Sovereign Agentic Loops: Decoupling AI Reasoning from Execution in Real-World Systems

arXiv: 2604.22136 · PDF

Authors: Jun He, Deying Yu

Affiliations: OpenKedge.io

Primary category: cs.CR · all: cs.CR, cs.LG

Matched keywords: large language model, llm, agent, agentic, reasoning, latency

TL;DR

Sovereign Agentic Loops (SAL) is a control-plane architecture that decouples LLM reasoning from execution: models emit structured intents with justifications, which a control plane validates against real system state and policy before any API call mutates a system.

Key Ideas

• Passing stochastic LLM outputs directly to execution layers is unsafe because correctness, context awareness, and alignment cannot be assumed at execution time.
• Agents should emit structured intents with justifications rather than raw API calls.
• An obfuscation membrane limits model access to identity-sensitive state.
• A cryptographically linked Evidence Chain enables auditability and deterministic replay.
• Formal guarantees: policy-bounded execution, identity isolation, deterministic replay.

Approach

SAL inserts a control plane between the LLM and execution layer. The model produces structured intents annotated with justifications; the control plane checks them against true system state and policy. The obfuscation membrane restricts what identity-sensitive state the model can see, and the Evidence Chain cryptographically links every intent, validation, and execution step for replay and audit. The authors formalize the architecture and prove the three guarantees above under stated assumptions.

Experiments

Evaluated via the OpenKedge prototype for cloud infrastructure management. The benchmark measures: fraction of unsafe intents blocked at policy layer, fraction rejected by consistency checks, rate of unsafe executions that slip through, and added latency overhead. Baselines and dataset details are not specified in the abstract.

Results

• 93% of unsafe intents blocked at the policy layer.
• Remaining 7% rejected via consistency checks.
• Zero unsafe executions in the benchmark.
• 12.4 ms median added latency. Abstract reports claims hold up within the prototype; generalization beyond OpenKedge is not quantified.

Why It Matters

For agent and AI-infra practitioners building LLM agents that mutate production systems (cloud ops, databases, finance), SAL offers a concrete pattern to bound blast radius without trusting model outputs. Structured intents + policy validation + cryptographic audit log is a deployable template for safer agentic automation.

Connections to Prior Work

• Tool-using / ReAct-style agents — SAL constrains their execution path.
• Policy-as-code / admission control (Kubernetes OPA, IAM) — applied to agent intents.
• Confidential computing & capability-based security — echoed in the obfuscation membrane.
• Provenance / tamper-evident logs (Merkle chains, transparency logs) — Evidence Chain analogue.
• Constitutional AI & guardrail frameworks — SAL pushes checks to execution time rather than training.

Open Questions

• How are policies authored and kept in sync with evolving systems?
• What is the failure mode when legitimate intents are falsely rejected (the 7% path)?
• How does SAL scale to multi-agent or long-horizon workflows beyond single API calls?
• Robustness against adversarial models crafting justifications to slip past validators.
• Generality beyond OpenKedge’s cloud-infrastructure domain.

Original abstract

Large language model (LLM) agents increasingly issue API calls that mutate real systems, yet many current architectures pass stochastic model outputs directly to execution layers. We argue that this coupling creates a safety risk because model correctness, context awareness, and alignment cannot be assumed at execution time. We introduce Sovereign Agentic Loops (SAL), a control-plane architecture in which models emit structured intents with justifications, and the control plane validates those intents against true system state and policy before execution. SAL combines an obfuscation membrane, which limits model access to identity-sensitive state, with a cryptographically linked Evidence Chain for auditability and replay. We formalize SAL and show that, under the stated assumptions, it provides policy-bounded execution, identity isolation, and deterministic replay. In an OpenKedge prototype for cloud infrastructure, SAL blocks 93% of unsafe intents at the policy layer, rejects the remaining 7% via consistency checks, prevents unsafe executions in our benchmark, and adds 12.4 ms median latency.