Architectural Requirements for Agentic AI Containment

Computer Science > Cryptography and Security arXiv:2604.23425 (cs) [Submitted on 25 Apr 2026] Title:When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape Authors:Richard Joseph Mitchell View a PDF of the paper titled When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape, by Richard Joseph Mitchell View PDF Abstract:The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment training, environmental sandboxing, application-level tool-call interception, and accessible audit systems - and identifies the failure modes each exhibits when the AI agent is treated as a potential adversary rather than a trusted component receiving adversarial inputs. We categorize five behavioral incidents from the public disclosure and situate them within 698 real-world AI scheming incidents documented by the Centre for Long-Term Resilience between October 2025 and March 2026, a 4.9x acceleration establishing the challenge as systemic. We derive five architectural requirements: trust separation through layered OS privilege enforcement with semantic intent analysis, sequential intent inference through five-phase taxonomic monitoring, independent containment integrity monitoring, adversarial audit isolation through logical invisibility, and emergent capability envelope enforcement through distributional divergence monitoring. No publicly described system satisfies all five. We argue that architectural containment is the only durable safety strategy given the inevitable proliferation of equivalent capabilities including open-weight models. The author's published patent portfolio in provider-independent constraint enforcement addresses several of these requirements. Concurrent work including SandboxEscapeBench (arXiv:2603.02277) independently confirms that frontier models can escape standard container sandboxes, corroborating the threat model presented here. Comments: 17 pages, 30 references, 5 tables. Derives five architectural requirements (R1-R5) for agentic AI containment from the April 2026 Mythos Preview incidents. Assesses AEGIS, Microsoft AGT, NVIDIA OpenShell, and other current systems; finds none satisfies all five requirements. Patent pending Subjects: Cryptography and Security (cs.CR) MSC classes: 68M25, 68T42 ACM classes: D.4.6; I.2.11; D.2.11; K.6.5 Cite as: arXiv:2604.23425 [cs.CR] (or arXiv:2604.23425v1 [cs.CR] for this version) https://doi.org/10.48550/arXiv.2604.23425 Focus to learn more arXiv-issued DOI via DataCite (pending registration) Submission history From: Richard Mitchell [view email] [v1] Sat, 25 Apr 2026 19:41:00 UTC (306 KB) Full-text links: Access Paper: View a PDF of the paper titled When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape, by Richard Joseph MitchellView PDF view license Current browse context: cs.CR < prev | next > new | recent | 2026-04 Change to browse by: cs References & Citations NASA ADSGoogle Scholar Semantic Scholar export BibTeX citation Loading...…

This excerpt is published under fair use for community discussion. Read the full article at arXiv.org.