Position: A Three-Layer Probabilistic Assume-Guarantee Architecture Is Structurally Required for Safe LLM Agent Deployment

S. Bensalem, Y. Dong, M. Franzle, X. Huang, J. Kroger, D. Nickovic, A. Nouri, R. Roy

May 18, 2026
arXiv:2605.18672v1PDF
cs.AI(primary)
#1419 of 2292 · Artificial Intelligence
Share
Tournament Score
1385±39
10501800
48%
Win Rate
12
Wins
13
Losses
25
Matches
Rating
5.5/ 10
Significance
Rigor
Novelty
Clarity

Abstract

This position paper argues that enforcing LLM agent safety within a single abstraction layer is not merely suboptimal but categorically insufficient for deployed LLM agents -- a structural consequence of how agent execution works, not a contingent limitation of current systems. The three dimensions that jointly constitute safe operation -- semantic intent and policy compliance, environmental validity, and dynamical feasibility -- each depend on a strictly distinct set of information that becomes available at different stages of execution. No single guardrail can certify all three. We argue that the community must respond with a contract-based architecture in which each safety dimension is enforced by an independently certified layer whose probabilistic guarantee satisfies the next layer's assumption. We sketch such an architecture and derive the compositional system-level safety bounds it admits via the chain rule of probability. Three open problems stand between this and a deployable standard: bound estimation from non-i.i.d.\ traces, graceful degradation of contracts under deployment drift, and extension to multi-agent settings -- the most important unfinished business in LLM agent runtime assurance.

AI Impact Assessments

(1 models)

Scientific Impact Assessment

1. Core Contribution

This position paper argues that safe deployment of LLM agents cannot be achieved through any single-layer guardrail architecture, regardless of its sophistication. The central claim is structural rather than empirical: three dimensions of safety—semantic intent/policy compliance, environmental validity, and dynamical feasibility—depend on information sets that become available at strictly distinct stages of execution (pre-observation, post-observation/pre-actuation, and during control-loop execution). The paper proposes a three-layer probabilistic assume-guarantee (A/G) contract architecture where each layer certifies one dimension, and guarantees compose via the chain rule of probability to yield system-level safety bounds.

The key intellectual contribution is reframing LLM agent safety as an *information-availability* problem rather than a capability problem. This is a meaningful conceptual shift from the dominant paradigm of building "better guardrails" toward recognizing that the problem has inherent architectural constraints.

2. Methodological Rigor

The formal argument is structured around three desiderata (D1–D3) grounded in physical causality—irreversibility of action and causal precedence of observation over inference. Proposition 1 (the Collapse Argument) systematically enumerates all three possible two-stage collapses and shows each violates at least one desideratum or implicitly reconstructs the three-layer structure. This is logically clean and well-executed.

However, the rigor has notable limitations:

  • The desiderata do substantial work. The "necessity" of three layers follows from accepting D1–D3 as non-negotiable. While these are well-motivated by physical causality, they embed specific assumptions about what constitutes a "safety architecture" versus an "incident-response architecture" (D1). A critic could argue that certain deployment contexts tolerate weaker versions of these desiderata.
  • The probabilistic bounds (B1–B4) are illustrative, not validated. The numerical instantiation in Appendix C uses hand-selected probability estimates drawn from different benchmarks and systems, assembled into a hypothetical scenario. The paper is transparent about this, but it means the compositional certification framework remains entirely theoretical.
  • The gap between architecture and implementation is vast. The paper honestly acknowledges that none of the key quantities (marginal probabilities, conditional probabilities, co-failure rates) can currently be estimated for LLM agents due to non-i.i.d. traces, non-stationarity, and correlated backbone failures. This is a significant limitation for a framework whose value proposition is quantitative safety bounds.

    • 3. Potential Impact

    Conceptual framing: The paper's strongest potential impact is as a conceptual organizing framework. By clearly delineating *why* different safety mechanisms fail when applied in isolation and *where* each type of certification is possible, it provides a principled vocabulary for the growing LLM agent safety community. The distinction between information-driven versus artefact-driven decomposition (contrasting with Shamsujjoha et al.'s taxonomy) is particularly useful.

