Probabilistic Verification for AI Agents: DRO-Based Framework Bounds Policy Violation Risk

Existing runtime monitoring approaches for AI agents are restricted to deterministic policies, a critical limitation identified in recent research (arXiv 2606.20510). As AI agents increasingly operate in ambiguous environments, there is a pressing need to enforce security policies that involve probabilistic predicates or state transitions. For example, a declassifier or Personally Identifiable Information (PII) detector may have a non-zero failure probability on each invocation, requiring a framework that can reason about probabilistic outcomes.

To address this gap, the authors introduce a sound and efficient framework for probabilistic verification of AI agents based on distributionally robust optimization (DRO). The core innovation is the ability to compute sound upper bounds on the probability of policy violation regardless of possible correlations between predicates. This is a significant advancement because, in many practical applications, one cannot easily make the independence assumptions necessary to invoke prior work on probabilistic inference in Datalog. By avoiding these assumptions, the framework provides rigorous guarantees even when predicate correlations are unknown or complex.

The framework leverages Datalog as the formal language for expressing and enforcing security policies at runtime for AI agents. Datalog’s declarative nature allows for clear specification of policies, and the DRO-based verification extends its applicability to probabilistic settings. The approach is evaluated on standard benchmarks for terminal and tool-calling agents, demonstrating that it outperforms prior art and improves the security-utility trade-off while ensuring rigorous bounds on the probability of policy violation.

This work has direct implications for blockchain and crypto ecosystems, where autonomous agents must operate under strict safety invariants. For on-chain AI agents, such as those in DeFi, the framework can provide provable upper bounds on the probability of policy violations (e.g., unauthorized token transfers) without requiring knowledge of correlations between oracle calls. In TEE-based AI inference, it enables sound risk bounding even when the agent’s internal state is hidden. MEV bots using ML models can enforce probabilistic compliance policies with formal guarantees, and the approach pairs naturally with zero-knowledge proofs for verifiable policy adherence. By bridging the gap between deterministic runtime monitoring and real-world probabilistic agent behavior, this research opens new avenues for secure and trustworthy autonomous systems.