AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the structural security risks posed by large language model–driven autonomous agents to traditional operating systems, whose “resource exposure plus permission check” model proves inadequate—once compromised, attackers can abuse low-level resources to perform privilege-escalated operations. To mitigate this, the paper proposes AgenticOS, an intent-centric secure operating system architecture that treats structured agent intents as the entry point for system calls. The kernel synthesizes a least-privilege execution environment and enforces mandatory mediation, end-to-end auditing, and information flow control. Built upon a four-layer design—comprising the Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway—and leveraging an Intent ABI, Manifest-Only Runtime, and Weaver capability mechanism, AgenticOS redefines the OS role from resource manager to intent filter, enabling semantic-level security governance of AI behaviors and substantially reducing the risk of resource misuse following agent hijacking.
📝 Abstract
Traditional OS security models based on "resource exposure plus permission checks" face structural challenges as LLM-driven autonomous agents acquire capabilities for planning, tool use, network access, and code execution. Once an agent runtime is compromised through prompt injection or malicious tool outputs, an attacker can compose POSIX-style resource primitives into behaviors far beyond the user's task authorization. To address this, we propose AgenticOS, an intent-oriented secure OS architecture that consolidates delegable, auditable software capabilities into OS-native ones rather than replacing all applications. The core insight is to reframe the OS from a "resource manager" into an "intent filter": instead of requesting low-level resources directly, agents submit structured intent declarations, from which the system synthesizes a least-privilege environment with mandatory mediation, auditing, and information-flow constraints. At the implementation level, we introduce a four-layer architecture -- Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway -- together with the Intent ABI, Manifest-Only Runtime, Weaver-based capability generation, and an admission model for AgenticOS-native Skills.
Problem

Research questions and friction points this paper is trying to address.

autonomous AI agents
operating system security
intent-oriented architecture
privilege escalation
resource primitives
Innovation

Methods, ideas, or system contributions that make the work stand out.

intent-oriented security
autonomous AI agents
capability-based OS
least-privilege synthesis
structured intent declaration
Z
Zhen Zhao
Tencent Cloud Computing (Beijing) Co., Ltd., Beijing 100080, China
Yu Zhang
Yu Zhang
University of Science and Technology of China
Efficient AI SystemsProgramming SystemsProgram AnalysisMulti-Modal Perception
Y
Yanpeng Zhu
Tencent Cloud Computing (Beijing) Co., Ltd. Shanghai Branch, Shanghai 200030, China
J
Jia Wang
Shenzhen Tencent Computer System Co., Ltd., Shenzhen 518057, China
S
Songqiao Tao
Shenzhen Tencent Computer System Co., Ltd., Shenzhen 518057, China
X
Xin Cheng
Shenzhen Tencent Computer System Co., Ltd., Shenzhen 518057, China
J
Jiexin Gao
Office of Informatization Development and Management, South-Central Minzu University, Wuhan 430074, China