From Craft to Kernel: A Governance-First Execution Architecture and Semantic ISA for Agentic Computers

arXiv cs.AI / 4/22/2026

💬 OpinionDeveloper Stack & InfrastructureIdeas & Deep AnalysisModels & Research

共有:

Key Points

The paper argues that agentic AI systems remain fragile because the common approach delegates the control loop to LLMs while relying on heuristic guardrails, which does not scale to production reliability.
It introduces Arbiter-K, a governance-first execution architecture that wraps a probabilistic model inside a deterministic, neuro-symbolic kernel.
Arbiter-K uses a Semantic ISA to convert probabilistic messages into discrete instructions, maintaining a Security Context Registry and building an instruction dependency graph at runtime.
With active taint propagation tied to the data-flow lineage of reasoning nodes, the system can block unsafe actions at deterministic “sinks” such as risky tool calls or unauthorized network egress, and can correct or roll back execution when policies are triggered.
Evaluations on OpenClaw and NanoBot report 76%–95% unsafe interception with a 92.79% absolute improvement over native policies, and the code is available on GitHub.

Abstract

The transition of agentic AI from brittle prototypes to production systems is stalled by a pervasive crisis of craft. We suggest that the prevailing orchestration paradigm-delegating the system control loop to large language models and merely patching with heuristic guardrails-is the root cause of this fragility. Instead, we propose Arbiter-K, a Governance-First execution architecture that reconceptualizes the underlying model as a Probabilistic Processing Unit encapsulated by a deterministic, neuro-symbolic kernel. Arbiter-K implements a Semantic Instruction Set Architecture (ISA) to reify probabilistic messages into discrete instructions. This allows the kernel to maintain a Security Context Registry and construct an Instruction Dependency Graph at runtime, enabling active taint propagation based on the data-flow pedigree of each reasoning node. By leveraging this mechanism, Arbiter-K precisely interdicts unsafe trajectories at deterministic sinks (e.g., high-risk tool calls or unauthorized network egress) and enables autonomous execution correction and architectural rollback when security policies are triggered. Evaluations on OpenClaw and NanoBot demonstrate that Arbiter-K enforces security as a microarchitectural property, achieving 76% to 95% unsafe interception for a 92.79% absolute gain over native policies. The code is publicly available at https://github.com/cure-lab/ArbiterOS.