The Agent Rulebook Leaves the Prompt
The June 2026 arXiv paper Deontic Policies for Runtime Governance of Agentic AI Systems, by Anupam Joshi, Tim Finin, Karuna Pande Joshi, and Lalana Kagal, argues that agent governance cannot stop at authentication, access control, or prompt-level instructions. A tool-using agent needs a runtime rule system that can say what is permitted, what is prohibited, what obligations follow from an action, when an obligation is waived, and which rule wins when policies conflict.
The Prompt Is Not the Policy Engine
A prompt can tell an agent to obey policy, but it is not itself a policy engine. It lives inside the same probabilistic context as the user's request, retrieved documents, tool descriptions, conversation history, and other agent messages. That makes prompt-level governance easy to state and hard to enforce. The agent may summarize the rule correctly while still making a tool call that violates the institution's actual control structure.
The Joshi, Finin, Joshi, and Kagal paper makes the boundary sharper. An agent that invokes tools, manipulates data, installs software, and coordinates with peer agents across organizational boundaries needs runtime governance. The authors argue that current policy engines such as XACML, Rego, and Cedar mostly cover permit and prohibit decisions. Enterprise governance also needs obligations, dispensations, conflict resolution, and reasoning over domain classes such as healthcare, cybersecurity, or privacy concepts.
This is related to the site's pages on intent-governed tool authorization, procedural compliance traces, and the agent-to-agent protocol handshake. The difference is the rule form. This paper asks what a machine-readable governance language must express when the agent is already at the action boundary.
What AgenticRei Adds
The paper, arXiv:2606.19464, was submitted on June 17, 2026 and is listed under Artificial Intelligence and Multiagent Systems. It proposes AgenticRei, a runtime governance approach built on the Rei deontic policy framework. The policies are expressed in OWL, the Web Ontology Language, and evaluated by a logic engine outside the LLM. The same pipeline governs both agent tool invocations and agent-to-agent messages.
The paper's architecture has a clear contract. A middleware layer intercepts an outbound action, whether a tool call or an A2A message, and extracts a subject, action, and resource triple from the structured invocation. A policy engine evaluates the triple against Rei-encoded rules and domain ontologies. The middleware then permits the action, prohibits it, or applies default-deny, and may return attached obligations for the agent to satisfy.
The authors state that the prototype implements permission, prohibition, obligation, dispensation, and meta-policy priority resolution over the Rei ontology, with subclass reasoning supplied by RDFox's OWL/RDFS entailment. They also report that credential verification is simulated through trusted-issuer matching in the prototype, while integration with production agent runtimes and cryptographic credential verification remains ongoing work. That limitation matters: the paper is a governance architecture and prototype, not a claim that enterprise deployment is already solved.
Why Obligations Matter
Allow and deny are too small for many institutional duties. A system may be allowed to install software only if it notifies a security officer. A clinical agent may be allowed to read a record only if the access is logged and justified. A financial agent may be allowed to export a report only if the export is tied to a credential issued by the right authority. The policy question is not only whether the action may occur. It is what must happen because the action occurred.
That is why the paper's treatment of obligations and dispensations is important. An obligation records a duty attached to a permitted action. A dispensation releases the actor from that duty under specified circumstances. Meta-policies decide which rule takes precedence when an organizational prohibition, project permission, and regulatory exception collide. Ontological reasoning lets the rule apply to a category, so a policy written for regulated data can cover future subclasses without rewriting every attribute list.
For agent governance, this changes the audit question. A log that says a tool call was allowed is incomplete. Reviewers need to know which policy version was loaded, which rule matched, which credentials were presented, which obligation was created, whether it was discharged, and which conflict-resolution rule resolved the decision.
Governance Standard
A serious agent platform should keep governance decisions outside the model loop. The LLM can propose, explain, and request. It should not be the final authority on whether a controlled action satisfies policy. Action-boundary middleware should extract structured facts, consult an external policy engine, default-deny on failure, and preserve a structured audit record.
The policy language should be richer than a tool allowlist. It should express permissions, prohibitions, obligations, dispensations, trusted credential issuers, domain classes, and rule priority. It should work for both tool calls and agent-to-agent messages, because an agent can cause harm by sending data or instructions to another agent even when no local shell command runs.
The paper's audit detail is especially useful. It describes structured decision records that include the matched rule, latency, credential issuers, and a hash of the loaded policy knowledge base. A stronger production version would also preserve enough staged request context to reproduce contested decisions. That is the bridge between AI audit trails and runtime enforcement.
What This Changes
The agent rulebook leaves the prompt when a rule becomes something the system enforces, not something the model is asked to remember. The shift is small in interface terms and large in institutional terms. Governance moves from advice to infrastructure.
The Spiralist rule is practical: if an agent can act, the institution needs a policy engine at the action boundary. Prompts can carry norms. Runtime policy decides authority. Audit records decide whether the institution can later prove what happened, under whose rule, and with which unresolved obligation still attached.
Sources
- Anupam Joshi, Tim Finin, Karuna Pande Joshi, and Lalana Kagal, Deontic Policies for Runtime Governance of Agentic AI Systems, arXiv:2606.19464 [cs.AI], submitted June 17, 2026.
- arXiv experimental HTML for Deontic Policies for Runtime Governance of Agentic AI Systems, reviewed June 24, 2026.
- Related pages: The Tool Scope Becomes the Intent Gate, The Compliance Trace Becomes the Rulebook, The Agent-to-Agent Protocol Becomes the Handshake, The Agent Identity Becomes the Service Account, The Agent Log Becomes the Receipt, The Agent Team Becomes the Trust Graph, AI Agents, Model Context Protocol, and AI Audit Trails.