ChatPaper.aiChatPaper

PolicyGuard: 基於對話的子代理驗證器,用於LLM代理中的政策遵循

PolicyGuard: A Dialogue-Grounded Sub-Agent Verifier for Policy Adherence in LLM Agents

June 28, 2026
作者: Seongjae Kang, Taehyung Yu, Sung Ju Hwang
cs.AI

摘要

LLM代理透過工具呼叫代表組織處理使用者請求,且必須遵循其系統提示中載明的公司政策。先前的研究將其視為防護問題——即透過外部檢查來阻止不符合規定的代理行為。我們認為政策遵循是一個更廣泛的問題:實際工作流程涉及多輪互動,需要明確的使用者確認與前置閱讀,且取決於對話內容,而非單一參數值。要達到此標準,需要具備三項能力:(i)完整的對話上下文、(ii)針對政策及當前對話的自我推理,以及(iii)對話特定的修正措施,以引導代理的下一輪行動——這些都是先前的防護工作經常低估的能力。我們提出POLICYGUARD,一個子代理驗證器,它與代理共享對話視角,基於上下文對政策進行推理,並為代理的下一輪行動提供可執行的反饋。在tau²-BENCH航空基準測試中,針對三個供應商(GPT-5.4、Claude Sonnet 4.6、Gemini 2.5 Pro),每種設定進行四次試驗,POLICYGUARD將PASS4提升了+12.0 / +6.0 / +12.0個百分點。逐次呼叫分析顯示,POLICYGUARD在實現更高政策違規召回率的同時,其封鎖次數約為參數層級防護的一半。
English
LLM agents handle user requests on behalf of organizations through tool calls and must follow the company policies stated in their system prompts. Prior work approaches this as a safeguarding problem -- external checks that block non-compliant agent actions. We argue that policy adherence is a broader problem: real workflows unfold across many turns, require explicit user confirmation and prerequisite reads, and hinge on the content of the dialogue rather than on any single argument value. Meeting this bar requires (i) full conversation context, (ii) self-reasoning over the policy and the current dialogue, and (iii) conversation-specific remediation that guides the agent's next turn -- three capabilities that prior safeguard work has often underestimated. We introduce POLICYGUARD, a sub-agent verifier that shares the agent's view of the dialogue, reasons over the policy in context, and provides actionable feedback for the agent's next turn. On tau^2-BENCH airline across three vendors (GPT-5.4, Claude Sonnet 4.6, Gemini 2.5 Pro) with four trials per setting, POLICYGUARD improves PASS4 by +12.0 / +6.0 / +12.0 pp. Per-call analyses show POLICYGUARD achieves higher policy-violation recall while blocking roughly half as often as argument-level guards.