Sovereign Agentic Loops: Decoupling AI Reasoning from Execution in Real-World Systems

arXiv cs.LG / 4/27/2026

💬 Opinion · Ideas & Deep Analysis · Models & Research

Key Points

  • The paper argues that common LLM-agent designs tightly couple stochastic model outputs to real system execution, creating safety risks when correctness and policy adherence can’t be guaranteed at runtime.
  • It proposes Sovereign Agentic Loops (SAL), a control-plane architecture in which models produce structured “intents” with justifications, and a separate control plane validates them against actual system state and policy before anything is executed (a minimal sketch of this flow follows the list).
  • SAL adds an “obfuscation membrane” to limit model access to identity-sensitive state, and uses a cryptographically linked Evidence Chain to enable auditing and deterministic replay.
  • The authors formalize SAL’s guarantees (policy-bounded execution, identity isolation, deterministic replay) and evaluate a prototype built on OpenKedge for cloud infrastructure.
  • In the prototype, SAL blocks 93% of unsafe intents at the policy layer, rejects the remaining 7% via consistency checks, prevents all unsafe executions in the paper’s benchmark, and adds about 12.4 ms of median latency.
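
To make the intent-validation flow concrete, here is a minimal Python sketch under assumptions the post does not spell out: the `Intent` dataclass, the `policy_allows` check, the `consistency_ok` check, and the `redact_identity` membrane function are illustrative names, not the paper’s API, and the example policy rule is invented for demonstration.

```python
from dataclasses import dataclass

# Hypothetical identity-sensitive keys hidden from the model by the
# obfuscation membrane (illustrative; the paper defines its own scope).
IDENTITY_KEYS = {"owner_email", "api_key", "account_id"}

@dataclass
class Intent:
    """Structured intent emitted by the model instead of a raw API call."""
    action: str        # e.g. "scale_service"
    target: str        # resource the action applies to
    params: dict       # proposed arguments
    justification: str # model-supplied reasoning for the action

def redact_identity(state: dict) -> dict:
    """Obfuscation membrane: strip identity-sensitive fields before the
    model ever sees system state."""
    return {k: v for k, v in state.items() if k not in IDENTITY_KEYS}

def policy_allows(intent: Intent, state: dict) -> bool:
    """Policy layer: check the intent against the *true* (unredacted)
    system state. Illustrative rule: only scale services that exist,
    and never beyond a configured replica cap."""
    if intent.action != "scale_service":
        return False
    svc = state.get("services", {}).get(intent.target)
    if svc is None:
        return False
    return intent.params.get("replicas", 0) <= svc.get("max_replicas", 0)

def consistency_ok(intent: Intent, state: dict) -> bool:
    """Secondary consistency check: reject intents whose parameters
    contradict the current state snapshot (here, scaling to the replica
    count the service already has)."""
    svc = state["services"][intent.target]
    return intent.params.get("replicas") != svc.get("replicas")

def control_plane_step(intent: Intent, state: dict) -> str:
    """Validate-then-execute: nothing reaches the real system unless
    both the policy layer and the consistency check pass."""
    if not policy_allows(intent, state):
        return "rejected: policy"
    if not consistency_ok(intent, state):
        return "rejected: consistency"
    return "executed"  # a real executor would issue the API call here
```

In this sketch the caller holds the true state, passes `redact_identity(state)` to the model, receives an `Intent`, and runs `control_plane_step(intent, state)`; the model never sees the unredacted state and never calls the executor directly.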

Abstract

Large language model (LLM) agents increasingly issue API calls that mutate real systems, yet many current architectures pass stochastic model outputs directly to execution layers. We argue that this coupling creates a safety risk because model correctness, context awareness, and alignment cannot be assumed at execution time. We introduce Sovereign Agentic Loops (SAL), a control-plane architecture in which models emit structured intents with justifications, and the control plane validates those intents against true system state and policy before execution. SAL combines an obfuscation membrane, which limits model access to identity-sensitive state, with a cryptographically linked Evidence Chain for auditability and replay. We formalize SAL and show that, under the stated assumptions, it provides policy-bounded execution, identity isolation, and deterministic replay. In an OpenKedge prototype for cloud infrastructure, SAL blocks 93% of unsafe intents at the policy layer, rejects the remaining 7% via consistency checks, prevents unsafe executions in our benchmark, and adds 12.4 ms median latency.
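
The Evidence Chain is described only as “cryptographically linked”; the sketch below assumes a simple hash chain over canonical JSON records, which is one common way to get a tamper-evident audit log with ordered, replayable entries. All names (`EvidenceChain`, `verify`, `replay`) are illustrative, not the paper’s format.

```python
import hashlib
import json

def _digest(record: dict, prev_hash: str) -> str:
    """Hash the canonical JSON of a record together with the previous
    entry's hash, linking each entry to its predecessor."""
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class EvidenceChain:
    """Append-only, hash-linked log of intents, validation verdicts, and
    executed effects (illustrative structure)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: list[dict] = []

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(record, prev)})

    def verify(self) -> bool:
        """Audit: recompute every link; any mutation breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(e["record"], prev):
                return False
            prev = e["hash"]
        return True

    def replay(self):
        """Deterministic replay: yield records in append order, so the
        same sequence of validated intents and effects can be re-run."""
        yield from (e["record"] for e in self.entries)
```

Under this assumption, each control-plane decision (intent, verdict, executed effect) is appended as one record; `verify()` gives auditors tamper evidence, and `replay()` feeds the ordered records back into a deterministic executor.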