Language-Based Agent Control

TL;DR

This paper presents LBAC, a programming model that uses type systems to enforce security policies in agent-based applications, ensuring safety and expressiveness.

Contribution

It introduces a novel language-based control framework for agents that guarantees policy compliance through static typing and program generation.

Findings

LBAC enforces policies via type-checking before execution.

Agents can perform side-effect-free computation and recursive subagent invocation.

Case studies demonstrate LBAC's effectiveness in sandboxing, provenance, and information flow.

Abstract

This paper introduces language-based agent control (LBAC), a new programming model for agentic applications that brings techniques from programming languages and language-based security to the problem of agent control. In conventional programming, combinations of static typing and runtime enforcement have long been used to guarantee that well-typed programs satisfy user-specified policies, including policies for access control, information flow, data provenance, and more. The key idea behind LBAC is to extend these guarantees to agentic applications by requiring agents to generate programs that are themselves well typed in the context of the surrounding scaffolding code. Unsafe programs are rejected by the type-checker before execution, allowing policies to apply uniformly across the entire application, including both agent-generated behavior and developer-written scaffolding. At the same time, LBAC preserves substantial expressiveness: agents may perform arbitrary side-effect-free computation and recursively invoke subagents, which retain full tool access subject to the same -- or potentially more restrictive -- policies. We demonstrate LBAC with three case studies: I/O sandboxing via filesystem capabilities, data provenance, and information-flow control.