Faramesh: A Protocol-Agnostic Execution Control Plane for Autonomous Agent Systems
- URL: http://arxiv.org/abs/2601.17744v1
- Date: Sun, 25 Jan 2026 08:27:27 GMT
- Title: Faramesh: A Protocol-Agnostic Execution Control Plane for Autonomous Agent Systems
- Authors: Amjad Fatmi
- Abstract summary: Faramesh is a protocol-agnostic execution control plane that enforces execution-time authorization for agent-driven actions. We show how these primitives yield enforceable, predictable governance for autonomous execution.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Autonomous agent systems increasingly trigger real-world side effects: deploying infrastructure, modifying databases, moving money, and executing workflows. Yet most agent stacks provide no mandatory execution checkpoint where organizations can deterministically permit, deny, or defer an action before it changes reality. This paper introduces Faramesh, a protocol-agnostic execution control plane that enforces execution-time authorization for agent-driven actions via a non-bypassable Action Authorization Boundary (AAB). Faramesh canonicalizes agent intent into a Canonical Action Representation (CAR), evaluates actions deterministically against policy and state, and issues a decision artifact (PERMIT/DEFER/DENY) that executors must validate prior to execution. The system is designed to be framework- and model-agnostic, supports multi-agent and multi-tenant deployments, and remains independent of transport protocols (e.g., MCP). Faramesh further provides decision-centric, append-only provenance logging keyed by canonical action hashes, enabling auditability, verification, and deterministic replay without re-running agent reasoning. We show how these primitives yield enforceable, predictable governance for autonomous execution while avoiding hidden coupling to orchestration layers or observability-only approaches.
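The abstract describes a pipeline (canonicalize intent into a CAR, evaluate it deterministically against policy and state, issue a PERMIT/DEFER/DENY artifact the executor must validate, log it append-only keyed by the action hash, replay later without re-running the agent). The following Python is an added illustration of that shape written for this page; it is not Faramesh's code, and the policy table, the shared MAC key, the field names and the sample actions are all assumptions constructed for the example.

```python
"""Toy execution-time authorization boundary in the shape the Faramesh abstract
describes. Added example, not the paper's code; every name below is an assumption."""
import hashlib
import hmac
import json

# Assumed shared secret between the control plane and executors. A real deployment
# would use an asymmetric signature so executors can verify but not mint artifacts.
CONTROL_PLANE_KEY = b"demo-control-plane-key"


def canonicalize(action: dict) -> bytes:
    """Canonical Action Representation: sorted keys, no whitespace, UTF-8.
    Different encodings of the same intent hash identically. Production code
    would use a stricter scheme such as RFC 8785 (JCS) for numbers and strings."""
    return json.dumps(action, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def action_hash(action: dict) -> str:
    return hashlib.sha256(canonicalize(action)).hexdigest()


# Constructed policy: tool name -> rule. Unknown tools are denied by default.
POLICY = {
    "db.write": {"decision": "PERMIT", "max_rows": 100},
    "payments.transfer": {"decision": "DEFER", "auto_permit_below": 50.0},
    "infra.delete_cluster": {"decision": "DENY"},
}


def evaluate(action: dict, state: dict) -> str:
    """Deterministic: same CAR and same state always give the same decision.
    No model is consulted here, so the result is reproducible on replay."""
    tool = action.get("tool")
    args = action.get("args", {})
    rule = POLICY.get(tool)
    if rule is None:
        return "DENY"
    if tool == "db.write" and args.get("rows", 0) > rule["max_rows"]:
        return "DEFER"  # large writes go to a human
    if tool == "payments.transfer":
        if args.get("amount", 0.0) < rule["auto_permit_below"] and state.get("tenant_trusted"):
            return "PERMIT"
        return "DEFER"
    return rule["decision"]


def issue_artifact(action: dict, state: dict) -> dict:
    """Decision artifact bound to the action hash and authenticated by the control plane."""
    body = {"action_hash": action_hash(action), "decision": evaluate(action, state),
            "policy_version": "demo-1"}
    mac = hmac.new(CONTROL_PLANE_KEY, canonicalize(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def executor_validate(action: dict, artifact: dict) -> bool:
    """Executor side of the boundary: re-derive the hash from the action it is
    about to run and check the MAC, so a PERMIT for one action cannot be
    replayed for another and a DENY cannot be flipped in transit."""
    body = {k: v for k, v in artifact.items() if k != "mac"}
    expected = hmac.new(CONTROL_PLANE_KEY, canonicalize(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artifact.get("mac", "")):
        return False
    return body["action_hash"] == action_hash(action) and body["decision"] == "PERMIT"


class ProvenanceLog:
    """Append-only, hash-chained decision log keyed by canonical action hash."""

    def __init__(self):
        self.entries = []

    def append(self, artifact: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"prev": prev, **artifact}
        entry["entry_hash"] = hashlib.sha256(canonicalize(entry)).hexdigest()
        self.entries.append(entry)

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or hashlib.sha256(canonicalize(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def replay(log: ProvenanceLog, actions: dict, state: dict) -> bool:
    """Deterministic replay: re-evaluate each logged action (looked up by hash)
    against policy and state, without any agent reasoning, and compare decisions."""
    return all(evaluate(actions[e["action_hash"]], state) == e["decision"] for e in log.entries)


if __name__ == "__main__":
    # Constructed sample actions an agent might emit.
    write = {"tool": "db.write", "args": {"table": "users", "rows": 10}, "agent": "ops-bot"}
    wipe = {"tool": "infra.delete_cluster", "args": {"cluster": "prod"}, "agent": "ops-bot"}
    state = {"tenant_trusted": True}
    log = ProvenanceLog()
    for act in (write, wipe):
        art = issue_artifact(act, state)
        log.append(art)
        print(act["tool"], art["decision"], "executor runs it:", executor_validate(act, art))
    print("chain ok:", log.verify_chain(),
          "replay ok:", replay(log, {action_hash(a): a for a in (write, wipe)}, state))
```

The point worth noticing is what the executor checks: not "did I receive a PERMIT" but "does this PERMIT's hash equal the hash of the exact action I am about to run", which is what makes the boundary non-bypassable for a compromised or confused agent that tries to reuse an old artifact. The HMAC here is a stand-in; with a shared key an executor could forge artifacts, so a real control plane would sign them.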
Related papers
- Autonomous Action Runtime Management (AARM): A System Specification for Securing AI-Driven Actions at Runtime (arXiv, 2026-02-10)
  This paper introduces Autonomous Action Management (AARM), an open specification for securing AI-driven actions at runtime. AARM intercepts actions before execution, accumulates session context, evaluates against policy and intent alignment, enforces authorization decisions, and records tamper-evident receipts for forensic reconstruction. AARM is model-agnostic, framework-agnostic, and vendor-neutral, treating action execution as the stable security boundary.
- CausalArmor: Efficient Indirect Prompt Injection Guardrails via Causal Attribution (arXiv, 2026-02-08)
  AI agents equipped with tool-calling capabilities are susceptible to Indirect Prompt Injection (IPI) attacks. We propose CausalArmor, a selective defense framework that computes lightweight, leave-one-out attributions at privileged decision points. Experiments on AgentDojo and DoomArena demonstrate that CausalArmor matches the security of aggressive defenses.
- AgentGuardian: Learning Access Control Policies to Govern AI Agent Behavior (arXiv, 2026-01-15)
  AgentGuardian governs and protects AI agent operations by enforcing context-aware access-control policies. It effectively detects malicious or misleading inputs while preserving normal agent functionality.
- CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents (arXiv, 2026-01-14)
  AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior to steal credentials or cause financial loss. We introduce Single-Shot Planning for CUAs, where a trusted planner generates a complete execution graph with conditional branches before any observation of potentially malicious content. Although this architectural isolation successfully prevents instruction injections, we show that additional measures are needed to prevent Branch Steering attacks.
- Executable Ontologies in Game Development: From Algorithmic Control to Semantic World Modeling (arXiv, 2026-01-12)
  We argue that Executable Ontologies (EO) represent a transition from algorithmic behavior programming to semantic world modeling. We show how EO achieves priority-based task interruption through dataflow conditions rather than explicit preemption logic.
- A Blockchain-Monitored Agentic AI Architecture for Trusted Perception-Reasoning-Action Pipelines (arXiv, 2025-12-24)
  The application of agentic AI systems in autonomous decision-making is growing in the areas of healthcare, smart cities, digital forensics, and supply chain management. The paper suggests a single architecture model comprising a LangChain-based multi-agent system with a permissioned blockchain to guarantee constant monitoring, policy enforcement, and immutable auditability of agentic action.
- Breaking and Fixing Defenses Against Control-Flow Hijacking in Multi-Agent Systems (arXiv, 2025-10-20)
  Control-flow hijacking attacks manipulate orchestration mechanisms in multi-agent systems into performing unsafe actions. We propose, implement, and evaluate ControlValve, a new defense inspired by the principles of control-flow integrity and least privilege.
- Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols (arXiv, 2025-10-10)
  We study adaptive attacks by an untrusted model that knows the protocol and the monitor model. We instantiate a simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs.
- Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents (arXiv, 2025-09-16)
  In agentic settings, reasoning, prompt injection, or multi-agent orchestration can silently expand privileges. We introduce Agentic JWT (A-JWT), a dual-faceted intent token that binds each agent's action to verifiable user intent. A-JWT carries an agent's identity as a one-way hash derived from its prompt, tools and configuration.
- DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents (arXiv, 2025-06-13)
  Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities. This interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior. We propose a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control- and data-level constraints.
- CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations (arXiv, 2025-05-14)
  We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It detects and prevents classical attacks on the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
- Keeping Behavioral Programs Alive: Specifying and Executing Liveness Requirements (arXiv, 2024-04-02)
  We propose an idiom for tagging states with "must-finish," indicating that tasks are yet to be completed. We also offer semantics and two execution mechanisms, one based on a translation to Büchi automata and the other based on a Markov decision process (MDP).
- Code Models are Zero-shot Precondition Reasoners (arXiv, 2023-11-16)
  We use code representations to reason about action preconditions for sequential decision making tasks. We propose a precondition-aware action sampling strategy that ensures actions predicted by a policy are consistent with preconditions.
This list is automatically generated from the titles and abstracts of the papers on this site.