    Standards and regulation: The framework could influence emerging regulatory approaches to LLM agent deployment, particularly in robotics and autonomous systems where the three information layers map naturally to existing safety engineering practices (intent verification, ODD compliance, runtime monitoring).

    Research agenda: The three open problems identified—bound estimation from non-i.i.d. traces, graceful degradation under drift, and multi-agent extension—are well-articulated and could usefully direct research efforts. The connection to specific technical tools (martingale bounds, conformal prediction, e-processes) provides actionable starting points.

    Practical deployment: Near-term practical impact is limited. The framework is pre-empirical—no prototype implementation exists, no benchmarking against real agent failures is performed, and latency concerns for real-time systems are acknowledged but unaddressed.

    4. Timeliness & Relevance

    The paper is highly timely. LLM agents are being deployed in increasingly safety-critical settings, and the community lacks principled architectural frameworks for runtime assurance. The benchmark data cited (AgentSafetyBench scores below 60%, attack success rates exceeding 84%) underscore the urgency. The paper correctly identifies that safety mechanisms are being produced faster than the theoretical infrastructure to compose them—a valuable meta-observation.

    The connection to established CPS (cyber-physical systems) contract-based design traditions is appropriate and adds credibility, though the paper could more explicitly address the gap between CPS assumptions (well-characterized noise models) and LLM agent realities.

    5. Strengths & Limitations

    Strengths:

  • Clear, principled structural argument that goes beyond "more layers = better" to explain *why* exactly three layers are needed
  • Honest and detailed treatment of open problems and limitations, particularly the estimation challenges in Section 4
  • Strong integration with existing formal methods literature (A/G contracts, CBFs, STL monitoring)
  • The bidirectional assurance loop (forward certification + bottom-up safety signals) is a practical design insight
  • Running example throughout provides concrete grounding

    • Limitations:

  • No empirical validation. For a framework claiming structural necessity for "deployed" agents, the absence of any prototype implementation or empirical case study is a significant gap, even for a position paper.
  • Reliance on external work for all key mechanisms. Each layer depends on techniques (ShieldAgent, CBFs, ODD monitoring) that are individually immature for LLM agents.
  • The "necessity" claim's scope. The argument applies most naturally to embodied agents in physical environments. For software-only LLM agents (API orchestrators, coding agents), the three-layer decomposition may be less compelling, as "dynamical feasibility" maps less cleanly.
  • Compositional bounds may be practically vacuous. Given current estimation capabilities, (B1) with realistic uncertainty intervals could produce bounds too loose for meaningful certification.
  • Limited engagement with alternative architectures. The paper briefly discusses end-to-end learned safety but doesn't seriously engage with hierarchical planning architectures (e.g., task-motion planning) that already implement similar staged verification without the A/G formalism.
  • Self-citation and recency concerns. Several references are from 2025-2026, some appearing to be from the authors' group, which is appropriate for a position paper but warrants scrutiny regarding the maturity of the cited evidence base.

    • Summary

    This is a well-argued position paper that provides a useful conceptual framework for thinking about LLM agent safety architecturally. Its structural necessity argument is its strongest contribution, though the practical utility depends entirely on resolving open problems that are themselves acknowledged as extremely challenging. The paper's impact will likely be more conceptual and agenda-setting than immediately technical.

