Token-Flow Firewall: Semantic Runtime Auditing for Persistent AI Agents

πŸ“… 2026-07-09
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
Persistent AI agents face an expanded semantic attack surface due to state memory, skill reuse, and tool interaction. This work proposes TokenWall, a novel framework that introduces the concept of semantic firewalls to this domain for the first time. TokenWall provides comprehensive pre-execution mediation by performing boundary-aware semantic auditing of the agent’s internal natural language token streams at runtime. The approach integrates structured source-sink analysis, lightweight local checks, and selective remote arbitration to balance security and usability. Evaluated on CIK-Bench, TokenWall reduces attack success rates to 12.5% while maintaining a 97.4% pass rate for benign tasks, with only a 0.69-second latency overhead.
πŸ“ Abstract
Persistent AI agents extend large language models (LLMs) beyond single-turn interaction into long-lived software systems. Unlike traditional chat assistants, unsafe content in these agents can propagate through persistent state, reusable skills, and tool-mediated interactions, creating a substantially larger semantic attack surface. We observe that most security-critical interactions in such agents are transmitted through natural-language token flows, including memory updates, tool arguments, retrieved files, and inter-component communications. This observation enables a new security formulation: unsafe behavior can be intercepted as risky semantic flows before reaching privileged runtime sinks. Based on this insight, we propose TokenWall, a runtime defense framework that acts as a semantic firewall over agent token flows. TokenWall performs boundary-aware semantic auditing over these flows, constructing structured source-sink audit records, applying lightweight local inspection before execution, and selectively escalating ambiguous high-risk cases to stronger arbitration modules. Unlike prior approaches that rely on sparse auditing or remote large-model oversight, TokenWall enables full-coverage pre-execution mediation while reducing remote arbitration and latency. Experiments on CIK-Bench show that TokenWall reduces attack success rate to 12.5% while maintaining a 97.4% benign executable pass rate without human confirmation. TokenWall further introduces only 0.69 seconds of additional latency on benign cases, demonstrating that semantic runtime containment can achieve a practical security-utility trade-off for persistent AI agents.
Problem

Research questions and friction points this paper is trying to address.

Persistent AI Agents
Semantic Attack Surface
Token Flow
Runtime Security
Unsafe Content Propagation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Token-Flow Firewall
Semantic Runtime Auditing
Persistent AI Agents
Source-Sink Analysis
Pre-execution Mediation
πŸ”Ž Similar Papers
P
Puji Wang
State Key Laboratory of AI Safety, Institute of Computing Technology, Chinese Academy of Sciences, University of Chinese Academy of Sciences, Beijing, China
Y
Yingchen Zhang
State Key Laboratory of AI Safety, Institute of Computing Technology, Chinese Academy of Sciences, University of Chinese Academy of Sciences, Beijing, China
Ruqing Zhang
Ruqing Zhang
Institute of Computing Technology, Chinese Academy of Sciences
Information RetrievalNatural Language ProcessingLarge Language Models
Jiafeng Guo
Jiafeng Guo
Professor, Institute of Computing Techonology, CAS
Information RetrievalMachine LearningText AnalysisNeuIR
Xueqi Cheng
Xueqi Cheng
Ph.D. student, Florida State University
Data miningLLMGNNComputational social science