Deontic Policies for Runtime Governance of Agentic AI Systems

What Happened

A new preprint on arXiv (2606.19464) proposes a framework called "Deontic Policies" for runtime governance of agentic AI systems. The core problem it addresses is that LLM-driven agents—which can autonomously invoke tools, manipulate data, install software, and coordinate with other agents—introduce novel security, privacy, and compliance risks that traditional static policy mechanisms cannot manage. The authors argue that existing approaches (like prompt engineering or post-hoc auditing) are insufficient because they either fail to constrain agent behavior in real time or lack formal guarantees about compliance.

The deontic policy framework draws from deontic logic (the logic of obligation, permission, and prohibition) to define a set of rules that govern agent actions at runtime. Rather than relying solely on the LLM's internal alignment or a static list of forbidden actions, this approach embeds a separate policy engine that evaluates each proposed action against a formal policy specification before execution. If an action violates a policy—for example, attempting to access a restricted API or share data with an unauthorized peer agent—the engine can block, modify, or log the action in real time.

Why It Matters

This research tackles a fundamental tension in agentic AI: how to give LLMs enough autonomy to be useful while preventing them from causing harm. Current approaches often swing between two extremes—either heavily restricting agent capabilities (which limits utility) or trusting the LLM's alignment (which is brittle and easily bypassed). Deontic policies offer a middle path: a formal, auditable layer of control that operates independently of the LLM's reasoning.

For enterprise deployments, this is critical. Agentic systems that can install software or coordinate with other agents pose real risks—an agent could accidentally exfiltrate customer data, overwrite critical files, or trigger cascading failures across a multi-agent network. A runtime governance layer that can enforce policies like "never write to production databases" or "only share anonymized data with peer agents" provides a safety net that no amount of prompt engineering can guarantee.

The formal nature of deontic policies also matters for compliance. Regulators increasingly demand explainable and auditable AI systems. A policy engine that logs every decision—including which rule blocked an action and why—creates a transparent audit trail that satisfies both internal governance and external regulatory requirements.

Implications for AI Practitioners

First, this framework suggests that the future of agentic AI will likely involve a separation of concerns: the LLM handles reasoning and planning, while a separate policy engine handles constraint enforcement. Practitioners building agent systems today should consider whether their current architecture allows for such a decoupled governance layer, or whether they are relying too heavily on the LLM itself to self-regulate.

Second, implementing deontic policies requires a shift in how we think about agent design. Instead of just defining what an agent can do, teams must explicitly define what it must do, what it may do, and what it must not do—and encode these as machine-readable rules. This demands collaboration between AI engineers, security teams, and domain experts to craft policies that are both precise and complete.

Third, this work highlights a growing need for tooling and standards around agent governance. As multi-agent systems become more common, the ability to share and enforce policies across heterogeneous agents will be essential. Practitioners should watch for emerging open-source policy engines or industry standards that build on these ideas.

Key Takeaways

• Deontic policies provide a formal, runtime governance layer for agentic AI, enabling real-time enforcement of security, privacy, and compliance rules independent of the LLM's reasoning.
• This approach addresses a critical gap: current methods (prompt engineering, post-hoc auditing) are insufficient for autonomous agents that can install software and coordinate with peers.
• For practitioners, this implies a need to architect agent systems with a decoupled policy engine, and to invest in cross-team collaboration to define precise, machine-readable rules.
• The framework offers a path toward auditable, regulator-friendly agentic AI by logging every policy decision and creating transparent compliance trails.