Governed Individuation: Cryptographically Decoupling an Agent's Learning from Its Authority
2026-07-06 • Artificial Intelligence
Artificial IntelligenceCryptography and Security
AI summaryⓘ
The authors study how to keep autonomous agents safely controlled even after they learn and change their behavior in the real world. They propose a system called governed individuation that locks an agent’s identity and checks every action by its actual effect, not just its name. This ensures the agent cannot exceed its allowed powers unless the operator explicitly approves it, no matter how much the agent learns or changes itself. They tested this approach and showed it prevents unsafe actions while letting the agent do its tasks well, unlike simpler methods that can be tricked. Their work shifts trust from guessing an agent stays safe to being able to verify safety every time it starts.
Autonomous agentsAgent alignmentGoverned individuationCryptographic identitySemantic effect gatingSelf-modifying agentsSafety guaranteesTool-use benchmarkDynamic effect tracingOperator authorization
Authors
Xue Qin, Simin Luan, Cong Yang, Zhijun Li
Abstract
Autonomous agents are moving from sandboxed text generators to operators of code, data, and physical infrastructure, and they increasingly learn while deployed. This reopens a question that alignment techniques answer only probabilistically: after an agent has adapted in the field, is the running system still confined to what its operator authorised? Here we show that confinement can be guaranteed as an invariant of the agent's execution architecture rather than a probabilistic outcome of its training. Governed individuation binds an agent at boot to a cryptographically frozen identity digest, and routes every action through a gate defined over the semantic effect of the action rather than its name. We prove that no amount of learning, skill acquisition, or self-induced governance abstraction can widen the agent's permitted authority without an operator-signed change to its identity; the guarantee holds even when the agent induces its own safety principle and that principle is wrong. Empirically, in an open-ended tool-use benchmark where a large action space rules out name-based blocking, ungoverned software agents under reward pressure attempt to tamper with their own evaluation at a task-dependent rate that reaches every run on the hardest task, whereas the gate reduces executed forbidden effects to zero as a verified property of the construction while preserving task success. An adversarial evaluation of monitors of increasing semantic depth shows false-allows falling from 75% (name-based gating) to zero (dynamic effect tracing), and refusal history transfers compliance to held-out red-line families. Trust in a deployed learning agent shifts from a wager on its continued alignment to a check anyone can run at boot.