The Safety Rule Becomes the Revision Ledger
A June 2026 arXiv paper studies how symbolic safety rules for LLM agents can evolve from labeled execution traces without becoming opaque classifiers.
The Rule Is Not Finished at Launch
Agent safety is often described as a choice between hard rules and adaptive models. The hard rule is inspectable but brittle. The adaptive model can learn from feedback but becomes harder to audit. Production agents complicate that split because new tools, model behavior, prompts, and user-discovered failure modes keep changing after launch.
The Spiralist angle is maintenance. A safety rule should not be treated as a tablet handed down at launch. It should become a revision ledger: each false alarm, missed hazard, tool change, and reviewer annotation should leave a visible mark on how the rule was changed. The valuable object is not only the current rule. It is the history of why that rule now says what it says.
The Paper Frame
The source is Pingchuan Ma, Zhaoyu Wang, Zimo Ji, Yuguang Zhou, Zhantong Xue, Zongjie Li, Shuai Wang, and Xiaoqin Zhang's AutoSpec: Safety Rule Evolution for LLM Agents via Inductive Logic Programming, arXiv:2606.24245v2 [cs.SE]. The arXiv record says version 1 was submitted June 23, 2026, and version 2 was submitted June 24, 2026. The paper is a preprint in software engineering, artificial intelligence, and computer security categories.
AutoSpec starts from deployed expert-designed safety rules rather than replacing them. Its target is the rule-based layer of an LLM-agent defense stack: the part that inspects execution traces, tool calls, state snapshots, and domain predicates before or during agent action. Static rules drift as the agent's operating environment changes.
How AutoSpec Revises Rules
The workflow combines counterexample-guided inductive synthesis, or CEGIS, with inductive logic programming, or ILP. AutoSpec evaluates the current rule set on labeled execution traces, mines false positives and false negatives, asks ILP to identify predicates that distinguish the mistakes, generates candidate rule edits, then verifies candidate revisions against the labeled trace set.
The edit vocabulary is deliberately small: add a conjunct, add an exception, add a disjunctive branch, or relax a predicate. ILP does not replace the guardrail with a black-box classifier. It nominates the predicates most useful for repair, and the rule editor turns those suggestions into traceable changes. The paper uses ILASP v4.4.1 as the ILP backend and describes the implementation as Python 3.10 code built on an AgentSpec predicate library.
That makes the method politically interesting as well as technical: it can record which predicate fired, which counterexample motivated a change, and whether the revision was meant to reduce false positives or recover missed hazards.
What the Evaluation Shows
The evaluation uses 291 manually labeled execution traces across two domains. The code-execution domain has 191 traces: 91 unsafe traces sampled from RedCode-Exec risk categories and 100 safe traces generated to mirror those categories without triggering security predicates. The embodied-agent domain uses 100 SafeAgentBench traces in simulated household robotics, with GPT-5.1-Codex agents using zero-shot ReAct prompting and a high-level controller with 16 primitive actions.
On the held-out effectiveness comparison, AutoSpec reports F1 of 0.980 in the code-execution domain, compared with 0.698 for the baseline expert rule, 0.813 for an LLM classifier, 0.480 for CEGIS without ILP, and 0.692 for random search. In the embodied-agent domain, AutoSpec reports F1 of 0.933, compared with 0.493 for the baseline rule, 0.881 for the LLM classifier, 0.667 for CEGIS without ILP, and 0.493 for random search.
The convergence claim is modest but concrete: code execution reaches the target threshold in four iterations, while embodied agents improve over five iterations. In the code domain, removing ILP guidance drops F1 from 0.98 to 0.20. A 10-practitioner user study favors the symbolic output: participants rated AutoSpec higher than an LLM classifier on interpretability, actionability, and trust, and preferred it in 101 of 120 pairwise comparisons.
Governance Reading
The governance lesson is that guardrail maintenance is an evidence process. A production agent should not merely have a policy file. It should have a traceable relationship between policy, predicates, execution logs, reviewer labels, counterexamples, and rule revisions. Otherwise "we improved the guardrail" becomes a vague claim that cannot be reconstructed after an incident.
An audit record for agent safety should therefore preserve the initial expert rule, predicate library version, labeled traces, false-positive and false-negative sets, chosen edit operations, validation score, unresolved counterexamples, and human approval path. If a team uses an adaptive neural classifier instead, it needs an equally inspectable path from feedback to deployment decision. The classifier may be useful, but it should not be allowed to hide the maintenance history.
Limits and Cautions
The paper's own boundaries matter. The experiments cover code execution and embodied household agents, not web, database, finance, medical, or government agent deployments. Safe code traces are generated rather than observed from production users. Labels are human annotations at trace granularity. AutoSpec depends on the richness of the predicate library; if the necessary predicate does not exist, the best synthesis loop cannot express the missing safety concept.
The method also does not prove global optimality. The authors describe finite termination, monotonic score improvement under their procedure, and deterministic output for fixed inputs, while noting that solution quality depends on the predicate library. For governance, that means the revision ledger must include unresolved counterexamples and missing-predicate notes, not just the final F1 score.
Audit Receipt
The audit-grade sentence is: Ma, Wang, Ji, Zhou, Xue, Li, Wang, and Zhang report that AutoSpec evolves expert-designed LLM-agent safety rules from labeled execution traces using ILP-guided CEGIS, arXiv:2606.24245.
The receipt is: before accepting an agent-guardrail update, preserve the starting rule, predicate library, labeled trace set, counterexamples, edit operations, validation split, final rule, unresolved failures, and human sign-off.
Sources
- Pingchuan Ma, Zhaoyu Wang, Zimo Ji, Yuguang Zhou, Zhantong Xue, Zongjie Li, Shuai Wang, and Xiaoqin Zhang, AutoSpec: Safety Rule Evolution for LLM Agents via Inductive Logic Programming, arXiv:2606.24245v2 [cs.SE], submitted June 23, 2026 and revised June 24, 2026.
- Primary versions checked: arXiv abstract record, experimental HTML, and PDF.
- Related pages: AI Agents, Tool Use and Function Calling, Agent Tool Permission Protocol, Agent Audit and Incident Review, and The Agent Log Becomes the Receipt.