Position: A Three-Layer Probabilistic Assume-Guarantee Architecture Is Structurally Required for Safe LLM Agent Deployment

TL;DR

The paper argues for a three-layer probabilistic architecture for safe LLM agent deployment, emphasizing the need for independent safety guarantees across different execution stages.

Contribution

It proposes a contract-based, three-layer architecture with probabilistic guarantees, addressing limitations of single-layer safety approaches for LLM agents.

Findings

A three-layer architecture can provide compositional safety guarantees.

Probabilistic safety bounds can be derived using the chain rule of probability.

Identifies key open problems for deploying this architecture in practice.

Abstract

This position paper argues that enforcing LLM agent safety within a single abstraction layer is not merely suboptimal but categorically insufficient for deployed LLM agents -- a structural consequence of how agent execution works, not a contingent limitation of current systems. The three dimensions that jointly constitute safe operation -- semantic intent and policy compliance, environmental validity, and dynamical feasibility -- each depend on a strictly distinct set of information that becomes available at different stages of execution. No single guardrail can certify all three. We argue that the community must respond with a contract-based architecture in which each safety dimension is enforced by an independently certified layer whose probabilistic guarantee satisfies the next layer's assumption. We sketch such an architecture and derive the compositional system-level safety bounds it admits via the chain rule of probability. Three open problems stand between this and a deployable standard: bound estimation from non-i.i.d.\ traces, graceful degradation of contracts under deployment drift, and extension to multi-agent settings -- the most important unfinished business in LLM agent runtime assurance.