Sovereign Agentic Loops: Decoupling AI Reasoning from Execution in Real-World Systems

Authors: Jun He, Deying Yu

Affiliations: OpenKedge.io

Primary category: cs.CR · all: cs.CR, cs.LG

Matched keywords: large language model, llm, agent, agentic, reasoning, latency

TL;DR

Sovereign Agentic Loops (SAL) is a control-plane architecture that decouples LLM reasoning from execution: models emit structured intents with justifications, which are validated against true system state and policy before any mutation. A prototype blocks unsafe actions with 12.4 ms median overhead.

Key Ideas

Direct coupling of stochastic LLM outputs to execution layers is unsafe; model correctness and alignment cannot be assumed at runtime.
Models should emit structured intents with justifications, not raw API calls.
An obfuscation membrane limits model access to identity-sensitive state.
A cryptographically linked Evidence Chain enables auditability and deterministic replay.
Formal guarantees: policy-bounded execution, identity isolation, deterministic replay.

Approach

SAL inserts a control plane between the LLM and execution layer. The model produces structured intents plus justifications; the control plane validates each intent against true system state and policy before dispatching it. The obfuscation membrane mediates what identity-sensitive state the model can observe, and every decision is recorded in a cryptographically chained Evidence Log that supports replay. The authors formalize the architecture and prove the safety properties under stated assumptions.

Experiments

Evaluated in an OpenKedge prototype for cloud infrastructure. The benchmark measures: (i) fraction of unsafe intents blocked at the policy layer, (ii) fraction caught by consistency checks, (iii) whether any unsafe execution slips through, and (iv) added latency. Baselines and dataset details are not specified in the abstract.

Results

93% of unsafe intents blocked at the policy layer.
Remaining 7% rejected via consistency checks.
Zero unsafe executions in the benchmark.
12.4 ms median added latency.

Claims are internally consistent; external comparison is not reported in the abstract.

Why It Matters

SAL gives agent/infra practitioners a concrete pattern for safely wiring LLMs into mutating APIs: keep the model in an advisory role, centralize policy and state checks, and make every action replayable. The low latency overhead suggests this pattern is viable for production cloud control planes, not just research demos.

Connections to Prior Work

Relates to tool-use / function-calling agents, policy-as-code and OPA-style authorization, capability-based security, confidential computing / identity isolation, and audit log integrity via hash chains (akin to Merkle/ledger techniques). The intent-plus-justification pattern echoes constitutional / guarded decoding but shifts enforcement out of the model.

Open Questions

How are policies authored, versioned, and kept in sync with system state?
What is the false-positive rate on legitimate intents, and how does latency scale with policy complexity?
Robustness to adversarial justifications that superficially satisfy checks.
Generality beyond cloud infrastructure (e.g., code, finance, robotics).
Details of the OpenKedge benchmark and comparison against alternative guardrails.

Figures

Figure 1: Page 2 (rendered)

Figure 2: Page 3 (rendered)

Figure 3: Page 4 (rendered)

Original abstract

Large language model (LLM) agents increasingly issue API calls that mutate real systems, yet many current architectures pass stochastic model outputs directly to execution layers. We argue that this coupling creates a safety risk because model correctness, context awareness, and alignment cannot be assumed at execution time. We introduce Sovereign Agentic Loops (SAL), a control-plane architecture in which models emit structured intents with justifications, and the control plane validates those intents against true system state and policy before execution. SAL combines an obfuscation membrane, which limits model access to identity-sensitive state, with a cryptographically linked Evidence Chain for auditability and replay. We formalize SAL and show that, under the stated assumptions, it provides policy-bounded execution, identity isolation, and deterministic replay. In an OpenKedge prototype for cloud infrastructure, SAL blocks 93% of unsafe intents at the policy layer, rejects the remaining 7% via consistency checks, prevents unsafe executions in our benchmark, and adds 12.4 ms median latency.