AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-26 13:54 UTCgrok-4.3pith:GGDY2ST3record.jsonopen to challenge →
The pith
AgenticOS turns the OS into an intent filter that builds least-privilege environments from agent declarations rather than exposing raw resources.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
AgenticOS reframes the OS from a resource manager into an intent filter: agents submit structured intent declarations from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. The architecture implements this through a four-layer design consisting of Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway, together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for native Skills. The approach consolidates delegable auditable capabilities into OS-native forms without replacing all applications.
What carries the argument
The intent filter that synthesizes least-privilege environments from structured intent declarations using a four-layer architecture and Intent ABI.
If this is right
- Auditing and mediation become mandatory at the level of declared intents rather than raw resource accesses.
- Information-flow constraints are enforced automatically from the intent declarations.
- Existing applications continue to run while agent runtimes receive OS-native capabilities.
- Skills are admitted through a model that integrates directly with the intent synthesis process.
Where Pith is reading between the lines
- The design could limit the damage from prompt injection by restricting what behaviors can be composed from any single intent.
- It might support multi-agent coordination if intents can be negotiated or composed across capsules.
- Real-world validation would require testing whether synthesis misses attack paths in complex tool-use scenarios.
Load-bearing premise
Agents will reliably submit accurate structured intent declarations and the OS can correctly synthesize and enforce a least-privilege environment without missing attack paths.
What would settle it
An experiment in which a compromised agent submits a benign intent yet still reaches unauthorized resources or performs actions outside the synthesized environment after receiving malicious tool output.
Figures
read the original abstract
Traditional OS security models based on "resource exposure plus permission checks" face structural challenges as LLM-driven autonomous agents acquire capabilities for planning, tool use, network access, and code execution. Once an agent runtime is compromised through prompt injection or malicious tool outputs, an attacker can compose POSIX-style resource primitives into behaviors far beyond the user's task authorization. To address this, we propose AgenticOS, an intent-oriented secure OS architecture that consolidates delegable, auditable software capabilities into OS-native ones rather than replacing all applications. The core insight is to reframe the OS from a "resource manager" into an "intent filter": instead of requesting low-level resources directly, agents submit structured intent declarations, from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. At the implementation level, we introduce a four-layer architecture -- Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway -- together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes AgenticOS, an intent-oriented secure OS architecture for LLM-driven autonomous agents. It argues that traditional resource-exposure-plus-permission-check models fail when agents are compromised via prompt injection or malicious tools, allowing unauthorized composition of POSIX primitives. The core reframing is to treat the OS as an 'intent filter': agents submit structured intent declarations from which the system synthesizes least-privilege environments enforced via mandatory mediation, auditing, and information-flow constraints. The design introduces a four-layer architecture (Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway) together with an Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.
Significance. If the proposed intent-to-privilege synthesis can be shown to be sound and complete, the architecture would offer a substantive advance in securing agentic systems by shifting enforcement from low-level resource permissions to high-level, auditable intent mediation. The consolidation of delegable capabilities into OS-native mechanisms is a coherent direction that could influence future designs for AI agent runtimes.
major comments (3)
- [Abstract] Abstract (core insight paragraph): the claim that intent declarations enable synthesis of a 'least-privilege environment' that blocks all unauthorized compositions of POSIX primitives is unsupported by any formal model of the intent language, mapping rules, or completeness argument showing that every attack path is covered by the generated constraints.
- [Four-layer architecture description] Four-layer architecture and implementation components: the roles of Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Intent ABI, Manifest-Only Runtime, and Weaver generation are described at a naming level only, with no specification of how these layers derive or enforce constraints that remain gap-free after agent compromise.
- [Admission model for AgenticOS-native Skills] Admission model and Skills section: no argument or example is given that the system can still produce correct least-privilege sets when submitted intents are inaccurate (the weakest assumption identified in the design), nor is there discussion of fallback mediation when intent accuracy cannot be guaranteed.
minor comments (1)
- [Terminology] The manuscript introduces multiple novel terms (Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Weaver) without relating them to prior OS or capability-system literature, which reduces accessibility.
Simulated Author's Rebuttal
We thank the referee for the constructive and precise comments. The manuscript is an initial architectural proposal rather than a formally verified system, and we agree that several claims require qualification and that additional detail and discussion of limitations are needed. We address each major comment below and will incorporate the suggested changes in the revised version.
read point-by-point responses
-
Referee: [Abstract] Abstract (core insight paragraph): the claim that intent declarations enable synthesis of a 'least-privilege environment' that blocks all unauthorized compositions of POSIX primitives is unsupported by any formal model of the intent language, mapping rules, or completeness argument showing that every attack path is covered by the generated constraints.
Authors: We agree that the abstract overstates the current support for the claim. The paper presents a conceptual architecture without a formal model or completeness argument. We will revise the abstract to state that the design 'aims to' synthesize least-privilege environments and will add a short subsection in the discussion section outlining the requirements for a formal intent language together with a note that completeness arguments remain future work. revision: yes
-
Referee: [Four-layer architecture description] Four-layer architecture and implementation components: the roles of Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway, Intent ABI, Manifest-Only Runtime, and Weaver generation are described at a naming level only, with no specification of how these layers derive or enforce constraints that remain gap-free after agent compromise.
