When Agents Control Robots: A Zero Trust Policy Model for Agentic Cyber-Physical Systems
Pith reviewed 2026-06-29 20:34 UTC · model grok-4.3
The pith
Zero Trust Policy Model with physical impact tiers enforces safety at the actuation boundary in agent-controlled robots.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We analyse this threat landscape through Cobot-Claw, a deployed four-agent system for UR3e robotic arm control, and identify five attack classes specific to agentic cyber-physical systems. We propose ZTPM, a Zero Trust Policy Model comprising 25 typed primitives across five enforcement domains with Physical Impact Tiers as a runtime policy dimension. An empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating the need for policy-level enforcement at the physical actuation boundary.
What carries the argument
ZTPM, the Zero Trust Policy Model with 25 typed primitives across five enforcement domains and Physical Impact Tiers as a runtime policy dimension, applied at the physical actuation boundary.
If this is right
- Policy enforcement must occur at the physical actuation boundary to handle non-deterministic outputs from different models.
- The five attack classes require dedicated primitives within the five enforcement domains of ZTPM.
- Physical Impact Tiers allow runtime policy decisions scaled to potential real-world consequences.
- Deployments of natural-language robot control by multiple agents need structured policy models beyond standard IT security.
- Security failures in these systems produce physical outcomes, making boundary-level primitives essential.
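To make the actuation-boundary idea concrete, here is an added Python example, not code from the paper, from Cobot-Claw or from the UR3e tooling: a policy gate that scores each proposed arm move into a physical impact tier from its actual parameters and applies a tier-based decision, so two backends proposing different speeds for the same task are judged on what they would physically do rather than on which model produced them. The tier names, thresholds, workspace envelope, command fields and the `MoveCommand`/`impact_tier`/`decide` names are all assumptions for illustration; the paper's 25 primitives and its own tier definitions are not reproduced here.

```python
"""Hypothetical actuation-boundary policy gate with physical impact tiers.

Added illustration only: tier names, thresholds, the workspace envelope and
the command format are constructed assumptions, not the paper's ZTPM.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class ImpactTier(IntEnum):
    """Constructed tiers, ordered by severity of the physical consequence."""
    NEGLIGIBLE = 0
    LOW = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class MoveCommand:
    model: str                              # backend that proposed the move; not a trust input
    target_mm: Tuple[float, float, float]   # (x, y, z) in the robot base frame
    speed_mm_s: float
    force_n: float


# Assumed envelope and thresholds for a bench-mounted arm (constructed values).
WORKSPACE_MM = {"x": (-400.0, 400.0), "y": (-400.0, 400.0), "z": (0.0, 600.0)}
SHARED_ZONE_Y_MM = 150.0   # y beyond this is reachable by a human operator
SPEED_LOW_MAX = 250.0      # mm/s
SPEED_HIGH_MAX = 500.0
FORCE_LOW_MAX = 50.0       # N
FORCE_HIGH_MAX = 100.0

# Decision per tier; HIGH requires an out-of-band human confirmation step.
POLICY = {
    ImpactTier.NEGLIGIBLE: "allow",
    ImpactTier.LOW: "allow",
    ImpactTier.HIGH: "require_confirmation",
    ImpactTier.CRITICAL: "deny",
}


def in_workspace(cmd: MoveCommand) -> bool:
    """True if the target lies inside the configured envelope on every axis."""
    limits = (WORKSPACE_MM["x"], WORKSPACE_MM["y"], WORKSPACE_MM["z"])
    return all(lo <= v <= hi for v, (lo, hi) in zip(cmd.target_mm, limits))


def impact_tier(cmd: MoveCommand) -> ImpactTier:
    """Score the physical consequence of executing cmd from its parameters alone."""
    if cmd.speed_mm_s > SPEED_HIGH_MAX or cmd.force_n > FORCE_HIGH_MAX:
        return ImpactTier.CRITICAL
    in_shared = cmd.target_mm[1] > SHARED_ZONE_Y_MM
    fast_or_strong = cmd.speed_mm_s > SPEED_LOW_MAX or cmd.force_n > FORCE_LOW_MAX
    if in_shared and fast_or_strong:
        return ImpactTier.HIGH
    if in_shared or fast_or_strong:
        return ImpactTier.LOW
    return ImpactTier.NEGLIGIBLE


def decide(cmd: MoveCommand) -> Tuple[str, ImpactTier, str]:
    """Policy decision at the actuation boundary: (decision, tier, reason)."""
    if not in_workspace(cmd):
        return ("deny", ImpactTier.CRITICAL, "target outside workspace envelope")
    tier = impact_tier(cmd)
    return (POLICY[tier], tier, f"tier {tier.name} from speed/force/zone")


def gate(commands: List[MoveCommand]) -> List[Tuple[str, str, str]]:
    """Run every proposal through decide(); returns (model, decision, tier name)."""
    out = []
    for cmd in commands:
        decision, tier, _ = decide(cmd)
        out.append((cmd.model, decision, tier.name))
    return out


if __name__ == "__main__":
    # Constructed proposals for one task ("hand the part to the operator")
    # as two backends might emit them with different speed choices.
    proposals = [
        MoveCommand("backend-A", (100.0, 300.0, 200.0), 180.0, 20.0),
        MoveCommand("backend-B", (100.0, 300.0, 200.0), 420.0, 20.0),
        MoveCommand("backend-B", (100.0, 300.0, 200.0), 800.0, 20.0),
        MoveCommand("backend-A", (100.0, 500.0, 200.0), 100.0, 10.0),
    ]
    for row in gate(proposals):
        print(row)
```

The gate sits as the last check before a command reaches the controller and never reads `cmd.model` when deciding; that is the point of enforcing at the boundary rather than trusting any particular backend's parameter choices.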
Where Pith is reading between the lines
- The approach could extend to other agent-controlled physical systems such as autonomous vehicles or drones where model variance creates similar risks.
- Further traces on additional robot hardware would test whether the non-determinism finding holds beyond the UR3e arm.
- Integration of these physical-tier primitives with existing IT zero-trust architectures might create unified policies across digital and physical layers.
- The model-dependence result points to a wider verification challenge for any safety-critical action generated by large foundation models.
Load-bearing premise
The Cobot-Claw four-agent system and the five identified attack classes represent the broader threat landscape for agentic cyber-physical systems.
What would settle it
Showing that actuation parameter selection remains consistent and deterministic across different large foundation model backends would remove the main motivation for policy enforcement at the physical boundary.
Original abstract
Multi-agent systems powered by large foundation models (LFMs) are increasingly deployed to control industrial robots through natural language, creating deployments in which security failures produce physical consequences. We analyse this threat landscape through Cobot-Claw, a deployed four-agent system for UR3e robotic arm control, and identify five attack classes specific to agentic cyber-physical systems. We propose ZTPM, a Zero Trust Policy Model comprising 25 typed primitives across five enforcement domains with Physical Impact Tiers as a runtime policy dimension. An empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating the need for policy-level enforcement at the physical actuation boundary.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript analyzes security threats in multi-agent systems where large foundation models (LFMs) control industrial robots through natural language. Using the deployed Cobot-Claw four-agent system for UR3e robotic arm control as a case study, it identifies five attack classes specific to agentic cyber-physical systems. It proposes ZTPM, a Zero Trust Policy Model with 25 typed primitives across five enforcement domains that incorporates Physical Impact Tiers as a runtime dimension. An empirical evaluation across 60 execution traces on two LFM backends is presented as initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating policy-level enforcement at the physical actuation boundary.
Significance. If the empirical motivation and attack-class analysis hold, the work could establish a structured zero-trust policy framework tailored to the physical consequences of LFM-driven actuation, filling a gap between conventional zero-trust models and cyber-physical deployments. The explicit enumeration of 25 primitives and the introduction of Physical Impact Tiers provide concrete, enforceable artifacts that future implementations could adopt or extend.
major comments (2)
- [Abstract] Abstract: The assertion that 'an empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic' supplies no information on trace-generation protocol, prompt controls across backends, temperature/sampling settings, number of repetitions per condition, or any statistical test distinguishing model effects from noise. Because this claim is the sole empirical motivation for introducing ZTPM, the absence of these details renders the motivation unverifiable and load-bearing for the central thesis.
- [Threat analysis] Threat analysis section: The representativeness of the Cobot-Claw four-agent system and the five identified attack classes for the broader agentic CPS threat landscape is asserted without additional case studies, literature mapping, or justification. Since the 25 ZTPM primitives are derived directly from these classes and the Cobot-Claw deployment, lack of evidence for representativeness weakens the generality of the proposed model.
Simulated Author's Rebuttal
We thank the referee for their thorough review and constructive comments. We address each major comment below.
Point-by-point responses
- Referee: [Abstract] Abstract: The assertion that 'an empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic' supplies no information on trace-generation protocol, prompt controls across backends, temperature/sampling settings, number of repetitions per condition, or any statistical test distinguishing model effects from noise. Because this claim is the sole empirical motivation for introducing ZTPM, the absence of these details renders the motivation unverifiable and load-bearing for the central thesis.
  Authors: We agree that additional details are required to substantiate the empirical claim. In the revised version, we will provide a detailed description of the trace-generation protocol, including how prompts were controlled across backends, the temperature and sampling settings used, the number of repetitions per condition, and any statistical tests applied to distinguish model effects. This information will be incorporated into the methods section and referenced in the abstract. Revision: yes.
- Referee: [Threat analysis] Threat analysis section: The representativeness of the Cobot-Claw four-agent system and the five identified attack classes for the broader agentic CPS threat landscape is asserted without additional case studies, literature mapping, or justification. Since the 25 ZTPM primitives are derived directly from these classes and the Cobot-Claw deployment, lack of evidence for representativeness weakens the generality of the proposed model.
  Authors: The analysis is grounded in the Cobot-Claw deployment as a concrete case study. To address the concern regarding generality, we will add a discussion in the threat analysis section that maps the identified attack classes to related work in cyber-physical systems security and multi-agent systems literature, providing justification for their broader applicability. Revision: yes.
Circularity Check
No circularity; empirical traces presented as independent motivation for proposed policy model
Full rationale
The paper contains no equations, derivations, or mathematical claims. ZTPM is introduced as a new policy model after analyzing the Cobot-Claw system and identifying five attack classes; the 60 execution traces are described only as supplying 'initial evidence' that motivates policy enforcement at the actuation boundary. No step reduces a claimed result to its own inputs by construction, no fitted parameters are relabeled as predictions, and no self-citation chain is invoked to justify uniqueness or core premises. The central argument is therefore self-contained as a threat-modeling exercise plus an empirical observation offered as motivation rather than a derived quantity.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: Multi-agent systems powered by large foundation models are increasingly deployed to control industrial robots through natural language, creating deployments in which security failures produce physical consequences.
invented entities (2)
- ZTPM: no independent evidence
- Physical Impact Tiers: no independent evidence