Securing Multi-Tool AI Agent Chains With Dynamic, Real-Time Compositional Policies

📅 2026-07-03
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the risk that multi-tool AI agents may violate organizational security policies when dynamically composing tools due to conflicting or overlapping strategies. To mitigate this, the paper proposes the Dynamic Security Control Composer (DSCC), which establishes a dual-layer defense by integrating static synthesis of the most restrictive policy during session initialization with runtime data taint tracking. This approach ensures that any toolchain extension only tightens—never relaxes—security constraints and enables real-time termination of operations based on actual data sensitivity. DSCC incorporates a Most Restrictive Set (MRS) algorithm, monotonic taint-state tracking, a policy model aligned with NIST SP 800-53, and a chain-aware execution framework. Experiments demonstrate that, across 32 tools and 16 policies, DSCC’s default mode blocks 79.2% of policy-violating two-tool compositions and 95.5% of three-tool violations, effectively balancing security and functionality.
📝 Abstract
Modern AI agent implementations such as frontier coding agents chain multiple tools at runtime that create a security surface that per-tool guardrails are unable to address, as individually permitted tools can violate organizational policies when composed. We propose the Dynamic Security Control Compositor (DSCC), a two-phase approach to compositional security for multi-tool agent chains. In Phase 1, at session checkout, a Most Restrictive Set (MRS) algorithm composes per-tool security policies into a single effective policy with a formal monotonicity invariant that extending a chain can only tighten the result, blocking incompatible combinations before any tool executes. Outputs of any tool call propagate their classification constraints into a session-level taint state, so subsequent invocations must satisfy the most restrictive constraints seen so far. In Phase 2, at runtime, the system tracks the sensitivity of data the agent touches through a monotonic taint state and revokes the session if the accumulated exposure would make a subsequent tool call a policy violation. Together, these phases provide defense in depth, where static composition prevents unsafe chains from starting, and runtime taint tracking catches violations that emerge from the specific data used. We provide a reference implementation on 32 tools governed by 16 NIST SP 800-53 aligned policies and evaluate it under two composition modes. In the default clearance mode, permitted combinations are partitioned into classification-level clusters, blocking 79.2% of policy pairs and 95.5% of triples. The alternative taint mode admits mixed-classification chains within the exfiltration boundary, blocking 42.5% and 60.5% respectively. We discuss the governance implications for organizations deploying multi-tool agents, including the utility-security tradeoff and the changes needed to operationalize chain-aware policies.
Problem

Research questions and friction points this paper is trying to address.

multi-tool AI agents
compositional security
policy violation
tool chaining
security governance
Innovation

Methods, ideas, or system contributions that make the work stand out.

compositional security
dynamic taint tracking
multi-tool AI agents
Most Restrictive Set (MRS)
policy composition
🔎 Similar Papers