Governed MCP: Kernel-Level Tool Governance for AI Agents via Logit-Based Safety Primitives

This paper introduces Governed MCP, a kernel-resident tool governance gateway implemented in the Rust-based Anima OS that enforces robust, non-bypassable safety for AI agent tool calls through a six-layer pipeline featuring a novel logit-based semantic check (ProbeLogits), demonstrating that such deep integration is essential to prevent adversarial bypasses that defeat existing userspace guardrails.

The Gist

Imagine you've hired a very smart, incredibly fast, but slightly reckless personal assistant (an AI Agent) to run your house. This assistant can open doors, turn on lights, order groceries, and even call the police.

The problem is: You can't trust the assistant to police itself.

The Problem: The "Self-Policing" Flaw

Currently, most AI safety systems work like this: You give the assistant a notebook of rules (a Python library) and say, "Before you do anything, check your notebook."

But here's the catch: The assistant holds the notebook. If the assistant gets confused, tricked, or decides to be naughty, it can simply:

1. Ignore the notebook (don't open it).
2. Tear out the pages (delete the rules).
3. Write fake rules (change the notebook to say "It's okay to burn the house down").

Because the safety rules live in the same room as the assistant, the assistant can always cheat. It's like asking a thief to guard the jewelry box while they are holding the key.

The Solution: The "Bouncer in the Basement"

This paper proposes a new system called Governed MCP. Instead of giving the assistant a notebook, we build a fortified security checkpoint in the basement of the house (the Operating System Kernel).

Here is how it works, using a simple analogy:

1. The Setup

• The Assistant (The Agent): Lives in a glass cage (a sandbox). It can see the house, but it cannot touch the doors or the locks directly.
• The Bouncer (The Gateway): A super-secure guard standing at the only door leading out of the glass cage. The guard lives in the basement (the Kernel), a place the assistant cannot enter or touch.
• The Request: Every time the assistant wants to do something (like "Open the front door" or "Call the fire department"), it must shout its request up to the Bouncer.

2. The Six-Layer Security Check

The Bouncer doesn't just say "Yes" or "No." He runs the request through a 6-step assembly line:

1. The ID Check (Schema Validation): "Is this request even written correctly? Did you ask for a door when you should have asked for a light?"
2. The Clearance Badge (Trust Tier): "Do you have the right security badge to ask for this? A low-level assistant can't ask to open the bank vault."
3. The Speed Limit (Rate Limit): "Whoa, slow down! You're asking to open 50 doors a second. That's suspicious."
4. The Code Breaker (Adversarial Pre-filter): "I see you're trying to hide your request in a secret code (like Base64) or using tricky words to trick me. No go."
5. The Mind Reader (The "ProbeLogits" Gate): This is the most important part. The Bouncer has a super-brain (a small AI model) that reads the intent behind the words.
   • Example: If the assistant says, "I want to clean the floor," the Bouncer's brain checks: "Is he actually trying to flood the basement?"
   • If the brain senses danger, it slams the door shut. This is the only layer that truly understands meaning, not just keywords.
6. The Constitution (Policy Match): "Even if it's not dangerous, does it break our family rules? (e.g., 'No pets allowed')."

3. The "Fail-Safe" Rule

If the Bouncer's super-brain ever crashes or gets sick, the system has a rule: "If in doubt, lock everything down." The doors stay shut until the Bouncer is fixed. This is called Fail-Closed. It's better to be stuck inside than to let a disaster happen.

Why This Matters

The paper proves two huge things:

1. You can't just use rules; you need a brain.
   The researchers tested what happens if they remove the "Mind Reader" (Layer 5) and only keep the simple rules. The system failed miserably. It let dangerous requests slip through because the bad guys learned how to phrase their requests in tricky ways. The "Mind Reader" was the only thing stopping them.

2. You can't cheat the Bouncer.
   Because the Bouncer lives in the basement (the Kernel) and the assistant is in the glass cage, the assistant physically cannot reach up and change the Bouncer's rules. It's structurally impossible to bypass.

The Bottom Line

This paper says: "Stop trusting AI to watch itself."

We need to move safety checks from the "living room" (where the AI lives) to the "foundation of the house" (the Operating System). By building a secure, unbreakable gate that checks the meaning of every single action an AI tries to take, we can finally let AI agents run our tools without worrying they will accidentally (or intentionally) burn the house down.

It's like upgrading from a "Please don't steal" sign on the door to a high-tech, unbreakable vault with a guard who can read your mind.

Technical Summary

1. Problem Statement

The paper addresses a critical security gap in the deployment of autonomous AI agents. As agents increasingly utilize the Model Context Protocol (MCP) to call external tools (file systems, networks, APIs), these tool calls function as "syscalls" with privileged side effects. However, current safety enforcement mechanisms (e.g., NeMo Guardrails, AGT schemas) operate entirely in userspace within the same process and privilege domain as the agent.

