AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents

AgenticOS proposes a novel secure operating system architecture that reframes the OS as an "intent filter" rather than a traditional resource manager, utilizing a four-layer design and structured intent declarations to synthesize least-privilege environments that prevent LLM-driven autonomous agents from exceeding their authorized tasks even when compromised.

The Gist

The Big Problem: The "Over-Generous Butler"

Imagine you hire a highly intelligent butler (an AI Agent) to organize your messy study. You tell them, "Please gather the experimental results from the desk, summarize them, and email the summary to my boss."

In today's computer world (the Traditional OS), when you hire this butler, you don't just give them a pen and paper. You give them the keys to the entire house. They get:

• Keys to the front door (Network access).
• Keys to the safe (File system access).
• The ability to call a locksmith to break into other rooms (Process execution).
• The ability to hire their own helpers (Dynamic code loading).

The Danger: If the butler gets confused by a tricky note you wrote (a "prompt injection") or if a tool they bought is secretly broken (a "poisoned supply chain"), they might use those keys to steal your jewelry, break into your neighbor's house, or set up a secret tunnel to the outside world. They have the power to do things you never asked them to do.

The Solution: AgenticOS (The "Intent Filter")

AgenticOS proposes a new way to run these AI agents. Instead of giving the agent a keyring full of keys, the system acts as a strict security guard who only lets the agent do exactly what they promised to do, nothing more.

The paper calls this shifting from a "Resource Manager" (giving keys) to an "Intent Filter" (checking the plan).

The Core Analogy: The "Manifest" vs. The "Keyring"

In AgenticOS, before the agent starts working, they must submit a Manifest. Think of this as a strict shopping list or a flight plan.

• Old Way: "Here is a key to the whole building. Go find what you need."
• AgenticOS Way: "Here is a list: 'I need to read the 'Project_Report.txt' file and send one email to 'boss@company.com'. I do not need a key to the safe, the garage, or the neighbor's house.' If you try to do anything else, the system stops you."

---

The Four Layers of Security (The "Ghost Kitchen")

The paper designs a four-layer architecture to enforce this. Imagine a high-security restaurant kitchen where the chef (the Agent) is in a glass box, and the food (the data) is prepared by machines.

1. The Ghost Kernel (The Invisible Foundation)

   • What it is: The deepest, most secure layer. It's like the concrete floor and the steel beams of the building.
   • What it does: It creates a sealed, invisible room for the agent. It doesn't talk to the agent directly. It just makes sure the agent's room is physically separated from everyone else's. It's called "Ghost" because it's there, but you can't touch it or talk to it directly.

2. The Logic Shutter (The Smart Gatekeeper)

   • What it is: The brain of the security system.
   • What it does: When the agent says, "I want to read this file," the Shutter checks the Manifest.
     • Agent: "I want to read the file."
     • Shutter: "Okay, that's on your list. Go ahead."
     • Agent: "I want to call my friend on the phone."
     • Shutter: "Nope. That's not on your list. Denied."
   • It also keeps a detailed log of every single thing the agent tries to do, like a security camera that writes down exactly what happened.

3. The Agent Capsule (The Glass Box)

   • What it is: The actual room where the agent lives and works.
   • What it does: This is a special environment where the agent runs. Crucially, the doors to the outside world are sealed shut unless the Logic Shutter opens them. The agent cannot just "break out" or use hidden tools because the tools they need are only built after the Shutter checks the Manifest. If the Manifest doesn't say "Network," the agent literally doesn't have a network cable in their room.

4. The Semantic Boundary Gateway (The Translator)

   • What it is: The interface between the glass box and the outside world.
   • What it does: The agent doesn't speak "raw internet code" (like TCP/IP packets). They speak "Intent."
     • Agent: "Send a message to the boss."
     • Gateway: "Okay, I will take that message, check it for viruses, format it nicely, and send it."
   • The agent never sees the raw internet; they only see the result of their request. This stops them from hiding secret messages inside normal-looking data.

