Current enterprise policy engines like XACML, Rego, and Cedar only answer two questions: is this action permitted or prohibited? That’s fine for static access control, but useless for a self-driving AI agent that can install software, coordinate with peer agents, and needs to know when it must notify the CISO after taking an action.
AgenticRei, described in a new arXiv paper, tackles the full deontic stack: obligations (you must do X after Y), dispensations (waive that obligation under Z), and conflict resolution (when rule A says permit and rule B says prohibit, which wins?). It builds on the Rei framework, expresses policies in OWL (Web Ontology Language), and evaluates them at runtime using a high-performance logic engine that lives entirely outside the LLM.
No More Half-Baked Governance
LLM-driven agents that invoke tools, manipulate data, and exchange messages with peer agents across organizational boundaries create a new class of security and compliance risks. Password authentication and role-based access control are necessary but not sufficient. You need to specify complex lifecycle rules: after an agent deletes a database record, it is obliged to log the event and notify the security team. If an emergency override comes in, that obligation may be dispensed. If two policies conflict, which one takes precedence?
None of the current production policy engines handle this. AgenticRei demonstrates that deontic logic can be compiled into OWL and evaluated fast enough to govern both tool invocations and agent-to-agent messages in real time. The same pipeline enforces policies regardless of whether the message goes to a tool or another agent.
Concrete Examples, Real Constraints
The paper walks through examples from healthcare and cybersecurity that cannot be expressed in XACML, Rego, or Cedar. For instance, a policy that says “if a patient record is accessed by an agent outside the clinical team, the agent is obliged to attach a data-use justification within 5 minutes” requires obligation lifecycle tracking, not just a static permit/deny. AgenticRei captures that with a few OWL axioms and a logic engine that triggers the obligation and monitors its fulfillment.
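The obligation lifecycle in that policy, sketched as an added example; it is not code from the paper or from AgenticRei, and plain Python stands in for the OWL axioms and logic engine. The class names, agent and record names, state names, and the choice to let an emergency dispensation waive this particular obligation are assumptions made for illustration.

```python
from dataclasses import dataclass, field
DEADLINE_S = 5 * 60  # "within 5 minutes", from the policy text above

@dataclass
class Obligation:
    agent: str
    record: str
    due: float             # absolute time by which the justification is owed
    state: str = "ACTIVE"  # ACTIVE -> FULFILLED | DISPENSED | VIOLATED

@dataclass
class ObligationMonitor:   # hypothetical stand-in for the external policy engine
    clinical_team: set
    pending: list = field(default_factory=list)

    def on_access(self, agent, record, now):
        """Permit the read; an agent outside the clinical team incurs an obligation."""
        if agent not in self.clinical_team:
            self.pending.append(Obligation(agent, record, now + DEADLINE_S))
        return "PERMIT"

    def _settle(self, agent, record, now, new_state):
        self.expire(now)  # a late event must not rescue an overdue obligation
        for ob in self.pending:
            if (ob.agent, ob.record, ob.state) == (agent, record, "ACTIVE"):
                ob.state = new_state
                return True
        return False

    def on_justification(self, agent, record, now):
        return self._settle(agent, record, now, "FULFILLED")
    def on_dispensation(self, agent, record, now):
        return self._settle(agent, record, now, "DISPENSED")
    def expire(self, now):
        """Mark overdue obligations VIOLATED and return them for alerting."""
        late = [ob for ob in self.pending if ob.state == "ACTIVE" and now > ob.due]
        for ob in late:
            ob.state = "VIOLATED"
        return late

def demo():  # constructed events; times are seconds since the first access
    m = ObligationMonitor(clinical_team={"triage-bot"})
    for agent, rec in [("triage-bot", "rec-1"), ("billing-bot", "rec-1"),
                       ("research-bot", "rec-2"), ("ops-bot", "rec-3")]:
        m.on_access(agent, rec, now=0)
    m.on_dispensation("ops-bot", "rec-3", now=60)         # emergency override
    m.on_justification("billing-bot", "rec-1", now=120)   # inside the window
    m.on_justification("research-bot", "rec-2", now=301)  # one second late
    return {ob.agent: ob.state for ob in m.pending}
```

The access itself is permitted in every case; what a static permit/deny engine cannot represent is the state that outlives the decision and later turns into a violation.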
Another example: a conflict between a “permit all research agents to read de-identified data” rule and a “prohibit agents in non-HIPAA environments from reading any patient data” rule. AgenticRei’s meta-policy engine resolves the conflict by prioritizing the more specific rule based on ontology class hierarchies.
Outside the LLM, Composable with Standards
By keeping policy evaluation outside the LLM call, AgenticRei avoids the hallucination and jailbreak surface. The logic engine runs behind a separate trust boundary and enforces constraints that the LLM cannot override. The framework composes naturally with Google’s Agent-to-Agent (A2AS) protocol, meaning enterprise deployments can plug it into existing multi-agent setups without rewriting the communication layer.
Expect this kind of deontic governance to become table stakes for any production deployment of autonomous AI agents that touch sensitive data or cross organizational lines.
Source: Deontic Policies for Runtime Governance of Agentic AI Systems
Domain: arxiv.org