The Core Vulnerability: Because safety libraries share the agent's privilege boundary, they are structurally bypassable. An agent (or a compromised tool) can:

1. Skip imports: Simply not load the safety library.
2. Monkey-patch: Overwrite library functions in memory to return "allowed."
3. Inject verdicts: Mutate the dictionary returned by the safety check before the agent acts on it.

The paper argues that without a kernel-resident enforcement point, no amount of userspace hardening can prevent an agent from bypassing its own safety constraints.

2. Methodology: Governed MCP

The author proposes Governed MCP, a kernel-resident governance gateway implemented in Anima OS, a bare-metal x86_64 operating system written in Rust (~86,000 lines).

System Architecture

• Trust Boundary: The AI agent runs as WASM bytecode in a sandboxed environment (via Cranelift). The gateway resides in Kernel Ring 0.
• Mediation: The agent cannot directly access host services. All 15 WASM-to-system host functions (including mcp_call_tool) route through a single mediated entry point: governance_check_host().
• Fail-Closed Semantics: If the inference engine is unavailable, the system denies all tool calls by default.

The Six-Layer Pipeline

Every tool call traverses a fixed 6-layer pipeline:

1. Schema Validation: JSON-RPC parsing and MCP spec matching (Type/field checks).
2. Trust Tier Check: Verifies the agent's trust level (e.g., System vs. Classic) against the tool's requirements.
3. Rate Limiting: Token-bucket limits per agent and tool to prevent DoS.
4. Adversarial Pre-filter: O(n) regex DFA scan for known prompt injection patterns (e.g., base64, "ignore previous instructions").
5. ProbeLogits Gate (Semantic Core): The load-bearing layer. It performs a single forward pass through a loaded inference model (e.g., Qwen 2.5-7B) to read logits at a specific "verbalizer" position (e.g., "Safe" vs. "Dangerous"). It does not generate text; it classifies intent based on probability scores.
6. Constitutional Policy: A 12-principle rule match (e.g., "No writing to /etc/shadow") applied after semantic analysis.

Audit Mechanism: Every decision is appended to a Blake3-hashed audit chain in a ring buffer, ensuring tamper-evident logging within a boot session.

3. Key Contributions

1. First Kernel-Resident MCP Gateway: The system places semantic safety enforcement below the agent's privilege boundary, making structural bypasses (like monkey-patching) impossible.
2. ProbeLogits Primitive: Introduces a logit-based safety check that reads the model's internal "dangerous" vs. "safe" logits without full text generation, significantly reducing latency compared to standard classifiers.
3. Complete Mediation of WASM ABI: Empirical verification that all 123 reachable synchronous agent-to-system paths route through the gateway, satisfying the "complete mediation" principle of reference monitors.
4. Open-Source Implementation: A fully functional bare-metal OS implementation (AGPL-3.0) demonstrating that kernel-grade governance is feasible without proprietary silicon or hypervisors.

4. Experimental Results

The system was evaluated on Anima OS (native boot, AMD Ryzen 9800X3D) using a 7B parameter model (Q4_0 quantized).

• Performance Overhead:

  • Non-inference layers (1-4, 6): Add only 65.3 µs of latency per call.
  • ProbeLogits Layer (Layer 5): Adds 65 ms per call (dominated by the 7B model forward pass).
  • Total End-to-End: ~66 ms per tool call.
  • Throughput: ~15 governed tool calls per second (single-threaded).

• Ablation Study (The "Load-Bearing" Finding):

  • Full Pipeline (6 layers): Achieved F1 = 0.773 on a 101-prompt MCP benchmark.
  • Without ProbeLogits (Layers 1-4 + 6 only): F1 collapsed to 0.327 ($\Delta F1 = -0.446$).
  • Conclusion: Hand-rule firewalling (schema, regex, policies) is insufficient. Semantic understanding via the ProbeLogits layer is essential for detecting adversarial euphemisms and multi-step attacks.

• Comparison to Userspace Alternatives:

  • NeMo Guardrails: Requires multiple LLM round-trips (2–5 seconds latency) and is bypassable.
  • Llama Guard 3: Requires full autoregressive generation (~1.06s latency) and is bypassable.
  • Governed MCP: 65 ms latency and structurally un-bypassable.

5. Significance and Implications

• Paradigm Shift: The paper argues that tool-call governance must move from an application-layer concern (Python libraries) to an OS primitive (kernel mediation).
• Security Guarantee: By moving the check to the kernel, the system eliminates the "privilege gap" where the agent controls the safety check.
• Feasibility: Demonstrates that semantic safety checks can be integrated into the OS kernel with manageable overhead (65ms) and high reliability (Fail-Closed).
• Future Work: The author identifies the need for GPU/NPU offloading to reduce latency below 10ms, post-execution probing of tool outputs (to catch indirect prompt injection), and community-led red-teaming benchmarks.

In summary, Governed MCP proves that AI agents require a "kernel-grade" security model similar to traditional operating systems, where safety enforcement is a privileged, non-bypassable layer that understands semantic intent, rather than a userspace library that can be easily circumvented.