New framework brings enforceable security to autonomous AI agents

CO-EDP, VisionRI | Updated: 05-05-2025 09:41 IST | Created: 05-05-2025 09:41 IST

The risks associated with artificial intelligence (AI) agents' unsupervised interactions are growing sharply. A new study titled "SAGA: A Security Architecture for Governing AI Agentic Systems", published on arXiv, presents a comprehensive security framework to enforce control, accountability, and trust in these increasingly complex AI ecosystems. Developed by researchers from Northeastern University, the SAGA architecture introduces concrete, evaluated solutions for managing agent lifecycle, access policies, and inter-agent communications, areas where most existing proposals remain purely theoretical.

Autonomous agents powered by large language models (LLMs) are rapidly finding deployment across critical sectors such as healthcare, finance, and cybersecurity. Their ability to reason, act independently, and interact with other agents and tools introduces both unprecedented utility and equally novel security challenges. The SAGA framework directly addresses the growing urgency to secure these interactions before malicious agents or misaligned actions result in real-world harm.

What are the unique security risks in AI agentic systems?

AI agents today are capable of self-directed collaboration, delegation, and decision-making. They operate not only on user devices but also in distributed environments across geographies and platforms, sometimes with access to sensitive data and control over real-world tools. This expanded surface creates multiple attack vectors: impersonation of agents, unauthorized access to resources, propagation of malicious instructions, and misuse of delegated authority.

Current proposals for governing AI agents have outlined high-level principles such as agent identity management and delegation control, but have stopped short of implementation. Moreover, these designs often neglect the central principle of user agency, the need for end-users to retain control over what their AI agents do, how they interact, and with whom they communicate.

SAGA highlights the inadequacy of such partial approaches by offering a working prototype evaluated on real-world tasks. It introduces a model where the entire lifecycle of agent creation, interaction, and decommissioning is governed by a central entity termed the “Provider.” This entity ensures traceability, enforces security policies, and mediates communication among agents based on cryptographically enforced permissions. By addressing identity, policy enforcement, and trust simultaneously, SAGA builds a robust security layer on top of the autonomy AI agents increasingly exhibit.

How does SAGA enforce user-controlled governance in agent systems?

At the core of SAGA’s design is a mechanism for user-controlled oversight. When a user creates an agent, it is registered with the Provider, which maintains identity credentials, contact information, and, most critically, access control policies defined by the user. These policies dictate what tasks the agent is authorized to perform and what other agents it is allowed to interact with.

To operationalize these policies, SAGA introduces a cryptographic token-based access control mechanism. Every time an agent attempts to communicate with another, it must present a valid access token that is derived based on user-specified constraints. These tokens are verified by the Provider, ensuring that only authorized interactions proceed. This mechanism enables fine-grained, dynamic control, for example, permitting an agent to query a finance database but restricting it from accessing patient health records or communicating with unknown agents.

One key innovation is that these access controls are enforced without degrading the performance of the agent. The researchers evaluated SAGA on a series of tasks involving both cloud-based and on-device LLM agents, some located in different geographical regions. Even under these distributed and heterogeneous conditions, the system introduced negligible overhead, proving that security need not come at the expense of utility.

Importantly, SAGA does not assume a single-agent ecosystem. It is designed for multi-agent systems where collaboration and communication are essential, and where malicious or compromised agents might attempt to exploit others. The architecture ensures that all interactions are visible, logged, and governed, giving users and system administrators a complete audit trail of agent behavior.
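To make the registration, token and audit flow described above concrete, here is an added illustration written for this article; it is not SAGA's own code or protocol. It assumes a single Provider that holds a per-agent HMAC-SHA256 key, a user policy expressed as allowed peers and allowed tasks, a token bound to the (sender, receiver, task) triple with an expiry, and an in-memory audit log. The class, method and field names are assumptions, and the finance/patient-record scenario is constructed from the article's own example.

```python
"""Provider-mediated access control for AI agents (added illustration, not SAGA's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class Provider:
    """Central entity that registers agents, issues and verifies tokens, and logs decisions."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}     # per-agent HMAC keys, held by the Provider (assumption)
        self._policies: dict[str, dict] = {}  # user-defined policy per agent (assumed fields)
        self.audit_log: list[dict] = []       # every registration, issuance and verification

    def _record(self, event, sender, receiver, task, allowed, reason) -> None:
        self.audit_log.append({"ts": time.time(), "event": event, "sender": sender,
                               "receiver": receiver, "task": task,
                               "allowed": allowed, "reason": reason})

    def register(self, agent_id, owner, allowed_peers, allowed_tasks) -> None:
        """Register an agent together with the owner's access-control policy."""
        if agent_id in self._keys:
            raise ValueError(f"agent already registered: {agent_id}")
        self._keys[agent_id] = secrets.token_bytes(32)
        self._policies[agent_id] = {"owner": owner, "peers": set(allowed_peers),
                                    "tasks": set(allowed_tasks)}
        self._record("register", agent_id, None, None, True, "")

    def update_policy(self, agent_id, allowed_peers=None, allowed_tasks=None) -> None:
        """Owner tightens or loosens a policy; it applies on the next verification."""
        policy = self._policies[agent_id]
        if allowed_peers is not None:
            policy["peers"] = set(allowed_peers)
        if allowed_tasks is not None:
            policy["tasks"] = set(allowed_tasks)
        self._record("update_policy", agent_id, None, None, True, "")

    def _permitted(self, sender, receiver, task) -> str:
        """Return '' if the current policy allows the interaction, else the denial reason."""
        policy = self._policies.get(sender)
        if policy is None:
            return "unknown sender"
        if receiver not in self._policies:
            return "unknown receiver"
        if receiver not in policy["peers"]:
            return "peer not allowed"
        if task not in policy["tasks"]:
            return "task not allowed"
        return ""

    def issue_token(self, sender, receiver, task, ttl=300):
        """Derive a token bound to (sender, receiver, task), or refuse under the policy."""
        reason = self._permitted(sender, receiver, task)
        if reason:
            self._record("issue", sender, receiver, task, False, reason)
            return None
        claims = {"s": sender, "r": receiver, "t": task,
                  "exp": int(time.time()) + ttl, "n": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._keys[sender], body, hashlib.sha256).digest()
        self._record("issue", sender, receiver, task, True, "")
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

    def verify(self, token, sender, receiver, task, now=None) -> bool:
        """Check integrity, binding, expiry and the *current* policy before mediating contact."""
        now = time.time() if now is None else now
        try:
            b64_body, b64_tag = token.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            tag = base64.urlsafe_b64decode(b64_tag)
            claims = json.loads(body)
        except ValueError:  # covers base64, unicode and JSON decoding failures
            self._record("verify", sender, receiver, task, False, "malformed token")
            return False
        key = self._keys.get(sender)
        if key is None:
            reason = "unknown sender"
        elif not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            reason = "bad signature"
        elif not isinstance(claims, dict) or \
                (claims.get("s"), claims.get("r"), claims.get("t")) != (sender, receiver, task):
            reason = "token not bound to this interaction"
        elif not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            reason = "token expired"
        else:
            reason = self._permitted(sender, receiver, task)  # re-check live policy (revocation)
        self._record("verify", sender, receiver, task, not reason, reason)
        return not reason


def demo():
    """Constructed scenario: a finance agent may query a database agent and nothing else."""
    provider = Provider()
    provider.register("finance-agent", "alice", ["db-agent"], ["query_finance"])
    provider.register("db-agent", "alice", ["finance-agent"], ["answer"])
    token = provider.issue_token("finance-agent", "db-agent", "query_finance")
    decisions = {
        "allowed": provider.verify(token, "finance-agent", "db-agent", "query_finance"),
        "wrong_task": provider.issue_token("finance-agent", "db-agent", "read_patient_records") is not None,
        "unknown_peer": provider.issue_token("finance-agent", "stranger", "query_finance") is not None,
    }
    provider.update_policy("finance-agent", allowed_peers=[])  # user withdraws the permission
    decisions["after_revoke"] = provider.verify(token, "finance-agent", "db-agent", "query_finance")
    return decisions, provider.audit_log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

Two design points matter here. Verification re-reads the live policy rather than trusting the token alone, so a user who withdraws a permission sees it take effect immediately instead of at token expiry; and every decision, including denials, lands in the audit log, which is what gives administrators the complete trail the article describes.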

What is the broader impact of SAGA on AI governance?

The release of SAGA marks a significant advancement in bridging the gap between theoretical frameworks for AI governance and deployable security architectures. Unlike abstract policy documents or unenforced guidelines, SAGA is a working system, complete with implementation, cryptographic enforcement, and empirical performance benchmarks.

For industries deploying AI agents in sensitive environments, SAGA offers a path toward compliance with upcoming regulations and ethical frameworks. By ensuring that users retain oversight of agent actions, the architecture aligns with emerging norms around responsible AI, such as transparency, auditability, and controllability.

It also addresses a critical bottleneck in agentic AI adoption: trust. Users and organizations are hesitant to deploy autonomous agents without guarantees of control and containment. By providing those guarantees, SAGA not only prevents misuse but accelerates the adoption of agentic systems in areas like logistics, legal assistance, disaster response, and secure communications.

In addition, the researchers propose that future work could expand the Provider’s role to support federated environments and integrate decentralized identity schemes. Such extensions could make SAGA applicable to global-scale systems where central trust anchors may not be feasible or desirable. For now, though, the framework delivers a concrete, centralized governance model that can be adopted in enterprise and research environments immediately.

First published in: Devdiscourse