The reviewed record of science sign in
Pith

arxiv: 2606.21129 · v1 · pith:GGDY2ST3 · submitted 2026-06-19 · cs.CR · cs.OS

AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-26 13:54 UTCgrok-4.3pith:GGDY2ST3record.jsonopen to challenge →

classification cs.CR cs.OS
keywords operating system securityAI agentsintent-based access controlleast privilege enforcementautonomous agentsprompt injection defensesecure architecturecapability synthesis
0
0 comments X

The pith

AgenticOS turns the OS into an intent filter that builds least-privilege environments from agent declarations rather than exposing raw resources.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes that autonomous AI agents should not request low-level resources directly because compromise through prompt injection or bad tool outputs lets attackers chain standard OS calls into unauthorized actions. Instead, agents submit structured intent declarations, and the operating system synthesizes a constrained execution environment that includes mandatory mediation, auditing, and information-flow rules. This shifts the OS role from resource manager to intent filter while still allowing existing applications to run. A reader would care because current permission models on exposed primitives cannot contain capable planning agents once the runtime is subverted.

Core claim

AgenticOS reframes the OS from a resource manager into an intent filter: agents submit structured intent declarations from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. The architecture implements this through a four-layer design consisting of Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway, together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for native Skills. The approach consolidates delegable auditable capabilities into OS-native forms without replacing all applications.

What carries the argument

The intent filter that synthesizes least-privilege environments from structured intent declarations using a four-layer architecture and Intent ABI.

If this is right

  • Auditing and mediation become mandatory at the level of declared intents rather than raw resource accesses.
  • Information-flow constraints are enforced automatically from the intent declarations.
  • Existing applications continue to run while agent runtimes receive OS-native capabilities.
  • Skills are admitted through a model that integrates directly with the intent synthesis process.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The design could limit the damage from prompt injection by restricting what behaviors can be composed from any single intent.
  • It might support multi-agent coordination if intents can be negotiated or composed across capsules.
  • Real-world validation would require testing whether synthesis misses attack paths in complex tool-use scenarios.

Load-bearing premise

Agents will reliably submit accurate structured intent declarations and the OS can correctly synthesize and enforce a least-privilege environment without missing attack paths.

What would settle it

An experiment in which a compromised agent submits a benign intent yet still reaches unauthorized resources or performs actions outside the synthesized environment after receiving malicious tool output.

Figures

Figures reproduced from arXiv: 2606.21129 by Jia Wang, Jiexin Gao, Songqiao Tao, Xin Cheng, Yanpeng Zhu, Yu Zhang, Zhen Zhao.

Figure 1
Figure 1. Figure 1: Traditional OS: Permission Based Under this model, the attack surface shifts from “finding ex￾ploitable system-call entries” to “attempting to abuse restricted semantic interfaces.” This does not mean that attacks become impossible; rather, it means that attackers must operate within a narrower, more auditable, and more policy-constrained abstrac￾tion layer. 3 [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: AgenticOS: Intent-Manifest Based 3.2. Four-Layer Architecture Overview AgenticOS adopts a four-layer vertical design, with strict one-way dependencies between layers to provide defense in depth. The four layers have distinct responsibilities. The Ghost Kernel provides the minimal trusted isolation substrate. The Logic Shutter performs intent recognition, policy mediation, capability-token management, and a… view at source ↗
Figure 3
Figure 3. Figure 3: AgenticOS Four-Layer Architecture Diagram [PITH_FULL_IMAGE:figures/full_fig_p004_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Intent invocation end-to-end flow—from capsule request to external response. [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Generation and Execution Workflow from Manifest to Dynamic ABI [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
read the original abstract

Traditional OS security models based on "resource exposure plus permission checks" face structural challenges as LLM-driven autonomous agents acquire capabilities for planning, tool use, network access, and code execution. Once an agent runtime is compromised through prompt injection or malicious tool outputs, an attacker can compose POSIX-style resource primitives into behaviors far beyond the user's task authorization. To address this, we propose AgenticOS, an intent-oriented secure OS architecture that consolidates delegable, auditable software capabilities into OS-native ones rather than replacing all applications. The core insight is to reframe the OS from a "resource manager" into an "intent filter": instead of requesting low-level resources directly, agents submit structured intent declarations, from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. At the implementation level, we introduce a four-layer architecture -- Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway -- together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The paper proposes AgenticOS, an intent-oriented secure OS architecture for LLM-driven autonomous agents. It argues that traditional resource-exposure-plus-permission-check models fail when agents are compromised via prompt injection or malicious tools, allowing unauthorized composition of POSIX primitives. The core reframing is to treat the OS as an 'intent filter': agents submit structured intent declarations from which the system synthesizes least-privilege environments enforced via mandatory mediation, auditing, and information-flow constraints. The design introduces a four-layer architecture (Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway) together with an Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.

