Search papers, labs, and topics across Lattice.
This paper introduces TokenWall, a runtime defense framework designed to enhance the security of persistent AI agents by intercepting unsafe semantic flows before they reach critical execution points. By employing boundary-aware semantic auditing, TokenWall constructs detailed audit records and applies local inspections to mitigate risks associated with natural-language token flows, which are prevalent in interactions involving memory updates and tool-mediated communications. Experimental results indicate that TokenWall significantly reduces the attack success rate to 12.5% while maintaining a high benign executable pass rate of 97.4%, with minimal added latency, showcasing a practical security-utility balance for AI agents.
TokenWall slashes the attack success rate to 12.5% while ensuring a 97.4% pass rate for benign interactions, all with just 0.69 seconds of added latency.
Persistent AI agents extend large language models (LLMs) beyond single-turn interaction into long-lived software systems. Unlike traditional chat assistants, unsafe content in these agents can propagate through persistent state, reusable skills, and tool-mediated interactions, creating a substantially larger semantic attack surface. We observe that most security-critical interactions in such agents are transmitted through natural-language token flows, including memory updates, tool arguments, retrieved files, and inter-component communications. This observation enables a new security formulation: unsafe behavior can be intercepted as risky semantic flows before reaching privileged runtime sinks. Based on this insight, we propose TokenWall, a runtime defense framework that acts as a semantic firewall over agent token flows. TokenWall performs boundary-aware semantic auditing over these flows, constructing structured source-sink audit records, applying lightweight local inspection before execution, and selectively escalating ambiguous high-risk cases to stronger arbitration modules. Unlike prior approaches that rely on sparse auditing or remote large-model oversight, TokenWall enables full-coverage pre-execution mediation while reducing remote arbitration and latency. Experiments on CIK-Bench show that TokenWall reduces attack success rate to 12.5% while maintaining a 97.4% benign executable pass rate without human confirmation. TokenWall further introduces only 0.69 seconds of additional latency on benign cases, demonstrating that semantic runtime containment can achieve a practical security-utility trade-off for persistent AI agents.