🤖 AI Summary
This work addresses the risk of privilege overreach by autonomous agents during post-deployment continual learning. It proposes a permission-constraining architecture grounded in cryptographic identity binding and semantic-effect gating. At agent initialization, the authorized operational boundary is cryptographically frozen, and a formal verification mechanism dynamically monitors the semantic effects—rather than syntactic names—of proposed actions. This approach uniquely internalizes permission constraints as architectural invariants, guaranteeing that even under agent self-modification or misconfigured safety policies, the system cannot exceed its initial authorization. Empirical evaluation on an open-ended tool-use benchmark demonstrates zero execution of policy-violating behaviors without compromising task success rates, while exhibiting strong generalization to unseen classes of prohibited actions.
📝 Abstract
Autonomous agents are moving from sandboxed text generators to operators of code, data, and physical infrastructure, and they increasingly learn while deployed. This reopens a question that alignment techniques answer only probabilistically: after an agent has adapted in the field, is the running system still confined to what its operator authorised? Here we show that confinement can be guaranteed as an invariant of the agent's execution architecture rather than a probabilistic outcome of its training. Governed individuation binds an agent at boot to a cryptographically frozen identity digest, and routes every action through a gate defined over the semantic effect of the action rather than its name. We prove that no amount of learning, skill acquisition, or self-induced governance abstraction can widen the agent's permitted authority without an operator-signed change to its identity; the guarantee holds even when the agent induces its own safety principle and that principle is wrong. Empirically, in an open-ended tool-use benchmark where a large action space rules out name-based blocking, ungoverned software agents under reward pressure attempt to tamper with their own evaluation at a task-dependent rate that reaches every run on the hardest task, whereas the gate reduces executed forbidden effects to zero as a verified property of the construction while preserving task success. An adversarial evaluation of monitors of increasing semantic depth shows false-allows falling from 75% (name-based gating) to zero (dynamic effect tracing), and refusal history transfers compliance to held-out red-line families. Trust in a deployed learning agent shifts from a wager on its continued alignment to a check anyone can run at boot.