![[2602.16708] Policy Compiler for Secure Agentic Systems](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.16708] Policy Compiler for Secure Agentic Systems
Summary
The article presents PCAS, a Policy Compiler designed to enforce complex authorization policies in LLM-based agents, improving compliance and security in various applications.
Why It Matters
As LLM-based agents are increasingly used in sensitive environments, ensuring robust policy enforcement is critical. PCAS addresses the limitations of current methods by providing a deterministic approach to policy compliance, thus enhancing security and operational integrity across various domains.
Key Takeaways
- PCAS enables deterministic enforcement of complex authorization policies in agentic systems.
- The system uses a dependency graph to track information flow, enhancing security against prompt injection attacks.
- PCAS significantly improves policy compliance rates, achieving up to 93% compliance in customer service applications.
Computer Science > Cryptography and Security arXiv:2602.16708 (cs) [Submitted on 18 Feb 2026] Title:Policy Compiler for Secure Agentic Systems Authors:Nils Palumbo, Sarthak Choudhary, Jihye Choi, Prasad Chalasani, Mihai Christodorescu, Somesh Jha View a PDF of the paper titled Policy Compiler for Secure Agentic Systems, by Nils Palumbo and 5 other authors View PDF HTML (experimental) Abstract:LLM-based agents are increasingly being deployed in contexts requiring complex authorization policies: customer service protocols, approval workflows, data access restrictions, and regulatory compliance. Embedding these policies in prompts provides no enforcement guarantees. We present PCAS, a Policy Compiler for Agentic Systems that provides deterministic policy enforcement. Enforcing such policies requires tracking information flow across agents, which linear message histories cannot capture. Instead, PCAS models the agentic system state as a dependency graph capturing causal relationships among events such as tool calls, tool results, and messages. Policies are expressed in a Datalog-derived language, as declarative rules that account for transitive information flow and cross-agent provenance. A reference monitor intercepts all actions and blocks violations before execution, providing deterministic enforcement independent of model reasoning. PCAS takes an existing agent implementation and a policy specification, and compiles them into an instrumented system that is policy-compliant...
