ChatPaper.aiChatPaper

PolicyGuard:一种基于对话的子代理验证器,用于确保LLM代理的策略遵循

PolicyGuard: A Dialogue-Grounded Sub-Agent Verifier for Policy Adherence in LLM Agents

June 28, 2026
作者: Seongjae Kang, Taehyung Yu, Sung Ju Hwang
cs.AI

摘要

LLM代理通过工具调用代表组织处理用户请求,必须遵循系统提示中规定的公司策略。现有研究将其视为防护问题——通过外部检查阻止不合规的代理行为。我们认为策略遵循是一个更广泛的问题:真实工作流程涉及多轮交互,需要显式用户确认和前置阅读,且依赖于对话内容而非单一参数值。满足这一要求需要三项能力——(i)完整的对话上下文、(ii)基于策略和当前对话的自我推理、以及(iii)针对特定对话的补救措施以引导代理的下一步操作——这三项能力在以往的防护研究中常被低估。我们提出PolicyGuard,一个子代理验证器,与代理共享对话视图,在上下文中推理策略,并为代理的下一步操作提供可操作的反馈。在tau²-BENCH航空基准测试中,针对三个供应商(GPT-5.4、Claude Sonnet 4.6、Gemini 2.5 Pro),每个设置进行四次试验,PolicyGuard将PASS4指标提升了+12.0 / +6.0 / +12.0个百分点。逐次调用分析显示,PolicyGuard在实现更高策略违规召回率的同时,拦截频率约为参数级防护的一半。
English
LLM agents handle user requests on behalf of organizations through tool calls and must follow the company policies stated in their system prompts. Prior work approaches this as a safeguarding problem -- external checks that block non-compliant agent actions. We argue that policy adherence is a broader problem: real workflows unfold across many turns, require explicit user confirmation and prerequisite reads, and hinge on the content of the dialogue rather than on any single argument value. Meeting this bar requires (i) full conversation context, (ii) self-reasoning over the policy and the current dialogue, and (iii) conversation-specific remediation that guides the agent's next turn -- three capabilities that prior safeguard work has often underestimated. We introduce POLICYGUARD, a sub-agent verifier that shares the agent's view of the dialogue, reasons over the policy in context, and provides actionable feedback for the agent's next turn. On tau^2-BENCH airline across three vendors (GPT-5.4, Claude Sonnet 4.6, Gemini 2.5 Pro) with four trials per setting, POLICYGUARD improves PASS4 by +12.0 / +6.0 / +12.0 pp. Per-call analyses show POLICYGUARD achieves higher policy-violation recall while blocking roughly half as often as argument-level guards.