Deontic Policies for Runtime Governance of Agentic AI Systems

Abstract


Autonomous agentic AI systems driven by Large Language Models (LLMs) introduce a new class of security, privacy, and compliance challenges. An agent that can invoke tools, manipulate data, install software, and coordinate with peer agents across organizational boundaries must be constrained not just by authentication and access control, but by the full structure of enterprise governance. This includes specifying what agents are permitted and prohibited from doing, what they are obliged to do after certain actions (e.g., notify the CISO), under what conditions a standing obligation may be waived, and which rules take precedence when policies conflict. This governance problem exceeds what current policy engines provide. Systems such as XACML, Rego, and Cedar address only the permit/prohibit subset of this governance structure. They do not provide obligation lifecycle management, meta-policy conflict resolution, dispensations that waive obligations in specific circumstances, or ontological reasoning over domain class hierarchies commonly found in applications such as healthcare, cybersecurity, or data privacy. We propose AgenticRei, which realizes key governance requirements including obligations, dispensations, policy conflict resolutions, and reasoning over policies, as well as the basic permit/prohibit constraints. We use a deontic policy language built on the Rei framework, expressed as OWL (Web Ontology Language) and evaluated at runtime by a high-performance logic engine entirely outside the LLM. The same pipeline governs both tool invocations by the agent and agent-to-agent messages. We show through examples that deontic policies capture governance constraints around security and privacy that largely cannot be expressed in current production engines. Our approach composes naturally with industry-standard frameworks like A2AS.


1. Introduction


By 2026, the rapid deployment of LLM-driven autonomous agents in enterprise environments—from IT operations and financial services to healthcare and cybersecurity—has underscored a critical gap: existing policy engines were not designed for the dynamic, multi-dimensional governance demands of agents that act, communicate, and reason autonomously. Traditional authentication and access control mechanisms are no longer sufficient. Agents must operate within a comprehensive governance framework that captures not just permissions and prohibitions, but also obligations, conditional waivers, and conflict resolution strategies.


2. The Governance Challenge


Current policy systems such as XACML, Rego, and Cedar excel at specifying “permit” and “prohibit” rules, but they are fundamentally limited. They lack:


  • Obligation lifecycle management: The ability to impose, track, waive, or enforce duties (e.g., logging, notifying, or auditing) that arise from agent actions.
  • Dispensations: Exceptions that temporarily or permanently waive obligations under specific circumstances.
  • Meta-policy conflict resolution: Mechanisms to determine priority when multiple policies apply contradictory directives.
  • Ontological reasoning: Support for domain-specific class hierarchies and relationships (common in healthcare, cybersecurity, and data privacy), enabling policies that reason over concepts like “patient” or “classified data.”

3. AgenticRei: A Deontic Policy Approach


We introduce AgenticRei, a runtime governance framework that addresses these limitations. Built on the Rei deontic policy framework, AgenticRei expresses governance constraints using OWL, enabling rich semantic reasoning. Unlike LLM-based policy evaluation, which can be unpredictable and opaque, AgenticRei employs a high-performance logic engine that evaluates policies entirely outside the LLM’s inference loop. This ensures deterministic, auditable decisions for both tool invocations and inter-agent communications.


AgenticRei supports the full deontic spectrum:

  • Permitted / Prohibited: Basic access control.
  • Obligatory / Dispensable: Duties and their conditional waivers.
  • Conflict resolution: Meta-policies that dictate precedence (e.g., “privacy obligations override operational permissions”).

4. Integration with Industry Standards


AgenticRei is designed to compose naturally with frameworks such as A2AS (Agent-to-Agent Streaming), which is gaining traction in 2026 for orchestrating multi-agent systems. By using a standard messaging layer, AgenticRei policies can govern cross-organizational agent interactions without requiring modifications to agent internals.


5. Examples from Security and Privacy


We demonstrate AgenticRei’s expressiveness through practical scenarios:

  • Security incident response: An agent that installs a patch is obliged to notify the CISO within 5 minutes. A dispensation can waive this if the patch is classified as “urgent” by an authorized entity.
  • Healthcare data access: An agent may query patient records (permitted) but must log every access (obligation). A “break-glass” exception waives logging during emergencies.
  • Conflicting policies: A rule that permits data sharing for research conflicts with a privacy policy that prohibits sharing without consent. AgenticRei’s meta-policy engine resolves the conflict by enforcing the privacy rule unless a specific dispensation is active.
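The deontic spectrum from Section 3 and the three scenarios above, as an added illustration that is not AgenticRei's own code or policy language: a small Python evaluator with permit/prohibit verdicts, obligations with deadlines, dispensations that waive a duty, and priority as the meta-policy for conflicts. Action names, context keys, and the 300-second deadline are constructed assumptions; the consent dispensation is modelled as a higher-priority permit rather than a separate rule type.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Rule:
    kind: str                           # "permit" | "prohibit" | "oblige" | "dispense"
    action: str                         # action name (constructed, not AgenticRei vocabulary)
    cond: Callable[[dict], bool] = lambda ctx: True   # applicability condition over context
    duty: Optional[str] = None          # oblige: duty imposed once the action is taken
    deadline_s: Optional[int] = None    # oblige: seconds allowed to discharge the duty
    waives: Optional[str] = None        # dispense: duty that is waived
    priority: int = 0                   # meta-policy: higher priority wins permit/prohibit conflicts

@dataclass
class Decision:
    allowed: bool
    obligations: list = field(default_factory=list)   # [(duty, deadline_s), ...]
    reason: str = ""

def evaluate(rules, action, ctx):
    """Decide `action` under `ctx`: pick the highest-priority permit/prohibit verdict
    (ties go to prohibit, no verdict means deny), then attach obligations that no
    active dispensation waives."""
    applicable = [r for r in rules if r.action == action and r.cond(ctx)]
    verdicts = [r for r in applicable if r.kind in ("permit", "prohibit")]
    if not verdicts:
        return Decision(False, reason="no applicable rule: default deny")
    top = max(r.priority for r in verdicts)
    if any(r.kind == "prohibit" and r.priority == top for r in verdicts):
        return Decision(False, reason="prohibited at priority %d" % top)
    waived = {r.waives for r in applicable if r.kind == "dispense"}
    duties = [(r.duty, r.deadline_s) for r in applicable
              if r.kind == "oblige" and r.duty not in waived]
    return Decision(True, duties, "permitted at priority %d" % top)

# Constructed policy set for the three Section 5 scenarios.
POLICY = [
    Rule("permit", "install_patch"),
    Rule("oblige", "install_patch", duty="notify_ciso", deadline_s=300),
    Rule("dispense", "install_patch", lambda c: bool(c.get("urgent_by_authorized")), waives="notify_ciso"),
    Rule("permit", "query_patient_record"),
    Rule("oblige", "query_patient_record", duty="log_access"),
    Rule("dispense", "query_patient_record", lambda c: bool(c.get("break_glass")), waives="log_access"),
    Rule("permit", "share_data", lambda c: c.get("purpose") == "research", priority=1),
    Rule("prohibit", "share_data", lambda c: not c.get("consent"), priority=2),
    # The consent dispensation is modelled as a permit that outranks the privacy prohibition.
    Rule("permit", "share_data", lambda c: bool(c.get("consent_dispensation")), priority=3),
]
```

Calling `evaluate(POLICY, "install_patch", {})` returns a permit carrying the `notify_ciso` duty with its 300-second deadline, while the same call with `urgent_by_authorized` set returns a permit with no outstanding duty.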

6. Conclusion


AgenticRei demonstrates that deontic policies can capture the full complexity of enterprise governance for autonomous AI systems—going far beyond what current production engines offer. As agentic systems proliferate in 2026 and beyond, frameworks like AgenticRei will be essential for ensuring that agents act not only effectively but also lawfully, ethically, and securely.




Comments: 10 pages, 1 figure. To appear in the 2026 IEEE Symposium on Agentic Services (part of the IEEE Conference on Web Services).


Subjects: Artificial Intelligence (cs.AI); Multiagent Systems (cs.MA)


Cite as: arXiv:2606.19464 [cs.AI]