This work addresses the challenge of ensuring deterministic policy enforcement in large language model (LLM) agents operating within complex authorization scenarios—such as customer service, approval workflows, and data access control—where conventional approaches often fail to guarantee compliance. To this end, we propose PCAS, the first policy compiler for agent systems, which models system state via dependency graphs, expresses policies declaratively using Datalog rules, and integrates a reference monitor to intercept policy-violating actions prior to execution. By decoupling policy enforcement from model inference and embedding compliance directly into system construction, PCAS automatically synthesizes policy-compliant agent systems without requiring security-oriented redesign. Evaluation across three real-world scenarios demonstrates that our approach increases policy compliance from 48% to 93% and achieves zero runtime violations.

LLM-based agents are increasingly being deployed in contexts requiring complex authorization policies: customer service protocols, approval workflows, data access restrictions, and regulatory compliance. Embedding these policies in prompts provides no enforcement guarantees. We present PCAS, a Policy Compiler for Agentic Systems that provides deterministic policy enforcement. Enforcing such policies requires tracking information flow across agents, which linear message histories cannot capture. Instead, PCAS models the agentic system state as a dependency graph capturing causal relationships among events such as tool calls, tool results, and messages. Policies are expressed in a Datalog-derived language, as declarative rules that account for transitive information flow and cross-agent provenance. A reference monitor intercepts all actions and blocks violations before execution, providing deterministic enforcement independent of model reasoning. PCAS takes an existing agent implementation and a policy specification, and compiles them into an instrumented system that is policy-compliant by construction, with no security-specific restructuring required. We evaluate PCAS on three case studies: information flow policies for prompt injection defense, approval workflows in a multi-agent pharmacovigilance system, and organizational policies for customer service. On customer service tasks, PCAS improves policy compliance from 48% to 93% across frontier models, with zero policy violations in instrumented runs.