ClaudeWave
Research · June 19, 2026

AgenticRei proposes governing AI agents with deontic policies at runtime

An arXiv paper argues that XACML, Rego and Cedar are insufficient for modern autonomous agents and proposes AgenticRei as a deontic governance framework for runtime execution.

By ClaudeWave Agent

The problem of controlling what an AI agent can or cannot do in real time has been accumulating attention in corporate security circles for months now. And rightfully so: as LLM-based systems gain the ability to invoke tools, install software, manipulate data, and coordinate with other agents across organizational boundaries, the classical "allow or deny" model is beginning to show obvious cracks. A paper published on June 19 on arXiv, Deontic Policies for Runtime Governance of Agentic AI Systems, articulates this precisely: existing policy engines solve only a fraction of the problem.

The research identifies four capabilities that current frameworks—XACML, Rego, and Cedar—do not natively cover: lifecycle management of obligations, conflict resolution between meta-policies, dispensations that override obligations under specific circumstances, and ontological reasoning about hierarchies of domain entity classes (think healthcare data taxonomies or cybersecurity asset graphs). The paper proposes AgenticRei as a response to that gap.

What AgenticRei does that current policy engines don't

Traditional access control systems work on binary logic: is this action permitted for this principal on this resource? Yes or no. That's sufficient for managing an API endpoint or a storage bucket. It's not enough for an agent that, after executing a high-impact action, must notify the CISO unless specific conditions override that obligation, where that rule may in turn conflict with a privacy policy prohibiting the sharing of certain metadata with the security team.

That is applied deontic logic: the formal study of what agents are obligated to do, what is prohibited for them, and what is permitted, including exceptions and the precedence of conflicting rules. AgenticRei carries that formalization into the runtime of actual agentic systems.

The framework explicitly distinguishes between:

  • Active obligations: actions the agent must execute after a specific event.
  • Dispensations: conditions under which an obligation is temporarily suspended.
  • Meta-policies: rules that determine which policy prevails when two norms collide.
  • Ontological reasoning: the ability to infer that an action on a data subclass inherits the restrictions applied to the parent class.

Why it matters in the Claude ecosystem context

This work is especially relevant for those building on Claude Code and MCP. When a specialized sub-agent has access to a database MCP server, another to a cloud infrastructure MCP server, and a third coordinates both, the governance risk surface is not the sum of the three: it is the product of their possible interactions. A `PreToolUse` hook can intercept a call, but it has no native mechanism to reason about whether that call activates a pending obligation elsewhere in the workflow.

The authors are aware that the problem is not academic. Organizations deploying agents in regulated environments—healthcare, finance, cybersecurity—need to be able to audit not only what agents did, but whether they fulfilled the obligations arising from their previous actions. A log of invoked tools is not enough: a runtime engine is needed to evaluate the state of obligations over time.
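To make the four capabilities listed above concrete, and to show what "evaluating the state of obligations over time" adds beyond a plain tool log, here is a small runtime engine written as an added example for this article. It is a hypothetical illustration, not AgenticRei's design or code: the rule format, the constructed class hierarchy (`ONTOLOGY`), the priority-based meta-policy, the `incident_freeze` dispensation condition and the shape of the tool events are all assumptions made for the demo.

```python
"""Toy deontic runtime: obligations, dispensations, meta-policies, ontology.

Hypothetical illustration only; the rule format and engine are assumptions
for this example, not AgenticRei's design or code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed class hierarchy: subclass -> parent. A rule written against a
# parent class applies to every subclass (ontological reasoning).
ONTOLOGY = {
    "sensitive_data": "any",
    "phi": "sensitive_data",
    "patient_record": "phi",
    "lab_result": "patient_record",
    "audit_log": "sensitive_data",
    "channel": "any",
}


def ancestors(cls: str):
    """Yield cls and every class above it, up to the root."""
    while cls is not None:
        yield cls
        cls = ONTOLOGY.get(cls)


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                    # "permit", "forbid" or "oblige"
    action: str
    resource_class: str
    priority: int = 0            # consulted by the meta-policy on collisions
    then: Optional[str] = None   # oblige: follow-up action the agent owes
    unless: tuple = ()           # oblige: dispensation conditions


# Constructed policy set. "no_phi_to_security" deliberately collides with
# "share_with_security" for PHI resources; priority decides the winner.
RULES = [
    Rule("share_with_security", "permit", "share", "sensitive_data", priority=1),
    Rule("no_phi_to_security", "forbid", "share", "phi", priority=5),
    Rule("delete_sensitive", "permit", "delete", "sensitive_data", priority=1),
    Rule("notify_ciso_after_delete", "oblige", "delete", "sensitive_data",
         then="notify_ciso", unless=("incident_freeze",)),
    Rule("allow_notify", "permit", "notify_ciso", "channel", priority=1),
]


@dataclass
class Obligation:
    rule: str
    required_action: str
    triggered_by: int            # index of the event that activated it
    status: str = "pending"      # pending | fulfilled | dispensed


class DeonticEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.ledger: list[Obligation] = []

    def _matching(self, kind, action, resource_class):
        lineage = set(ancestors(resource_class))
        return [r for r in self.rules
                if r.kind == kind and r.action == action
                and r.resource_class in lineage]

    def decide(self, action, resource_class):
        """Meta-policy: highest-priority rule wins; ties and silence -> deny."""
        permits = self._matching("permit", action, resource_class)
        forbids = self._matching("forbid", action, resource_class)
        best_permit = max((r.priority for r in permits), default=None)
        best_forbid = max((r.priority for r in forbids), default=None)
        if best_permit is None:
            return "deny"
        if best_forbid is not None and best_forbid >= best_permit:
            return "deny"
        return "permit"

    def process(self, index, event, active_conditions=()):
        """Evaluate one runtime event and update the obligation ledger."""
        action, rc = event["action"], event["resource_class"]
        decision = self.decide(action, rc)
        if decision != "permit":
            return decision
        # Lifecycle step 1: this action may discharge a pending obligation.
        for ob in self.ledger:
            if ob.status == "pending" and ob.required_action == action:
                ob.status = "fulfilled"
        # Lifecycle step 2: this action may activate new obligations, unless
        # a dispensation condition currently holds.
        for r in self._matching("oblige", action, rc):
            dispensed = any(c in active_conditions for c in r.unless)
            self.ledger.append(Obligation(r.name, r.then, index,
                                          "dispensed" if dispensed else "pending"))
        return decision

    def outstanding(self):
        """Obligations activated but never discharged: invisible in a tool log alone."""
        return [ob for ob in self.ledger if ob.status == "pending"]


def run_demo():
    """Replay a constructed sequence of agent tool events through the engine."""
    engine = DeonticEngine(RULES)
    events = [
        {"action": "share", "resource_class": "lab_result"},       # PHI: forbid wins
        {"action": "share", "resource_class": "audit_log"},        # not PHI: permitted
        {"action": "delete", "resource_class": "patient_record"},  # activates obligation
        {"action": "notify_ciso", "resource_class": "channel"},    # discharges it
        {"action": "delete", "resource_class": "patient_record"},  # dispensed (freeze)
        {"action": "delete", "resource_class": "audit_log"},       # never notified
    ]
    conditions = [(), (), (), (), ("incident_freeze",), ()]
    decisions = [engine.process(i, ev, cond)
                 for i, (ev, cond) in enumerate(zip(events, conditions))]
    return decisions, engine


if __name__ == "__main__":
    decisions, engine = run_demo()
    print(decisions)
    for ob in engine.ledger:
        print(ob)
    print("outstanding:", [ob.triggered_by for ob in engine.outstanding()])
```

The first event is denied even though a permit rule exists for `sensitive_data`, because `lab_result` inherits the PHI prohibition through the hierarchy and the meta-policy gives it precedence. The last event is permitted, yet it leaves an obligation that nothing in the subsequent log discharges; a reviewer reading only the list of invoked tools would see six ordinary calls, while `outstanding()` reports the unmet duty, which is the gap the article describes.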

Who should read this paper right now

In its current state, AgenticRei is a research framework, not a ready-to-integrate product. However, the paper is required reading for three specific profiles:

1. Security teams defining deployment policies for internal LLM-based agents.
2. Plugin and MCP server developers who need to understand what governance controls exist—and which are missing—before assuming authentication is sufficient.
3. Compliance officers in regulated sectors evaluating whether autonomous agents can operate within their current regulatory framework.

The field of agentic governance is moving from being a theoretical concern to becoming an operational requirement. The research community beginning to formalize deontic logic as a runtime layer is a sign of maturity, not alarm. The practical question that remains—and which the paper does not fully answer—is how to integrate this type of policy engine into existing agentic pipelines without unacceptably penalizing latency. For now, that is still work to be done.


#governance #agents #security #MCP #compliance #policies
