The Agent Immune System Becomes the Runtime Boundary
A June 2026 arXiv paper argues that agent security cannot live only at the perimeter. Once agents have memory, tools, and peers, the runtime itself becomes the place where defense has to operate.
Runtime Is the Threat Surface
Agent security changes when the system stops being a single answer box. A tool-using agent reads external context, carries memory, calls APIs, delegates to peers, and may revise its own harness. A harmful instruction can become a memory record, a tool-description trap, a poisoned peer message, or a policy update that survives the original prompt.
The useful frame is therefore runtime integrity. A model can be trained to prefer safe behavior and still be steered after deployment by the state around it. The question becomes: what can detect, contain, remember, and recover from attacks while the agent is already acting?
The Paper Frame
The source is Bo Shen, Lifeng Chang, Tianyuan Wei, Yunpeng Li, Feng Shi, Yichen Han, Peijie Gao, Shiyi Kuang, Xin Chang, and Dehui Li's Agent-Native Immune System: Architecture, Taxonomy, and Engineering, arXiv:2606.28270 [cs.AI], submitted June 26, 2026. The arXiv record also lists Multiagent Systems as a subject.
The paper presents the Agent-Native Immune System, or ANIS, as a conceptual architecture for defenses embedded inside the agent's cognitive loop. Its premise is specific: perimeter security and training-time alignment remain important, but they do not by themselves handle runtime hijacking through memory poisoning, tool-chain manipulation, or multi-agent protocol attacks.
The Six-Layer Tower
The central design object is a six-layer Immune Tower. L0 is a hardware trust root for identity and attestation. L1 is barrier immunity: sandboxing, input isolation, API gateways, and MCP boundary proxies before the agent reasons over a threat. L2 is innate cognitive defense. L3 is adaptive tool defense. L4 is ecological governance for inter-agent protocols and trust chains. L5 is collective immunity, where agents share threat intelligence and vaccine-like defenses.
The important design move is L1. A sandbox or least-privilege gate should not wait for the model to decide whether it is safe. Some safety work has to happen outside the text stream and before reasoning begins.
Viruses and Vaccines
The paper classifies "agent viruses" by attack surface: cognitive, memory, tool, and multi-agent. A cognitive attack targets reasoning or goal stability. A memory attack poisons or hijacks persistent state. A tool attack manipulates descriptions, fake errors, or invocation paths. A multi-agent attack spoofs protocol identity or poisons trust chains.
It then classifies "agent vaccines" by mechanism and scope. Non-parametric vaccines include rules, prompts, access-control lists, hashes, sandboxes, and message formats. Parametric vaccines include steering vectors, LoRA adapters, defensive embeddings, tool-selection biases, and shared defense weights. A prompt-level rule is easier to inspect and reverse; a parametric defense may be harder to bypass, but harder to audit and more exposed to overfitting.
The Harness Loop
ANIS borrows from harness engineering and redirects it toward defense. Self-harness monitors reasoning traces, memory access, and tool-call graphs for anomalies. Meta-harness evaluates candidate defenses using traces, health scores, vaccine coverage, and an Autoimmunity Rate. Auto-harness synthesizes and deploys defensive code after testing.
The loop is called Continual Immune Learning. A detected antigen triggers candidate defensive edits; high-autoimmunity candidates are rejected; accepted candidates become harness rules or parametric vaccines; and peer agents may receive the defense through an attested vaccine message. Even if the engineering remains unproven, the governance idea is strong: defenses need provenance, scope, version, expiry, efficacy, and false-positive records.
Alignment Is Not Immunity
The paper's cleanest distinction is between model alignment and agent immunity. Alignment supplies the broad normative training target: what the agent should value or refuse. Immunity supplies runtime protection: how the deployed system detects that its memory, tools, peers, or own reasoning have been compromised.
That split avoids a common category error. A model can be aligned in the training sense and still be operationally unsafe when wrapped in a careless tool harness. The inverse is also a risk: a system optimized for self-preservation or attack resistance without a human welfare compass can become rigid, over-defensive, or institutionally unaccountable.
Governance Reading
ANIS is best read as a governance vocabulary for agent operations. It says defenses should be assigned to the layer where the attack actually works. A memory poison is not solved only by a final-answer filter. A malicious tool description is not solved only by asking the model to be careful. A fake peer identity is not solved only by content moderation.
A deployable version would need immune receipts: agent identity, harness version, active barriers, memory-write policy, tool hashes, peer-authentication rules, vaccine IDs, false-positive thresholds, escalation rules, and rollback. Without those receipts, "agent immunity" is only a metaphor.
Limits and Failure Modes
The paper is explicit that it is a conceptual framework and architectural blueprint. It says empirical validation of steering-vector vaccines, LoRA vaccines, and the Harness Triad under realistic attack conditions remains ongoing work. It also identifies computational overhead as a problem because continuous self-auditing and candidate-vaccine evaluation can add latency.
The most important limit is autoimmunity. A sensitive immune system may block legitimate work, while a permissive one may miss attacks. The paper defines Autoimmunity Rate as a false-positive intervention measure and describes threshold selection as underdeveloped. It also flags standardization gaps, multimodal immunity, liability, and unequal access to parametric defenses. Those limits should travel with any citation of the paper.
Audit Receipt
The audit-grade sentence is: Shen and coauthors propose ANIS, a layered conceptual architecture for agent-native runtime defense that separates hardware identity, non-cognitive barriers, cognitive checks, adaptive tool defenses, ecological governance, and collective immunity.
The receipt is: an agent immune claim should be accepted only when the threat surface, layer assignment, defense mechanism, provenance, false-positive rate, update path, rollback route, and empirical validation status are inspectable.
Sources
- Bo Shen, Lifeng Chang, Tianyuan Wei, Yunpeng Li, Feng Shi, Yichen Han, Peijie Gao, Shiyi Kuang, Xin Chang, and Dehui Li, Agent-Native Immune System: Architecture, Taxonomy, and Engineering, arXiv:2606.28270 [cs.AI], submitted June 26, 2026.
- Primary versions checked: experimental HTML and PDF.
- Related pages: The Agent Sandbox Becomes the Airlock, The Tool Call Becomes the Privacy Boundary, The MCP Server Becomes the Leakage Boundary, The Agent Log Becomes the Receipt, and The Agent Audit Becomes the Security Scanner.