π€ AI Summary
Persistent AI agents face an expanded semantic attack surface due to state memory, skill reuse, and tool interaction. This work proposes TokenWall, a novel framework that introduces the concept of semantic firewalls to this domain for the first time. TokenWall provides comprehensive pre-execution mediation by performing boundary-aware semantic auditing of the agentβs internal natural language token streams at runtime. The approach integrates structured source-sink analysis, lightweight local checks, and selective remote arbitration to balance security and usability. Evaluated on CIK-Bench, TokenWall reduces attack success rates to 12.5% while maintaining a 97.4% pass rate for benign tasks, with only a 0.69-second latency overhead.
π Abstract
Persistent AI agents extend large language models (LLMs) beyond single-turn interaction into long-lived software systems. Unlike traditional chat assistants, unsafe content in these agents can propagate through persistent state, reusable skills, and tool-mediated interactions, creating a substantially larger semantic attack surface. We observe that most security-critical interactions in such agents are transmitted through natural-language token flows, including memory updates, tool arguments, retrieved files, and inter-component communications. This observation enables a new security formulation: unsafe behavior can be intercepted as risky semantic flows before reaching privileged runtime sinks. Based on this insight, we propose TokenWall, a runtime defense framework that acts as a semantic firewall over agent token flows. TokenWall performs boundary-aware semantic auditing over these flows, constructing structured source-sink audit records, applying lightweight local inspection before execution, and selectively escalating ambiguous high-risk cases to stronger arbitration modules. Unlike prior approaches that rely on sparse auditing or remote large-model oversight, TokenWall enables full-coverage pre-execution mediation while reducing remote arbitration and latency. Experiments on CIK-Bench show that TokenWall reduces attack success rate to 12.5% while maintaining a 97.4% benign executable pass rate without human confirmation. TokenWall further introduces only 0.69 seconds of additional latency on benign cases, demonstrating that semantic runtime containment can achieve a practical security-utility trade-off for persistent AI agents.