Language-Based Agent Control

📅 2026-05-12
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing agent systems lack a unified and reliable enforcement of user-defined security policies, such as access control, information flow control, and data provenance. This work proposes the Language-Based Agent Control (LBAC) model, which systematically integrates programming language–level security mechanisms into agent governance for the first time. LBAC employs a static type system to constrain code generated by agents and combines it with runtime enforcement and a capability-based filesystem sandbox to intercept policy violations before execution, all while preserving expressive power. The model uniformly enforces security policies across both agent-generated code and developer-provided scaffolding, supports recursive delegation to sub-agents, and maintains policy consistency throughout. Three case studies—capability-based I/O sandboxing, data provenance tracking, and information flow control—demonstrate LBAC’s ability to provide end-to-end policy guarantees without compromising core functionality.
📝 Abstract
This paper introduces language-based agent control (LBAC), a new programming model for agentic applications that brings techniques from programming languages and language-based security to the problem of agent control. In conventional programming, combinations of static typing and runtime enforcement have long been used to guarantee that well-typed programs satisfy user-specified policies, including policies for access control, information flow, data provenance, and more. The key idea behind LBAC is to extend these guarantees to agentic applications by requiring agents to generate programs that are themselves well typed in the context of the surrounding scaffolding code. Unsafe programs are rejected by the type-checker before execution, allowing policies to apply uniformly across the entire application, including both agent-generated behavior and developer-written scaffolding. At the same time, LBAC preserves substantial expressiveness: agents may perform arbitrary side-effect-free computation and recursively invoke subagents, which retain full tool access subject to the same -- or potentially more restrictive -- policies. We demonstrate LBAC with three case studies: I/O sandboxing via filesystem capabilities, data provenance, and information-flow control.
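The check-before-execute idea from the abstract, as an added illustration that is not code from the paper: a checker for a straight-line fragment of Python that enforces a two-level information-flow policy and fails closed on anything outside the fragment. The scaffolding names (`read_secret`, `send_email`, and so on), the `LOW`/`HIGH` labels and the choice of fragment are assumptions made for this sketch.

```python
import ast

LOW, HIGH = 0, 1  # two-point lattice: LOW may flow to HIGH, never the reverse

# Hypothetical scaffolding API: name -> (highest label allowed per argument, result label)
SCAFFOLD = {
    "read_public": ([], LOW),
    "read_secret": ([], HIGH),
    "concat":      (None, None),   # pure helper: result label is the join of its arguments
    "send_email":  ([LOW], LOW),   # public sink
    "save_vault":  ([HIGH], LOW),  # private sink
}

class PolicyError(Exception):
    pass

def label_of(node, env):
    """Return the label of an expression; reject anything outside the fragment."""
    if isinstance(node, ast.Constant):
        return LOW
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise PolicyError(f"unbound name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        if node.func.id not in SCAFFOLD:
            raise PolicyError(f"call to {node.func.id!r} is not in the scaffolding")
        params, result = SCAFFOLD[node.func.id]
        args = [label_of(a, env) for a in node.args]
        if params is None:
            return max(args, default=LOW)
        if len(args) != len(params):
            raise PolicyError(f"{node.func.id} expects {len(params)} argument(s)")
        if any(got > allowed for got, allowed in zip(args, params)):
            raise PolicyError(f"HIGH data flows into a LOW parameter of {node.func.id}")
        return result
    raise PolicyError(f"unsupported syntax: {type(node).__name__}")

def check(source):
    """Check agent-generated code without running it; return the label of each variable."""
    env = {}
    for stmt in ast.parse(source).body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and stmt.targets[0].id not in SCAFFOLD):
            env[stmt.targets[0].id] = label_of(stmt.value, env)
        elif isinstance(stmt, ast.Expr):
            label_of(stmt.value, env)
        else:
            raise PolicyError(f"unsupported statement: {type(stmt).__name__}")
    return env
```

Because the fragment has no branches or loops, there are no implicit flows to track; a checker for a richer language would also need to label the program counter.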
Problem

Research questions and friction points this paper is trying to address.

agent control
security policies
language-based security
type checking
agentic applications
Innovation

Methods, ideas, or system contributions that make the work stand out.

Language-Based Agent Control
Type Safety
Policy Enforcement
Agentic Applications
Information-Flow Control