Significance. If the proposed intent-to-privilege synthesis can be shown to be sound and complete, the architecture would offer a substantive advance in securing agentic systems by shifting enforcement from low-level resource permissions to high-level, auditable intent mediation. The consolidation of delegable capabilities into OS-native mechanisms is a coherent direction that could influence future designs for AI agent runtimes.

major comments (3)
  1. [Abstract] Abstract (core insight paragraph): the claim that intent declarations enable synthesis of a 'least-privilege environment' that blocks all unauthorized compositions of POSIX primitives is unsupported by any formal model of the intent language, mapping rules, or completeness argument showing that every attack path is covered by the generated constraints.
  2. [Four-layer architecture description] Four-layer architecture and implementation components: the roles of Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Intent ABI, Manifest-Only Runtime, and Weaver generation are described at a naming level only, with no specification of how these layers derive or enforce constraints that remain gap-free after agent compromise.
  3. [Admission model for AgenticOS-native Skills] Admission model and Skills section: no argument or example is given that the system can still produce correct least-privilege sets when submitted intents are inaccurate (the weakest assumption identified in the design), nor is there discussion of fallback mediation when intent accuracy cannot be guaranteed.
minor comments (1)
  1. [Terminology] The manuscript introduces multiple novel terms (Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Weaver) without relating them to prior OS or capability-system literature, which reduces accessibility.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and precise comments. The manuscript is an initial architectural proposal rather than a formally verified system, and we agree that several claims require qualification and that additional detail and discussion of limitations are needed. We address each major comment below and will incorporate the suggested changes in the revised version.

read point-by-point responses
  1. Referee: [Abstract] Abstract (core insight paragraph): the claim that intent declarations enable synthesis of a 'least-privilege environment' that blocks all unauthorized compositions of POSIX primitives is unsupported by any formal model of the intent language, mapping rules, or completeness argument showing that every attack path is covered by the generated constraints.

    Authors: We agree that the abstract overstates the current support for the claim. The paper presents a conceptual architecture without a formal model or completeness argument. We will revise the abstract to state that the design 'aims to' synthesize least-privilege environments and will add a short subsection in the discussion section outlining the requirements for a formal intent language together with a note that completeness arguments remain future work. revision: yes

  2. Referee: [Four-layer architecture description] Four-layer architecture and implementation components: the roles of Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Intent ABI, Manifest-Only Runtime, and Weaver generation are described at a naming level only, with no specification of how these layers derive or enforce constraints that remain gap-free after agent compromise.

    Authors: The referee correctly observes that the layer descriptions remain high-level. We will expand the architecture section with additional paragraphs and a figure that illustrate the information-flow and mediation steps performed by each layer. We will also add an explicit limitations paragraph stating that gap-free enforcement after compromise has not been formally shown and would require implementation-level verification. revision: yes

  3. Referee: [Admission model for AgenticOS-native Skills] Admission model and Skills section: no argument or example is given that the system can still produce correct least-privilege sets when submitted intents are inaccurate (the weakest assumption identified in the design), nor is there discussion of fallback mediation when intent accuracy cannot be guaranteed.

    Authors: We acknowledge the absence of this discussion. We will insert a new paragraph in the admission-model section that states the accuracy assumption, gives an example of how an inaccurate intent could produce an over- or under-privileged set, and describes two fallback mechanisms: (1) conservative default privilege synthesis and (2) optional human review for high-risk actions. revision: yes

Circularity Check

0 steps flagged

No circularity: purely architectural proposal without derivations or fitted quantities

full rationale

The paper is an architectural design proposal introducing new OS layers, an Intent ABI, Manifest-Only Runtime, and Weaver-based generation. It contains no equations, no parameter fitting, no predictions of quantities, and no derivation chains that reduce to inputs by construction. The central reframing of OS as 'intent filter' is a definitional proposal, not a claim derived from prior results via self-citation or ansatz. No load-bearing steps match any of the enumerated circularity patterns. The absence of a formal soundness proof for intent-to-privilege synthesis is a completeness concern, not circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 4 invented entities

