conditions: manual operation, unconstrained AI with safety layers disabled, and full bounded autonomy. Across 25 scenario trials spanning seven failure families, the bounded-autonomy system completed 23 of 25 tasks with zero unsafe executions, while the unconstrained configuration completed only 17 of 25. Two wrong-entity mutations escaped all consumer-contributed layers; only disambiguation and confirmation mechanisms intercept this class. Both AI conditions delivered 13-18x speedup over manual operation. Critically, removing safety layers made the system less useful: structured validation feedback guided the model to correct outcomes in fewer turns, while the unconstrained system hallucinated success. Several safety properties are structurally enforced by code and intercepted all targeted violations regardless of model output. The result is a practical, deployed architecture for making imperfect language models operationally useful in enterprise systems.