← Home

Deontic Policies for Runtime Governance of Agentic AI

By James Trappett · 21 June 2026

4 min read

As LLM-driven agents move from demos into production, the governance problem they create has sharpened considerably. An agent that can call APIs, install software, exfiltrate data, and delegate tasks to peer agents across organisational boundaries is not well-served by the same policy machinery that governs a REST endpoint. This paper, available on arXiv, makes a precise and well-motivated case that current production policy engines, specifically OPA, Cedar, and XACML, are structurally insufficient for agentic governance, and proposes AgenticRei as a richer alternative grounded in deontic logic and OWL semantics.

The core argument is not that existing engines are poorly implemented; it is that their expressive power is categorically limited. They answer one question: is this action permitted or denied? Agentic governance requires at least three more: what obligations does permitting this action create? Under what conditions can those obligations be waived? And when two policies conflict, which takes precedence and by whose authority? These are not edge cases. They map directly onto regulatory requirements in healthcare, finance, and cybersecurity, where a permitted data access routinely triggers mandatory audit notifications, breach disclosures, or retention controls.

Key Contributions

The paper identifies four governance properties that flat-list engines cannot provide and that AgenticRei addresses:

The implementation, AgenticRei, builds on the Rei deontic policy framework, encodes policies in OWL/RDF, and evaluates them at runtime using RDFox, a high-performance description-logic reasoner. Crucially, the LLM has no role in policy evaluation. The architecture intercepts every outbound action at the middleware boundary, extracts a subject-action-resource triple, queries the policy engine, and either allows execution (appending any obligations to the result) or returns a structured violation message. Every internal failure defaults to deny.

Architecture and Performance

The three-step extract-evaluate-apply pipeline is clean and the design choices are defensible. Credential verification happens before the policy engine sees the request, discarding untrusted credentials early. Audit records log attribute names rather than values, which is a reasonable privacy trade-off, though the authors acknowledge this limits full decision reproducibility. The KB hash approach, recording which policy version was active at decision time, is a practical forensic mechanism that production teams will appreciate.

The performance numbers are preliminary but encouraging. End-to-end latency per decision is under 10 ms on a single RHEL 9 host with RDFox 7.5, with the RDFox query itself completing in under a millisecond. The remaining overhead is HTTP round-trip to the engine over localhost. Because governance rules are stable (they do not change per agent session), the description-logic reasoner can materialise conclusions at load time and reduce per-action queries to triple-pattern lookups. This is a genuine architectural advantage over approaches that must re-evaluate full rule sets per request.

The paper also makes a useful point about scope. AgenticRei governs what a deployed agent may do, not whether the agent's reasoning has been compromised by prompt injection. The analogy to mandatory access control in an operating system is apt: kernel policy does not prevent a user from being socially engineered, but it constrains what a malicious program can do once it runs. The two layers are complementary, and the paper is careful not to oversell what deterministic boundary enforcement can achieve.

Limitations and Open Questions

Several limitations deserve attention. Credential verification is currently simulated through trusted-issuer matching rather than cryptographic signature checking. Integration with A2A protocol and the Microsoft Agent Framework is described as ongoing work. These are not minor gaps; in a threat model that includes compromised agents, the integrity of credential presentation at the policy boundary is load-bearing.

Obligation discharge sits in an acknowledged grey area. Issuance is deterministic, but whether the agent actually fulfils an obligation is a behavioural property monitored via deadline tracking and audit. The paper notes this honestly, but it does mean that the governance guarantees for obligations are weaker than for permissions and prohibitions. Automated obligation enforcement is listed as future work.

The policy authoring problem is not addressed. Rei policies encoded in OWL/RDF are expressive but not easily written by the compliance officers and security architects who would own them in practice. The paper's examples are illustrative, but the tooling question, how non-experts specify, test, and maintain deontic policies over evolving domain ontologies, is left open. This is a real barrier to adoption and the field has not solved it for any sufficiently expressive policy language.

The comparison with related work is thorough. The paper correctly distinguishes AgenticRei from trajectory-based approaches like ShieldAgent (which verifies global action sequences rather than individual actions) and from Progent and AgentSpec (which share the per-action deterministic enforcement premise but lack deontic constructs). The positioning relative to MI9, a financial-services runtime governance framework combining telemetry, drift detection, and finite-state-machine conformance, is particularly interesting. The authors suggest MI9's behavioural signals could trigger AgenticRei policy evaluation, which points toward a genuinely useful integration architecture.

Implications for the Field

The paper's central claim, that permit/deny engines are categorically insufficient for agentic governance, is well-supported. The regulatory motivation is real: HIPAA breach notification, GDPR data subject access obligations, and SOC 2 audit requirements all involve post-permission duties that cannot be expressed as access control rules. The fact that CISA, NSA, and allied agencies have independently recommended per-invocation policy evaluation validates the architectural direction, even if the specific language choice remains open.

Whether deontic logic and OWL are the right substrate is a harder question. The expressive power is clearly there. The runtime performance appears viable. The open questions are around tooling, scalability to large policy knowledge bases, and the governance of the ontologies themselves (who owns the class hierarchy, and what happens when it changes?). These are solvable problems, but they are not trivial ones.

For teams building or evaluating governance infrastructure for production agentic systems, this paper is worth reading carefully. It provides the clearest published account of why current engines fall short and a concrete prototype demonstrating that the alternative is practically feasible. The full paper is available at arxiv.org/abs/2606.19464.

AI SecurityPolicy EnforcementAgentic AIDeontic LogicLLM Governance

Related Articles

DeXposure-Claw: Agentic LLM Supervision for DeFi RiskDiffusion Language Models: A Systematic Benchmark AnalysisDeepSeek-V4: Million-Token Context via Hybrid Sparse Attention