Authors: The referee correctly observes that the layer descriptions remain high-level. We will expand the architecture section with additional paragraphs and a figure that illustrate the information-flow and mediation steps performed by each layer. We will also add an explicit limitations paragraph stating that gap-free enforcement after compromise has not been formally shown and would require implementation-level verification. revision: yes
-
Referee: [Admission model for AgenticOS-native Skills] Admission model and Skills section: no argument or example is given that the system can still produce correct least-privilege sets when submitted intents are inaccurate (the weakest assumption identified in the design), nor is there discussion of fallback mediation when intent accuracy cannot be guaranteed.
Authors: We acknowledge the absence of this discussion. We will insert a new paragraph in the admission-model section that states the accuracy assumption, gives an example of how an inaccurate intent could produce an over- or under-privileged set, and describes two fallback mechanisms: (1) conservative default privilege synthesis and (2) optional human review for high-risk actions. revision: yes
Circularity Check
No circularity: purely architectural proposal without derivations or fitted quantities
full rationale
The paper is an architectural design proposal introducing new OS layers, an Intent ABI, Manifest-Only Runtime, and Weaver-based generation. It contains no equations, no parameter fitting, no predictions of quantities, and no derivation chains that reduce to inputs by construction. The central reframing of OS as 'intent filter' is a definitional proposal, not a claim derived from prior results via self-citation or ansatz. No load-bearing steps match any of the enumerated circularity patterns. The absence of a formal soundness proof for intent-to-privilege synthesis is a completeness concern, not circularity.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption Agents can and will submit structured, accurate intent declarations that capture their task authorization.
- domain assumption The OS can correctly synthesize and enforce least-privilege environments plus information-flow constraints from those declarations.
invented entities (4)
-
Ghost Kernel
no independent evidence
-
Logic Shutter
no independent evidence
-
Agent Capsule
no independent evidence
-
Semantic Boundary Gateway
no independent evidence
Reference graph
Works this paper leans on
-
[1]
J. H. Saltzer, M. D. Schroeder, The protection of infor- mation in computer systems, Proceedings of the IEEE 63 (1975) 1278–1308
1975
-
[2]
B. W. Lampson, A note on the confinement problem, Communications of the ACM 16 (1973) 613–615
1973
-
[3]
Hardy, Keykos architecture, ACM SIGOPS Operating Systems Review 19 (1985) 8–25
N. Hardy, Keykos architecture, ACM SIGOPS Operating Systems Review 19 (1985) 8–25
1985
-
[4]
J. S. Shapiro, J. M. Smith, D. J. Farber, Eros: a fast capa- bility system, in: Proceedings of the seventeenth ACM symposium on Operating systems principles, 1999, pp. 170–185
1999
-
[5]
R. N. Watson, J. Anderson, B. Laurie, K. Kennaway, Capsicum: Practical capabilities for{UNIX}, in: 19th USENIX Security Symposium (USENIX Security 10), 2010
2010
-
[6]
R. N. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, et al., Cheri: A hybrid capability-system ar- chitecture for scalable software compartmentalization, in: 2015 IEEE Symposium on Security and Privacy, IEEE, 2015, pp. 20–37
2015
-
[7]
Klein, K
G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, et al., sel4: Formal verifica- tion of an os kernel, in: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, 2009, pp. 207–220
2009
-
[8]
Wahbe, S
R. Wahbe, S. Lucco, T. E. Anderson, S. L. Graham, Effi- cient software-based fault isolation, in: Proceedings of the fourteenth ACM symposium on Operating systems princi- ples, 1993, pp. 203–216
1993
-
[9]
Abadi, M
M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti, Control- flow integrity principles, implementations, and applica- tions, ACM Transactions on Information and System Se- curity (TISSEC) 13 (2009) 1–40
2009
-
[10]
A. Haas, A. Rossberg, D. L. Schuff, B. L. Titzer, M. Hol- man, D. Gohman, L. Wagner, A. Zakai, J.-F. Bastien, Bringing the web up to speed with webassembly, in: Pro- ceedings of the 38th ACM SIGPLAN conference on pro- gramming language design and implementation, 2017, pp. 185–200
2017
-
[11]
D. E. Denning, A lattice model of secure information flow, Communications of the ACM 19 (1976) 236–243
1976
-
[12]
Sabelfeld, A
A. Sabelfeld, A. C. Myers, Language-based information- flow security, IEEE Journal on selected areas in commu- nications 21 (2003) 5–19
2003
-
[13]
Greshake, S
K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, M. Fritz, Not what you’ve signed up for: Compromis- ing real-world llm-integrated applications with indirect prompt injection, in: Proceedings of the 16th ACM work- shop on artificial intelligence and security, 2023, pp. 79– 90
2023
-
[14]
S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, Y . Cao, React: Synergizing reasoning and acting in lan- guage models, arXiv preprint arXiv:2210.03629 (2022)
work page internal anchor Pith review Pith/arXiv arXiv 2022
-
[15]
Schick, J
T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, E. Hambro, L. Zettlemoyer, N. Cancedda, T. Scialom, Toolformer: Language models can teach themselves to use tools, Advances in neural information processing systems 36 (2023) 68539–68551. 11
2023
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.