The proposal rests on domain assumptions about agent behavior and OS mediation capability rather than new mathematical entities or fitted parameters.

axioms (2)
  • domain assumption Agents can and will submit structured, accurate intent declarations that capture their task authorization.
    Invoked in the core insight paragraph; required for the intent-filter synthesis step.
  • domain assumption The OS can correctly synthesize and enforce least-privilege environments plus information-flow constraints from those declarations.
    Central to the reframing claim; no mechanism details given.
invented entities (4)
  • Ghost Kernel no independent evidence
    purpose: One of the four layers in the architecture
    Named component with no independent evidence or prior citation
  • Logic Shutter no independent evidence
    purpose: One of the four layers in the architecture
    Named component with no independent evidence or prior citation
  • Agent Capsule no independent evidence
    purpose: One of the four layers in the architecture
    Named component with no independent evidence or prior citation
  • Semantic Boundary Gateway no independent evidence
    purpose: One of the four layers in the architecture
    Named component with no independent evidence or prior citation

pith-pipeline@v0.9.1-grok · 5732 in / 1408 out tokens · 17432 ms · 2026-06-26T13:54:46.761056+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

15 extracted references · 1 canonical work pages · 1 internal anchor

  1. [1]

    J. H. Saltzer, M. D. Schroeder, The protection of infor- mation in computer systems, Proceedings of the IEEE 63 (1975) 1278–1308

  2. [2]

    B. W. Lampson, A note on the confinement problem, Communications of the ACM 16 (1973) 613–615

  3. [3]

    Hardy, Keykos architecture, ACM SIGOPS Operating Systems Review 19 (1985) 8–25

    N. Hardy, Keykos architecture, ACM SIGOPS Operating Systems Review 19 (1985) 8–25

  4. [4]

    J. S. Shapiro, J. M. Smith, D. J. Farber, Eros: a fast capa- bility system, in: Proceedings of the seventeenth ACM symposium on Operating systems principles, 1999, pp. 170–185

  5. [5]

    R. N. Watson, J. Anderson, B. Laurie, K. Kennaway, Capsicum: Practical capabilities for{UNIX}, in: 19th USENIX Security Symposium (USENIX Security 10), 2010

  6. [6]

    R. N. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, et al., Cheri: A hybrid capability-system ar- chitecture for scalable software compartmentalization, in: 2015 IEEE Symposium on Security and Privacy, IEEE, 2015, pp. 20–37

  7. [7]

    Klein, K

    G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, et al., sel4: Formal verifica- tion of an os kernel, in: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, 2009, pp. 207–220

  8. [8]

    Wahbe, S

    R. Wahbe, S. Lucco, T. E. Anderson, S. L. Graham, Effi- cient software-based fault isolation, in: Proceedings of the fourteenth ACM symposium on Operating systems princi- ples, 1993, pp. 203–216

  9. [9]

    Abadi, M

    M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti, Control- flow integrity principles, implementations, and applica- tions, ACM Transactions on Information and System Se- curity (TISSEC) 13 (2009) 1–40

  10. [10]

    A. Haas, A. Rossberg, D. L. Schuff, B. L. Titzer, M. Hol- man, D. Gohman, L. Wagner, A. Zakai, J.-F. Bastien, Bringing the web up to speed with webassembly, in: Pro- ceedings of the 38th ACM SIGPLAN conference on pro- gramming language design and implementation, 2017, pp. 185–200

  11. [11]

    D. E. Denning, A lattice model of secure information flow, Communications of the ACM 19 (1976) 236–243

  12. [12]

    Sabelfeld, A

    A. Sabelfeld, A. C. Myers, Language-based information- flow security, IEEE Journal on selected areas in commu- nications 21 (2003) 5–19

  13. [13]

    Greshake, S

    K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, M. Fritz, Not what you’ve signed up for: Compromis- ing real-world llm-integrated applications with indirect prompt injection, in: Proceedings of the 16th ACM work- shop on artificial intelligence and security, 2023, pp. 79– 90

  14. [14]

    S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, Y . Cao, React: Synergizing reasoning and acting in lan- guage models, arXiv preprint arXiv:2210.03629 (2022)

  15. [15]

    Schick, J

    T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, E. Hambro, L. Zettlemoyer, N. Cancedda, T. Scialom, Toolformer: Language models can teach themselves to use tools, Advances in neural information processing systems 36 (2023) 68539–68551. 11