AI Summary
Large language model (LLM) agents frequently violate policies, disrupt workflows, and introduce security vulnerabilities when executing stateful, complex tasks, primarily due to insufficient visibility into and control over internal data flows. To address this, we propose data flow control (DFC) as a system-level infrastructure embedded within agent architectures, inspired by integrity constraints and access control mechanisms in database management systems (DBMS). We design a portable DFC module and policy engine enabling dynamic monitoring, runtime policy injection, and real-time flow interruption. A prototype system is implemented for database-centric scenarios. Furthermore, we introduce the first comprehensive DFC research framework tailored to the LLM agent ecosystem. Our work establishes both theoretical foundations and practical tools for building secure, compliant, and controllable intelligent agent systems.
Abstract
The promise of Large Language Model (LLM) agents is to perform complex, stateful tasks. This promise is stunted by significant risks - policy violations, process corruption, and security flaws - that stem from the lack of visibility and mechanisms to manage undesirable data flows produced by agent actions. Today, agent workflows are responsible for enforcing these policies in ad hoc ways. Just as data validation and access controls shifted from the application to the DBMS, freeing application developers from these concerns, we argue that systems should support Data Flow Controls (DFCs) and enforce DFC policies natively. This paper describes early work developing a portable instance of DFC for DBMSes and outlines a broader research agenda toward DFC for agent ecosystems.