    Rating:5.5/ 10
    Significance 6.5Rigor 5.5Novelty 6Clarity 7.5

    Generated May 19, 2026

    Comparison History (25)

    vs. AOP-Wiki EMOD 3.0: Data Model Expansions and Content Evaluation Framework for Using Agentic AI to Improve Integration between AOPs and New Approach Methodologies (NAMs)
    claude-opus-4.65/22/2026

    Paper 1 addresses a fundamental architectural challenge for safe LLM agent deployment with broad applicability across all AI agent systems. Its formal probabilistic framework for compositional safety guarantees is highly novel and timely given rapid LLM agent proliferation. It identifies concrete open problems that could shape an entire research agenda. Paper 2, while valuable for the AOP/toxicology community, addresses a more domain-specific data infrastructure problem with narrower impact scope. Paper 1's breadth of impact across AI safety, formal methods, and deployment practices gives it substantially higher potential scientific impact.

    vs. Toward AI VIS Co-Scientists: A General and End-to-End Agent Harness for Solving Complex Data Visualization Tasks
    claude-opus-4.65/22/2026

    Paper 2 addresses a fundamental and broadly applicable problem—safety guarantees for deployed LLM agents—which is timely and critically important as LLM agents proliferate across domains. Its formal, contract-based architecture with compositional probabilistic safety bounds provides a principled theoretical framework that could influence standards across the entire AI safety community. Paper 1, while technically impressive in automating visualization pipelines, addresses a narrower application domain. Paper 2's identification of three open problems and its structural argument for layered safety have broader cross-disciplinary implications for AI deployment at scale.

    vs. Spreadsheet-RL: Advancing Large Language Model Agents on Realistic Spreadsheet Tasks via Reinforcement Learning
    gpt-5.25/22/2026

    Paper 1 likely has higher scientific impact due to a concrete, novel RL fine-tuning framework, a realistic Excel-based environment, and new benchmark datasets enabling reproducible progress and direct deployment potential in ubiquitous spreadsheet workflows. It provides measurable performance gains and infrastructure that other researchers can build on across agent learning, tool use, and human-in-the-loop data work. Paper 2 presents an important conceptual safety argument, but as a position paper without empirical validation or implemented artifacts, its near-term impact may be less certain despite high relevance.

    vs. The Log is the Agent: Event-Sourced Reactive Graphs for Auditable, Forkable Agentic Systems
    gpt-5.25/22/2026

    Paper 1 proposes a concrete, systems-level runtime architecture (event-sourced reactive graphs) with clear, novel properties for agentic systems: deterministic replay, cheap forking, and end-to-end lineage. These enable immediate real-world applications in debugging, auditing, evaluation, compliance, and reproducibility, and can influence multiple areas (agent frameworks, MLOps/observability, workflow engines, and provenance). Paper 2 is timely and conceptually valuable for safety, but as a position paper it offers less methodological rigor and fewer directly actionable artifacts, making its near-term scientific and engineering impact likely lower.

    vs. SAPO: Step-Aligned Policy Optimization for Reasoning-Based Generative Recommendation
    claude-opus-4.65/19/2026

    Paper 1 addresses a fundamental architectural problem for safe LLM agent deployment — a topic of immense and growing importance as LLM agents are increasingly deployed in real-world settings. Its contribution of a principled three-layer probabilistic framework with compositional safety guarantees has broad applicability across all LLM agent systems, not just one domain. It identifies open research problems that could catalyze an entire research agenda. Paper 2, while methodologically sound, addresses a more narrow problem (credit assignment in generative recommendation), with impact limited primarily to the recommendation systems community.

    vs. Capturing LLM Capabilities via Evidence-Calibrated Query Clustering
    gemini-3.15/19/2026

    Paper 2 addresses a critical bottleneck in the field—safe deployment of LLM agents—by proposing a foundational, mathematically grounded architectural paradigm. While Paper 1 offers a strong, empirically validated method for evaluation and routing, Paper 2's focus on system-level safety guarantees has broader implications across all domains of AI agent deployment, potentially shaping future standards and research trajectories in AI safety.

    vs. Efficient Lookahead Encoding and Abstracted Width for Learning General Policies in Classical Planning
    claude-opus-4.65/19/2026

