
arxiv: 2605.25653 · v1 · pith:MTHLVU67new · submitted 2026-05-25 · 💻 cs.DC · cs.MA

When Agents Control Robots: A Zero Trust Policy Model for Agentic Cyber-Physical Systems

Pith reviewed 2026-06-29 20:34 UTC · model grok-4.3

classification 💻 cs.DC cs.MA
keywords: zero trust policy model, agentic cyber-physical systems, robotic arm control, large foundation models, security primitives, physical impact tiers, multi-agent systems, actuation boundary

The pith

Zero Trust Policy Model with physical impact tiers enforces safety at the actuation boundary in agent-controlled robots.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines risks when large foundation models direct industrial robots through natural language in multi-agent setups. It uses the Cobot-Claw four-agent system for UR3e arm control to identify five attack classes specific to these deployments. The authors introduce ZTPM, a model with 25 typed primitives across five domains and physical impact tiers as a runtime dimension. Tests across 60 execution traces on two backends reveal that actuation parameter selection varies by model and lacks determinism. This evidence supports the need for policy enforcement directly before physical actions occur.

Core claim

We analyse this threat landscape through Cobot-Claw, a deployed four-agent system for UR3e robotic arm control, and identify five attack classes specific to agentic cyber-physical systems. We propose ZTPM, a Zero Trust Policy Model comprising 25 typed primitives across five enforcement domains with Physical Impact Tiers as a runtime policy dimension. An empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating the need for policy-level enforcement at the physical actuation boundary.

What carries the argument

ZTPM, the Zero Trust Policy Model with 25 typed primitives across five enforcement domains and Physical Impact Tiers as a runtime policy dimension, applied at the physical actuation boundary.

If this is right

  • Policy enforcement must occur at the physical actuation boundary to handle non-deterministic outputs from different models.
  • The five attack classes require dedicated primitives within the five enforcement domains of ZTPM.
  • Physical Impact Tiers allow runtime policy decisions scaled to potential real-world consequences.
  • Deployments of natural-language robot control by multiple agents need structured policy models beyond standard IT security.
  • Security failures in these systems produce physical outcomes, making boundary-level primitives essential.
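The enforcement point these bullets call for, as an added example that is not code from the paper or from the Cobot-Claw system. The page does not list ZTPM's 25 primitives or its tier definitions, so the tier names, the numeric thresholds, the command fields and the rule ordering below are assumptions made for illustration. The constructed sample shows why the check belongs at the actuation boundary rather than in the prompt: three commands stand in for three model backends that translate the same request into different speeds, and the policy maps them deterministically to allow, allow-with-approval and deny regardless of which model produced them.

```python
"""Illustrative policy enforcement point (PEP) at the robot actuation boundary.

Added example; not code from the paper or from Cobot-Claw. The tier names,
thresholds, command fields and rule ordering are assumptions chosen to
illustrate tier-scaled enforcement between an agent's proposed command and
the arm controller.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class ImpactTier(IntEnum):
    """Assumed Physical Impact Tiers, ordered by worst-case physical consequence."""
    NONE = 0    # read-only queries, nothing moves
    LOW = 1     # slow motion or gentle grasp inside the work envelope
    MEDIUM = 2  # fast motion or high force, still inside the envelope
    HIGH = 3    # leaves the envelope or exceeds hard limits: never executed


@dataclass(frozen=True)
class ActuationCommand:
    """What an agent proposes after translating a natural-language request (assumed fields)."""
    agent: str
    action: str                       # "get_state", "move_linear", "set_gripper"
    speed_mm_s: float = 0.0
    force_n: float = 0.0
    target_mm: Tuple[float, float, float] = (0.0, 0.0, 0.0)


@dataclass
class Policy:
    """Static, model-independent limits configured by the operator (assumed values)."""
    allowed_actions: Dict[str, Set[str]]
    envelope_mm: Tuple[Tuple[float, float], ...] = ((-300, 300), (-300, 300), (0, 400))
    max_speed_mm_s: float = 250.0
    max_force_n: float = 40.0
    approval_tier: ImpactTier = ImpactTier.MEDIUM  # at or above this tier a human must confirm


@dataclass
class Decision:
    allow: bool
    tier: ImpactTier
    needs_human_approval: bool = False
    reasons: List[str] = field(default_factory=list)


def classify_tier(cmd: ActuationCommand, pol: Policy) -> ImpactTier:
    """Map concrete actuation parameters to a tier. Deterministic by construction:
    the same parameters always yield the same tier, whichever model proposed them."""
    if cmd.action == "get_state":
        return ImpactTier.NONE
    inside = all(lo <= v <= hi for v, (lo, hi) in zip(cmd.target_mm, pol.envelope_mm))
    if not inside or cmd.speed_mm_s > pol.max_speed_mm_s or cmd.force_n > pol.max_force_n:
        return ImpactTier.HIGH
    if cmd.speed_mm_s > 0.4 * pol.max_speed_mm_s or cmd.force_n > 0.4 * pol.max_force_n:
        return ImpactTier.MEDIUM
    return ImpactTier.LOW


def enforce(cmd: ActuationCommand, pol: Policy) -> Decision:
    """Decide whether the command may reach the controller. Authorization is
    checked before physical parameters so that an agent that must never
    actuate is refused even for a low-tier command."""
    reasons: List[str] = []
    if cmd.action not in pol.allowed_actions.get(cmd.agent, set()):
        reasons.append(f"agent {cmd.agent!r} is not authorized for {cmd.action!r}")
    tier = classify_tier(cmd, pol)
    if tier == ImpactTier.HIGH:
        reasons.append("parameters exceed the physical envelope or hard limits")
    needs_approval = not reasons and tier >= pol.approval_tier
    return Decision(allow=not reasons, tier=tier,
                    needs_human_approval=needs_approval, reasons=reasons)


# Constructed sample: three backends turn the same request, "move the part to
# the bin", into different speeds. This stands in for the model-dependent
# parameter selection the page reports; the values are made up.
POLICY = Policy(allowed_actions={"executor": {"get_state", "move_linear", "set_gripper"},
                                 "planner": {"get_state"}})
SAME_REQUEST_DIFFERENT_MODELS = [
    ActuationCommand("executor", "move_linear", speed_mm_s=60.0, target_mm=(120.0, -40.0, 90.0)),
    ActuationCommand("executor", "move_linear", speed_mm_s=180.0, target_mm=(120.0, -40.0, 90.0)),
    ActuationCommand("executor", "move_linear", speed_mm_s=400.0, target_mm=(120.0, -40.0, 90.0)),
]


def decide_all(cmds: List[ActuationCommand], pol: Policy = POLICY) -> List[Decision]:
    """Evaluate a batch of proposed commands against one static policy."""
    return [enforce(c, pol) for c in cmds]


if __name__ == "__main__":
    for cmd, d in zip(SAME_REQUEST_DIFFERENT_MODELS, decide_all(SAME_REQUEST_DIFFERENT_MODELS)):
        print(f"speed={cmd.speed_mm_s:>5} -> tier={d.tier.name:6} allow={d.allow} "
              f"approval={d.needs_human_approval} {'; '.join(d.reasons)}")
```

The design point is that the policy never reads the natural-language request or trusts which agent or model authored the command; it only sees typed parameters and a static envelope, so variance upstream cannot change the outcome for a given set of parameters. Where a higher tier applies, the command is held for a human rather than silently clamped, because clamping would execute a motion the operator never reviewed.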

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could extend to other agent-controlled physical systems such as autonomous vehicles or drones where model variance creates similar risks.
  • Further traces on additional robot hardware would test whether the non-determinism finding holds beyond the UR3e arm.
  • Integration of these physical-tier primitives with existing IT zero-trust architectures might create unified policies across digital and physical layers.
  • The model-dependence result points to a wider verification challenge for any safety-critical action generated by large foundation models.

Load-bearing premise

The Cobot-Claw four-agent system and the five identified attack classes represent the broader threat landscape for agentic cyber-physical systems.

What would settle it

Showing that actuation parameter selection remains consistent and deterministic across different large foundation model backends would remove the main motivation for policy enforcement at the physical boundary.

Figures

Figures reproduced from arXiv: 2605.25653 by Kavishka Fernando, Susan Rea, Tharindu Ranathunga.

Figure 1: Generic MA-CPS architecture for agentic robotic control, showing en… (image: figures/full_fig_p004_1.png)
Figure 2: ZTPM policy primitives and enforcement outcomes. (image: figures/full_fig_p008_2.png)
Figure 3: Case study: Cobot-Claw.
Text captured alongside Figure 3, from the paper's Section 5 (Evaluation & Discussion), 5.1 System Instantiation: "We evaluate ZTPM by instantiating it on Cobot-Claw, a deployed four-agent robotic control system for natural language operation of a Universal Robots (UR) UR3e industrial robotic arm. This evaluation is a first step toward empirical validation: in this work, we ground ZTPM in a real robotic deployment, map the formal MA-CPS model to…"
Figure 4: Runtime PIT behaviour and ZTPM attack coverage. (image: figures/full_fig_p011_4.png)
Original abstract

Multi-agent systems powered by large foundation models (LFMs) are increasingly deployed to control industrial robots through natural language, creating deployments in which security failures produce physical consequences. We analyse this threat landscape through Cobot-Claw, a deployed four-agent system for UR3e robotic arm control, and identify five attack classes specific to agentic cyber-physical systems. We propose ZTPM, a Zero Trust Policy Model comprising 25 typed primitives across five enforcement domains with Physical Impact Tiers as a runtime policy dimension. An empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating the need for policy-level enforcement at the physical actuation boundary.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript analyzes security threats in multi-agent systems where large foundation models (LFMs) control industrial robots through natural language. Using the deployed Cobot-Claw four-agent system for UR3e robotic arm control as a case study, it identifies five attack classes specific to agentic cyber-physical systems. It proposes ZTPM, a Zero Trust Policy Model with 25 typed primitives across five enforcement domains that incorporates Physical Impact Tiers as a runtime dimension. An empirical evaluation across 60 execution traces on two LFM backends is presented as initial evidence that actuation parameter selection is model-dependent and non-deterministic, motivating policy-level enforcement at the physical actuation boundary.

Significance. If the empirical motivation and attack-class analysis hold, the work could establish a structured zero-trust policy framework tailored to the physical consequences of LFM-driven actuation, filling a gap between conventional zero-trust models and cyber-physical deployments. The explicit enumeration of 25 primitives and the introduction of Physical Impact Tiers provide concrete, enforceable artifacts that future implementations could adopt or extend.

major comments (2)
  1. [Abstract] Abstract: The assertion that 'an empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic' supplies no information on trace-generation protocol, prompt controls across backends, temperature/sampling settings, number of repetitions per condition, or any statistical test distinguishing model effects from noise. Because this claim is the sole empirical motivation for introducing ZTPM, the absence of these details renders the motivation unverifiable and load-bearing for the central thesis.
  2. [Threat analysis] Threat analysis section: The representativeness of the Cobot-Claw four-agent system and the five identified attack classes for the broader agentic CPS threat landscape is asserted without additional case studies, literature mapping, or justification. Since the 25 ZTPM primitives are derived directly from these classes and the Cobot-Claw deployment, lack of evidence for representativeness weakens the generality of the proposed model.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thorough review and constructive comments. We address each major comment below.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The assertion that 'an empirical evaluation across 60 execution traces on two LFM backends provides initial evidence that actuation parameter selection is model-dependent and non-deterministic' supplies no information on trace-generation protocol, prompt controls across backends, temperature/sampling settings, number of repetitions per condition, or any statistical test distinguishing model effects from noise. Because this claim is the sole empirical motivation for introducing ZTPM, the absence of these details renders the motivation unverifiable and load-bearing for the central thesis.

    Authors: We agree that additional details are required to substantiate the empirical claim. In the revised version, we will provide a detailed description of the trace-generation protocol, including how prompts were controlled across backends, the temperature and sampling settings used, the number of repetitions per condition, and any statistical tests applied to distinguish model effects. This information will be incorporated into the methods section and referenced in the abstract. revision: yes

  2. Referee: [Threat analysis] Threat analysis section: The representativeness of the Cobot-Claw four-agent system and the five identified attack classes for the broader agentic CPS threat landscape is asserted without additional case studies, literature mapping, or justification. Since the 25 ZTPM primitives are derived directly from these classes and the Cobot-Claw deployment, lack of evidence for representativeness weakens the generality of the proposed model.

    Authors: The analysis is grounded in the Cobot-Claw deployment as a concrete case study. To address the concern regarding generality, we will add a discussion in the threat analysis section that maps the identified attack classes to related work in cyber-physical systems security and multi-agent systems literature, providing justification for their broader applicability. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical traces presented as independent motivation for proposed policy model

full rationale

The paper contains no equations, derivations, or mathematical claims. ZTPM is introduced as a new policy model after analyzing the Cobot-Claw system and identifying five attack classes; the 60 execution traces are described only as supplying 'initial evidence' that motivates policy enforcement at the actuation boundary. No step reduces a claimed result to its own inputs by construction, no fitted parameters are relabeled as predictions, and no self-citation chain is invoked to justify uniqueness or core premises. The central argument is therefore self-contained as a threat-modeling exercise plus an empirical observation offered as motivation rather than a derived quantity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 2 invented entities

The central claim rests on the domain assumption that LFM-powered multi-agent systems are increasingly deployed for robot control and on the invention of ZTPM and Physical Impact Tiers without independent evidence of their effectiveness beyond the 60 traces.

axioms (1)
  • domain assumption Multi-agent systems powered by large foundation models are increasingly deployed to control industrial robots through natural language, creating deployments in which security failures produce physical consequences.
    Opening premise of the abstract that frames the entire threat analysis and model proposal.
invented entities (2)
  • ZTPM no independent evidence
    purpose: Zero Trust Policy Model comprising 25 typed primitives across five enforcement domains
    Newly proposed construct whose effectiveness is motivated but not independently verified beyond the described traces.
  • Physical Impact Tiers no independent evidence
    purpose: Runtime policy dimension within ZTPM
    Introduced as a novel dimension; no external validation supplied.

pith-pipeline@v0.9.1-grok · 5654 in / 1398 out tokens · 39342 ms · 2026-06-29T20:34:08.741918+00:00


Reference graph

Works this paper leans on

17 extracted references · 4 canonical work pages · 1 internal anchor

  1. [1] Amazon Web Services: Cedar Policy Language Specification. https://cedarpolicy.com/ (2024)
  2. [2] Anthropic: Model Context Protocol: Authorization Specification. https://modelcontextprotocol.io/specification/ (2025)
  3. [3] Brohan, A., et al.: RT-2: Vision-Language-Action Models Transfer Web Knowledge to Robotic Control. arXiv:2307.15818 (2023)
  4. [4] Cloud Security Alliance: Agentic AI Threat Modeling Framework: MAESTRO. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro (Feb 2025)
  5. [5] International Electrotechnical Commission: IEC 62443 Series: Security for Industrial Automation and Control Systems. IEC Standard Series (2021)
  6. [6] International Organization for Standardization: Robots and robotic devices — collaborative robots (2016)
  7. [7] Microsoft Security: New Tools and Guidance: Announcing Zero Trust for AI. Microsoft Security Blog, https://www.microsoft.com/en-us/security/blog/ (Mar 2026)
  8. [8] MITRE: MITRE ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems. https://atlas.mitre.org (2024)
  9. [9] OASIS: eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, https://docs.oasis-open.org/xacml/3.0/ (2013)
  10. [10] Open Policy Agent: OPA Documentation. https://www.openpolicyagent.org/ (2023)
  11. [11] OWASP GenAI Security Project: OWASP Top 10 for Large Language Model Applications and Agentic AI. https://genai.owasp.org/ (2025)
  12. [12] Rebedea, T., Dinu, R., Sreedhar, M.N., Parisien, C., Cohen, J.: NeMo Guardrails: A Toolkit for Controllable and Safe LLM Applications with Programmable Rails. In: Proceedings of EMNLP 2023: System Demonstrations (2023)
  13. [13] Red Hat Emerging Technologies: Zero Trust for Autonomous Agentic AI Systems. https://next.redhat.com/ (Feb 2026)
  14. [14] Rose, S., Borchert, O., Mitchell, S., Connelly, S.: Zero Trust Architecture. Tech. Rep. NIST Special Publication 800-207, National Institute of Standards and Technology (2020). https://doi.org/10.6028/NIST.SP.800-207
  15. [15] Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., Hahn, A.: Guide to ICS Security. Tech. Rep. NIST Special Publication 800-82 Rev. 3, National Institute of Standards and Technology (2023). https://doi.org/10.6028/NIST.SP.800-82r3
  16. [16] Woodruff, J.: The Agentic Trust Framework: Zero Trust Governance for AI Agents. Cloud Security Alliance Technical Report (Feb 2026)
  17. [17] Xing, W., Li, M., Li, M., Han, M.: Towards Robust and Secure Embodied AI: A Survey on Vulnerabilities and Attacks. arXiv:2502.13175 (2025)