How It Stops Attacks

The paper explains how this stops specific types of bad behavior:

• Supply Chain Poisoning: If the agent tries to use a tool that was secretly infected with a virus, the Weaver (a builder tool) checks the tool before the agent even gets it. If the tool tries to do something not on the Manifest, it gets rejected.
• Capability Composition: Sometimes, bad guys combine two "safe" things to make something bad (e.g., "Read a file" + "Send an email" = "Steal data"). AgenticOS looks at the whole chain. It asks, "Is this combination allowed by the Manifest?" If the Manifest only said "Read," but the agent tries to "Read then Email," the system blocks it.
• Covert Channels: Bad agents try to send secret messages by how fast they work or the size of their files. AgenticOS adds "padding" (filler noise) and forces everything to happen on a strict schedule, making it impossible to hide secret codes in the timing or size of messages.

The "Human in the Loop"

The paper emphasizes that for high-risk actions (like transferring money or deleting a database), the system must pause and ask a human for permission.

• Think of this as a safety break. Even if the agent is allowed to do the task, the system forces a "Human Confirmation" step for anything dangerous. This ensures that a confused AI doesn't accidentally crash the company.

The Big Picture: What AgenticOS is NOT

The paper is careful to say what this system is not trying to do:

• It is not trying to replace all software. You can still use your normal apps for browsing the web or playing games.
• It is not trying to make the AI "smarter" or "more trustworthy" on its own. It assumes the AI might be tricked or confused.
• Its Goal: To build a system where, even if the AI is tricked, it physically cannot do anything outside the narrow box of what you asked it to do.

Summary

AgenticOS is like building a secure, automated factory for AI agents.

• Old OS: Gives the agent a master key to the whole city. If the agent goes rogue, the whole city is in danger.
• AgenticOS: Gives the agent a specific, pre-approved task list. The agent works inside a sealed glass box. A smart gatekeeper checks every request against the list. If the agent tries to do something not on the list, the gatekeeper slams the door shut.

It shifts the security question from "Do you have permission to touch this file?" to "Is this action part of the task you promised to do?"

Technical Summary

Technical Summary: AgenticOS

Problem Statement

The emergence of Large Language Model (LLM)-driven autonomous agents introduces a fundamental security mismatch between traditional operating system (OS) models and agent behavior. Traditional OSs operate on a "resource exposure plus permission checks" paradigm, exposing general-purpose primitives (files, networks, processes, memory mappings, dynamic execution) via POSIX-style system calls. While effective for human-operated applications where user intent and application logic jointly define boundaries, this model fails for autonomous agents.

In the agent era, a user authorizes a high-level "task intent" (e.g., "summarize project results"), but the agent runtime often receives broad, low-level resource capabilities. If an agent is compromised via prompt injection, supply-chain poisoning, or malicious tool outputs, an attacker can combine these general primitives to execute behaviors far beyond the user's authorization, such as lateral movement, data exfiltration, or establishing covert channels. The core problem is that current security models constrain resources rather than task intents, making it difficult to prevent the composition of legitimate interfaces into malicious external effects.

Methodology

AgenticOS proposes a paradigm shift from a "resource manager" to an "intent filter." Instead of allowing agents to request low-level resources directly, the system requires agents to submit structured Intent Declarations (Manifests). The system then dynamically synthesizes a least-capability environment and enforces mandatory mediation, auditing, and information-flow constraints on all external effects.

The architecture is built upon four distinct layers with strict one-way dependencies:

1. Ghost Kernel: The minimal trusted computing base (TCB) running at the highest privilege level (e.g., VMM Root or TEE). It provides encrypted memory allocation, deterministic time-slice scheduling, and a root of attestation. Crucially, it exposes no general system-call interfaces to agent runtimes, structurally removing privilege-escalation paths.
2. Logic Shutter: The semantic translation and policy enforcement layer. It performs intent parsing, capability token management, information-flow labeling, and audit logging. It validates whether a requested external effect conforms to the declared Manifest before authorizing the action.
3. Agent Capsule: The restricted runtime environment for the agent code. It operates under a Manifest-Only Runtime principle, where the address space contains only the specific interface stubs (ABI) generated from the Manifest. It lacks general system calls (e.g., exec, fork, mmap, socket) and cannot access raw byte streams or protocol stacks.
4. Semantic Boundary Gateway: The sole controlled boundary between the Agent Capsule and the external world. It handles protocol proxying (SSH, TLS, HTTP), credential hosting, and output normalization. It transforms structured intents into controlled external effects, ensuring no raw protocols or credentials are exposed to the agent.