    Paper 1 presents concrete algorithmic innovations (holistic encoding, Abstracted IW(1)) with empirical validation showing state-of-the-art results surpassing established planners like LAMA on competitive benchmarks. It advances generalized planning with measurable improvements. Paper 2 is a position paper arguing for a three-layer safety architecture for LLM agents—while timely and relevant, it lacks empirical validation, presents no implemented system, and primarily sketches a conceptual framework with open problems. Paper 1's methodological rigor, novel technical contributions, and demonstrated results give it higher concrete scientific impact.

    vs. ALSO: Adversarial Online Strategy Optimization for Social Agents
    claude-opus-4.65/19/2026

    Paper 2 addresses a fundamental structural problem in LLM agent safety that is highly timely given the rapid deployment of LLM agents. Its contribution—a principled three-layer safety architecture with compositional probabilistic guarantees—has broader impact across the entire LLM agent ecosystem, not just social simulation. It identifies concrete open problems that could shape an entire research agenda. While Paper 1 makes solid contributions to online strategy optimization in social simulation, its scope is narrower. Paper 2's position, if adopted, could influence safety standards and deployment practices industry-wide.

    vs. KISS - Knowledge Infrastructure for Scientific Simulation: A Scaffolding for Agentic Earth Science
    claude-opus-4.65/19/2026

    Paper 2 demonstrates higher scientific impact through its concrete, empirically validated system (3,000 trials, 119 knowledge infrastructures across 14 Earth-science domains) with clear real-world applications in democratizing climate and Earth science modeling for underserved communities. It combines methodological rigor with broad interdisciplinary impact and immediate practical utility. Paper 1, while intellectually rigorous in proposing a safety architecture for LLM agents, is a position paper that sketches theoretical frameworks without empirical validation, and its impact is more narrowly focused on the AI safety community.

    vs. Unleashing LLMs in Bayesian Optimization: Preference-Guided Framework for Scientific Discovery
    gemini-3.15/19/2026

    Paper 2 presents a concrete, methodologically rigorous framework with both theoretical guarantees and strong empirical validation across multiple scientific domains, including real-world wet-lab experiments. While Paper 1 addresses the critical issue of LLM safety, it is a position paper sketching an architecture. Paper 2's broad applicability to accelerate scientific discovery across physics, chemistry, biology, and materials science gives it a significantly wider and more immediate scientific impact.

    vs. Context Pruning for Coding Agents via Multi-Rubric Latent Reasoning
    gemini-3.15/19/2026

    Paper 2 proposes a foundational, conceptual framework for LLM agent safety, addressing a critical bottleneck in the field. By outlining a necessary architectural paradigm and identifying key open problems, it has the potential to shape broad research agendas and deployment standards across all agentic applications. Paper 1 offers a highly rigorous and effective technical solution for context pruning in coding agents, but its impact is more narrowly focused on optimization rather than fundamental system-level safety guarantees.

    vs. Reasoning Can Be Restored by Correcting a Few Decision Tokens
    claude-opus-4.65/19/2026

    Paper 2 presents a novel empirical finding—that reasoning advantages concentrate in sparse 'decision tokens'—with a concrete, validated intervention method that recovers reasoning performance efficiently. This offers immediate practical applications (cheaper inference via selective delegation), strong methodological rigor with reproducible code, and broad relevance to the LLM reasoning community. Paper 1, while intellectually interesting, is a position paper proposing a theoretical architecture without implementation or empirical validation, and its impact depends on future work to address its own stated open problems.

    vs. Computational Challenges in Token Economics: Bridging Economic Theory and AI System Design
    gpt-5.25/19/2026

    Paper 2 has higher potential impact: it proposes a concrete, structurally motivated three-layer assume-guarantee safety architecture with probabilistic compositional guarantees, directly targeting urgent real-world deployment risks for LLM agents. The framing is novel and timely, with a clearer path to standardization and cross-field uptake (formal methods, controls, verification, safety engineering, ML). Paper 1 usefully defines a research agenda and trilemma for computational token economics, but is more exploratory and less methodologically grounded in actionable mechanisms, likely narrowing near-term adoption and measurable impact.

