arxiv: 2606.19464 · v1 · pith:G4BSEVKYnew · submitted 2026-06-17 · 💻 cs.AI · cs.MA

Deontic Policies for Runtime Governance of Agentic AI Systems

Pith reviewed 2026-06-26 21:07 UTC · model grok-4.3

classification 💻 cs.AI cs.MA
keywords: deontic policies · agentic AI systems · runtime governance · obligations and dispensations · policy conflict resolution · OWL · LLM agents · enterprise compliance

The pith

AgenticRei applies deontic policies in OWL to enforce obligations, dispensations, and conflict resolutions for agentic AI systems outside the LLM.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper sets out to show that governance for LLM-driven agents requires more than permit or prohibit rules and can be achieved by extending a deontic policy language from the Rei framework. This language, written in OWL and checked by an external logic engine, manages obligations that arise after actions, conditions under which those obligations can be waived, and ways to decide which rule wins when policies clash. The same mechanism applies to both an agent's tool calls and messages sent between agents. A reader would care because current engines leave gaps in security and privacy enforcement for systems that can install software or coordinate across boundaries. Examples in the paper illustrate constraints from domains such as healthcare and cybersecurity that cannot be stated in engines limited to access control.

Core claim

We propose AgenticRei, which realizes key governance requirements such as obligations, dispensations, policy conflict resolutions, and reasoning over policies, as well as the basic permit/prohibit constraints. We use a deontic policy language built on the Rei framework, expressed as OWL and evaluated at runtime by a high-performance logic engine entirely outside the LLM. The same pipeline governs both tool invocations by the agent and agent-to-agent messages.

What carries the argument

The deontic policy language built on the Rei framework and expressed in OWL, evaluated at runtime by an external logic engine that manages obligation lifecycles, dispensations, and meta-policy precedence.

If this is right

  • The same policy pipeline applies uniformly to tool invocations and agent-to-agent messages.
  • Governance constraints for security and privacy become expressible that current production engines such as XACML, Rego, and Cedar cannot state.
  • Ontological reasoning over domain class hierarchies is available for applications including healthcare, cybersecurity, and data privacy.
  • The approach composes directly with industry-standard frameworks such as A2AS.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Keeping evaluation outside the LLM could stop agents from bypassing rules through internal model outputs rather than external checks.
  • Real-time policy auditing of agent actions against formal deontic rules becomes feasible for compliance reporting.
  • The separation of policy logic from the model might allow policy updates without retraining or restarting the agents.

Load-bearing premise

The Rei framework can be extended to handle obligation lifecycle management, meta-policy conflict resolution, and dispensations while remaining practical to evaluate at runtime outside the LLM.

What would settle it

A concrete test case in which an agent triggers an obligation, meets a stated dispensation condition, and the external engine either still enforces the obligation or fails to apply the correct precedence among conflicting policies.
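
The test case described above can be made concrete with a small evaluator. This is an added sketch in plain Python, not the paper's OWL policies or its logic engine. The class hierarchy, rule names, priorities, the default-deny fallback, the "prohibit wins ties" meta-policy, and the `ciso_pre_approved` dispensation condition are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed class hierarchy (child -> parent); stands in for OWL subclass axioms.
SUBCLASS = {"InstallPackage": "SoftwareChange", "SoftwareChange": "Action",
            "NotifyCISO": "SendA2AMessage", "SendA2AMessage": "Action"}

def is_a(cls, ancestor):
    while cls is not None and cls != ancestor:   # walk up until match or root
        cls = SUBCLASS.get(cls)
    return cls is not None

@dataclass
class Event:                      # one shape for tool calls and A2A messages
    agent: str
    action: str
    context: dict = field(default_factory=dict)

@dataclass
class Rule:                       # permit / prohibit constraint
    name: str
    modality: str
    action: str
    priority: int
    when: Callable[[Event], bool] = lambda e: True

@dataclass
class ObligationRule:             # duty created by a permitted trigger action
    name: str
    trigger: str
    duty: str
    waived_if: Callable[[Event], bool] = lambda e: False   # dispensation

class Engine:
    def __init__(self, rules, obligation_rules):
        self.rules, self.obligation_rules = rules, obligation_rules
        self.obligations, self.audit = [], []

    def decide(self, ev):
        hits = [r for r in self.rules if is_a(ev.action, r.action) and r.when(ev)]
        if not hits:
            return "prohibit", None            # assumed default: deny
        # Assumed meta-policy: highest priority wins; on a tie prohibit beats permit.
        win = max(hits, key=lambda r: (r.priority, r.modality == "prohibit"))
        return win.modality, win.name

    def handle(self, ev):
        decision, rule = self.decide(ev)
        self.audit.append((ev.agent, ev.action, decision, rule))
        if decision != "permit":
            return decision
        for ob in self.obligations:            # performing the duty discharges it
            if ob["state"] == "active" and ob["agent"] == ev.agent and is_a(ev.action, ob["duty"]):
                ob["state"] = "fulfilled"
        for o in self.obligation_rules:        # trigger creates a duty unless dispensed
            if is_a(ev.action, o.trigger):
                state = "waived" if o.waived_if(ev) else "active"
                self.obligations.append(
                    {"rule": o.name, "agent": ev.agent, "duty": o.duty, "state": state})
        return decision

    def outstanding(self, agent):
        return [ob["rule"] for ob in self.obligations
                if ob["agent"] == agent and ob["state"] == "active"]

def build_engine():
    rules = [
        Rule("allow-by-default", "permit", "Action", 1),
        Rule("no-software-change", "prohibit", "SoftwareChange", 2),
        Rule("change-ticket-exception", "permit", "SoftwareChange", 3,
             when=lambda e: "change_ticket" in e.context),
    ]
    duties = [ObligationRule("notify-ciso-after-install", "InstallPackage", "NotifyCISO",
                             waived_if=lambda e: e.context.get("ciso_pre_approved", False))]
    return Engine(rules, duties)

def run_scenario():
    eng, out = build_engine(), {}
    out["no_ticket"] = eng.handle(Event("agent-1", "InstallPackage"))
    out["with_ticket"] = eng.handle(Event("agent-1", "InstallPackage", {"change_ticket": "CHG-1"}))
    out["pending"] = eng.outstanding("agent-1")
    out["notify"] = eng.handle(Event("agent-1", "NotifyCISO"))       # an A2A message
    out["after_notify"] = eng.outstanding("agent-1")
    eng.handle(Event("agent-1", "InstallPackage",
                     {"change_ticket": "CHG-2", "ciso_pre_approved": True}))
    out["states"] = [ob["state"] for ob in eng.obligations]
    return out

if __name__ == "__main__": print(run_scenario())
```

The failure the paragraph describes would show up here as the second obligation ending in `active` instead of `waived`, or as the ticketed install being prohibited despite the higher-priority permit.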

Figures

Figures reproduced from arXiv: 2606.19464 by Anupam Joshi, Karuna Pande Joshi, Lalana Kagal, Tim Finin.

Figure 1: AgenticRei runtime architecture. Both tool-call interception and A2A

Original abstract

Autonomous agentic AI systems driven by Large Language Models (LLMs) introduce a new class of security, privacy, and compliance challenges: an agent that can invoke tools, manipulate data, install software, and coordinate with peer agents across organizational boundaries must be constrained not just by authentication and access control, but by the full structure of enterprise governance. This includes specifying what agents are permitted and prohibited from doing, what they areobliged to do after certain actions (e.g., notify the CISO), under what conditions a standing obligation may be waived, and which rules take precedence when policies conflict. This governance problem exceeds what current policy engines provide. Systems such as XACML, Rego, and Cedar address only the permit/prohibit subset of this governance structure. They do not provide obligation lifecycle management, meta-policy conflict resolution, dispensations that waive obligations in specific circumstances, and ontological reasoning over domain class hierarchies commonly found in applications such as healthcare, cybersecurity, or data privacy. We propose AgenticRei, which realizes key governance requirements such as obligations, dispensations, policy conflict resolutions, and reasoning over policies, as well as the basic permit/prohibit constraints. We use a deontic policy language built on the Rei framework, expressed as OWL (Web Ontology Language) and evaluated at runtime by a high-performance logic engine entirely outside the LLM. The same pipeline governs both tool invocations by the agent and agent-to-agent messages. We show through examples that deontic policies capture governance constraints around security and privacy that mostly cannot be expressed in current production engines. Our approach composes naturally with industry-standard frameworks like A2AS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript proposes AgenticRei, a runtime governance system for agentic AI that extends the Rei framework into a deontic policy language expressed in OWL. Policies are evaluated by a high-performance logic engine outside the LLM to enforce obligations, dispensations, meta-policy conflict resolution, ontological reasoning over class hierarchies, and basic permit/prohibit rules. The authors claim this addresses gaps in engines such as XACML, Rego, and Cedar, and that examples demonstrate expressiveness for security and privacy constraints not capturable elsewhere; the same pipeline is said to govern both tool calls and agent-to-agent messages while composing with A2AS.

Significance. If the claimed Rei extensions for obligation lifecycle management, dispensations, and conflict resolution can be realized in OWL and evaluated correctly and efficiently at runtime, the work would fill a recognized gap in policy languages for enterprise governance of autonomous agents. The design choice to keep evaluation entirely outside the LLM is a clear strength for auditability and reliability. No machine-checked proofs, reproducible code, or empirical evaluations are present to credit.

major comments (3)
  1. [Abstract] Abstract: the central claim that 'we show through examples that deontic policies capture governance constraints around security and privacy that mostly cannot be expressed in current production engines' is unsupported; the manuscript supplies neither the examples, the concrete policies, nor any comparison of expressiveness against XACML/Rego/Cedar.
  2. [Abstract] Abstract: no description is provided of the specific extensions to the Rei framework, the OWL axioms or rules added for obligation lifecycle management and dispensations, the chosen high-performance logic engine, or any conflict-resolution mechanics, all of which are required to substantiate the runtime evaluation claim.
  3. [Abstract] Abstract: the assertion that the approach 'realizes key governance requirements such as obligations, dispensations, policy conflict resolutions, and reasoning over policies' rests on an unshown implementation; without the OWL constructs or evaluation details, it is impossible to assess whether the weakest assumption (practical runtime use without performance or expressiveness failure) holds.
minor comments (1)
  1. [Abstract] Abstract: missing space in 'they areobliged'.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments on the abstract. We agree that greater specificity is needed to substantiate the claims and will revise the abstract accordingly.

  1. Referee: [Abstract] Abstract: the central claim that 'we show through examples that deontic policies capture governance constraints around security and privacy that mostly cannot be expressed in current production engines' is unsupported; the manuscript supplies neither the examples, the concrete policies, nor any comparison of expressiveness against XACML/Rego/Cedar.

    Authors: We agree the abstract does not embed the examples or comparisons. The full manuscript supplies concrete OWL policies (e.g., obligation to notify after data access with dispensation under audit conditions) and shows they exceed the permit/prohibit scope of XACML, Rego, and Cedar. We will revise the abstract to include one brief policy example and a one-sentence expressiveness comparison. revision: yes

  2. Referee: [Abstract] Abstract: no description is provided of the specific extensions to the Rei framework, the OWL axioms or rules added for obligation lifecycle management and dispensations, the chosen high-performance logic engine, or any conflict-resolution mechanics, all of which are required to substantiate the runtime evaluation claim.

    Authors: The abstract summarizes rather than details the extensions. The manuscript specifies the Rei extensions in OWL (axioms for obligation states and dispensation conditions), the high-performance logic engine used for external evaluation, and meta-policy rules for conflict resolution. We will revise the abstract to name the engine and briefly characterize the added OWL constructs and conflict mechanics. revision: yes

  3. Referee: [Abstract] Abstract: the assertion that the approach 'realizes key governance requirements such as obligations, dispensations, policy conflict resolutions, and reasoning over policies' rests on an unshown implementation; without the OWL constructs or evaluation details, it is impossible to assess whether the weakest assumption (practical runtime use without performance or expressiveness failure) holds.

    Authors: We accept that the abstract does not display the OWL constructs or runtime metrics. The manuscript presents the OWL axioms realizing obligations, dispensations, and conflict resolution together with the external evaluation pipeline. We will revise the abstract to reference the relevant sections containing the constructs and evaluation approach. revision: yes

Circularity Check

0 steps flagged

No derivations or equations present; proposal does not reduce to its inputs

The manuscript is a system proposal describing AgenticRei as an extension of the existing Rei framework expressed in OWL and evaluated externally. No equations, first-principles derivations, fitted parameters, or predictions appear in the abstract or described full text. The central claim is an engineering architecture whose correctness rests on concrete OWL axioms and runtime evaluation (not supplied here), not on any self-referential reduction. No load-bearing self-citations, ansatzes, or renamings are exhibited. This is the normal non-finding for a descriptive proposal paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Review based on abstract only; no detailed axioms, parameters, or entities can be extracted beyond the high-level proposal.

axioms (1)
  • [domain assumption] OWL-based deontic reasoning suffices for runtime policy evaluation outside the LLM
    Invoked when stating that policies are expressed as OWL and evaluated by a logic engine
invented entities (1)
  • AgenticRei [no independent evidence]
    purpose: Realizes deontic governance requirements for agentic AI
    New named system proposed to address gaps in existing engines

pith-pipeline@v0.9.1-grok · 5838 in / 1316 out tokens · 21740 ms · 2026-06-26T21:07:57.392931+00:00 · methodology