Key Mechanisms:

• Intent ABI: A specialized application binary interface that replaces general system calls with structured semantic operations (e.g., FetchJSON, UploadArtifact, ModelInfer). It prohibits byte streams and arbitrary execution.
• Weaver: A build-time tool that generates the Agent Capsule environment. It links the agent code with standard semantic libraries, verifying that the code contains no references to undeclared capabilities or prohibited interfaces. It ensures the generated ABI is consistent with the Manifest.
• Capability Tokens: Unforgeable tokens issued by the Logic Shutter that bind capabilities to specific agent identities, Manifests, and request chains, preventing replay attacks and cross-task reuse.
• Skill Ecosystem: A mechanism for introducing new system-native capabilities ("Skills"). New Skills must undergo a rigorous admission process (development, static analysis, testing, signing) before being registered as auditable system components, preventing runtime self-escalation.

Key Contributions

The paper outlines the following primary contributions:

• Intent-Oriented Security Paradigm: Reconstructing the OS security model from resource-based permissions to intent-based filtering, addressing the mismatch between task authorization and resource exposure.
• Four-Layer Architecture: Designing the Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway to provide defense-in-depth with provable isolation.
• Intent ABI and Manifest-Only Runtime: Introducing an interface model where agents access only semantic capabilities derived from task declarations, eliminating direct access to raw system resources.
• Dynamic Capability Generation: Presenting the Weaver mechanism for generating secure, Manifest-compliant runtime environments and defining principles for the admission of AgenticOS-native Skills.
• Security Analysis: Analyzing the architecture's impact on system-call attack surfaces, supply-chain poisoning, capability-composition attacks, intent drift, and covert channels.
• Ecological Boundary Definition: Discussing the migration of software capabilities from application-private functions to system-side, auditable capability objects.

Results and Security Analysis

The paper argues that AgenticOS structurally removes traditional system-call attack surfaces. By eliminating general system calls, dynamic linkers, and raw protocol stacks from the Agent Capsule, traditional escape vectors (e.g., kernel exploits, container escapes via device drivers) are rendered inapplicable.

The analysis highlights several security improvements:

• Supply-Chain and Composition Attacks: By enforcing information-flow labeling and intent-interaction graph analysis, the system prevents the chaining of legitimate interfaces into malicious behaviors (e.g., fetching data, summarizing it, and exfiltrating it).
• Intent Drift: The system mitigates the risk of agents deviating from their declared intent through restricted Domain-Specific Languages (DSLs), conservative static analysis, and mandatory human confirmation for high-risk operations.
• Covert Channels: While not theoretically eliminable, covert channels (timing, size, presence) are compressed to low-bandwidth, monitorable residual risks through output normalization, fixed-time windows, and size padding.
• Trusted Boundaries: The Logic Shutter and Weaver are hardened through decomposition, memory-safe language implementation (e.g., Rust), and formal verification of critical paths.

Significance and Claims

The paper positions AgenticOS not as a replacement for all application forms, but as a necessary evolution of the operating system for the era of autonomous agents. Its significance lies in:

1. Redefining the OS Boundary: Shifting the OS role from a passive resource provider to an active governance layer that hosts, constrains, and composes application capabilities.
2. Bridging the Intent-Resource Gap: Solving the fundamental security tension where users authorize high-level tasks but systems expose low-level primitives.
3. Sustainable Capability Migration: Proposing a path where delegable, semantically abstractable, and auditable software capabilities gradually migrate from private application functions to system-native, revocable Skills.

The authors explicitly state that AgenticOS does not claim to fully "understand" arbitrary code intent (acknowledging the undecidability of the halting problem) nor does it eliminate all risks. Instead, it aims to provide a secure substrate where the "ownership boundary" of general capabilities is redrawn, ensuring that even compromised or misled agents cannot cross the semantic capability boundaries granted by the system. The ultimate goal is to enable a future where software capabilities are declarable, reviewable, and composable within a secure, intent-driven operating system framework.