    vs. Body-Grounded Perspective Formation and Conative Attunement in Artificial Agents
    gpt-5.25/19/2026

    Paper 1 has higher likely scientific impact: it targets an urgent, widely recognized deployment problem (LLM agent safety), proposes a clear architectural thesis (three-layer probabilistic assume–guarantee contracts), and sketches compositional safety bounds that could generalize across applications and fields (AI safety, formal methods, controls, runtime assurance). Its ideas are timely and actionable for real-world systems. Paper 2 is conceptually novel and interesting for embodied cognition, but its applications and evaluation appear narrower (gridworld, phenomenological framing) and may have less immediate uptake outside specialized communities.

    vs. From Imitation to Interaction: Mastering Game of Schnapsen with Shallow Reinforcement Learning
    gpt-5.25/19/2026

    Paper 1 has higher potential impact due to a novel, general safety architecture for LLM agents with compositional probabilistic guarantees, directly addressing a timely, high-stakes deployment problem with broad relevance across AI safety, systems, and verification. Its contract-based multilayer framing could influence standards and real-world engineering practices. Paper 2 is a solid applied RL study on a niche game domain with incremental methodological contributions and narrower cross-field applicability, making its likely impact more limited.

    vs. FORGE: Self-Evolving Agent Memory With No Weight Updates via Population Broadcast
    gpt-5.25/19/2026

    Paper 1 presents a concrete, novel algorithmic protocol (population-broadcast self-evolving memory with no weight updates) with substantial empirical gains on a challenging, stochastic long-horizon cyber-defense benchmark, plus ablations identifying key mechanisms—supporting methodological rigor and near-term applicability. Its approach is timely for agent reliability and can plausibly transfer across agentic tasks where prompt-memory is used. Paper 2 is timely and potentially broadly influential conceptually, but as a position paper it offers limited empirical validation and actionable implementation detail, making near-term scientific/engineering impact less certain.

    vs. Skim: Speculative Execution for Fast and Efficient Web Agents
    gemini-3.15/19/2026

    Paper 1 addresses a fundamental structural challenge in LLM agent safety, proposing a theoretical foundation for runtime assurance across all agent applications. Its foundational nature and focus on safety guarantees give it broader, longer-term scientific impact compared to Paper 2's domain-specific optimization for web agents.

    vs. TaskGround: Structured Executable Task Inference for Full-Scene Household Reasoning
    gemini-3.15/19/2026

    Paper 2 addresses the critical, foundational issue of LLM agent safety by proposing a novel theoretical architecture. Its focus on structural guarantees and probabilistic safety bounds gives it broad applicability across all domains of LLM agent deployment. In contrast, while Paper 1 presents strong empirical work and a useful dataset, its impact is largely restricted to embodied AI and household robotics. Paper 2's potential to establish a new paradigm for AI runtime assurance offers wider and more profound scientific impact.

    vs. SkillGenBench: Benchmarking Skill Generation Pipelines for LLM Agents
    gpt-5.25/19/2026

    Paper 2 likely has higher impact because it delivers a concrete, reusable benchmark with pinned environments and execution-based evaluation, enabling reproducible comparison across methods and immediate adoption by the community. This can accelerate progress in agent skill generation, a timely and practically important capability with clear downstream applications. Paper 1 is conceptually novel and relevant for safety, but as a position/architecture sketch it is less methodologically grounded and may have slower, harder-to-measure uptake than a benchmark that becomes standard infrastructure for a growing subfield.

    vs. Reinforcement Learning Trained Observer Control for Bearings-Only Tracking
    gemini-3.15/19/2026

    Paper 1 addresses a critical bottleneck in the rapidly expanding field of LLM agents (safety and runtime assurance) by proposing a foundational, contract-based architecture. Its high timeliness, broad applicability across AI deployments, and framing of new open problems give it significantly higher potential for widespread scientific impact compared to Paper 2, which presents a more focused, domain-specific application of reinforcement learning to target tracking.