Governing AI-agent actions via a network intent layer (NILScript)
A proposed structural framework, the Network Intent Layer (NIL), uses a deterministic propose-approve-commit-rollback lifecycle to let AI agents only propose intents while backends declare operations, reducing unauthorized writes to 0% model-independently.
Published June 20, 2026
| Version v2
Preprint
Open
Unexpressible, Not Filtered: A Structural Framework for Governing AI-Agent Actions — the Network Intent Layer
Authors/Creators
Elkhider, ElBasheir A. M.1
1.
Independent Researcher · NILScript
Description
Large language model (LLM) agents are moving from generating text to taking actions on production systems: issuing refunds, updating records, sending messages. Independent enterprise data now identifies the resulting trust gap, not model capability, as the dominant barrier to deployment: Stanford's 2026 AI Index reports security and risk as the top blocker to scaling agentic AI at 62%, a 24-point margin over the next factor, even as organizational AI adoption reaches 88% and actual agent deployment remains in single digits. Prevailing defences are behavioural: the agent authors an action and a probabilistic filter attempts to catch unsafe ones after the fact, a probabilistic check over a probabilistic policy, which admits a nonzero failure rate by construction. We propose a structural framework. The Network Intent Layer (NIL) is a neutral wire contract under which an agent never issues an action; it can only propose intent against operations a backend has explicitly declared, and every write passes a deterministic propose-approve-commit-rollback lifecycle. An action a backend never declared is unexpressible, not merely blocked. This severs deciding from doing: a poisoned reasoning loop still cannot author a write, and the security perimeter collapses from every reasoning step (O(n)) to one intent-to-effect boundary (O(1)), independent of the model. We give the framework in full: four structural guarantees, a statically-validated multi-step plan language, a human-approval gate over an auditable lifecycle, honest multi-step reversibility, and wire-level robustness (typed refusals, deterministic idempotency, circuit-breaking), and a controlled A/B evaluation instantiated on InjecAgent (4,216 indirect prompt-injection cases, two models): unauthorized writes through NIL were 0.00% at 100% benign task-success, model-independently. We give metric definitions, an anti-tautology discipline, and threats to validity. NIL composes with tool-integration standards such as MCP as the governed action layer they do not define.
Files
NIL-arxiv-source.zip
Files (683.4 kB)
Name Size
Download all
NIL-arxiv-source.zip
md5:60c923933ad5605219496ad41115c225
197.1 kB
Preview
Download
NIL-paper.pdf
md5:eee26063cb2c9321ac6323df1085fcc4
486.3 kB
Preview
Download
Additional details
Related works
Is supplemented by
Software:
https://github.com/nilscript-org/nilscript-protocol
(URL)
Other:
https://nilscript.org
(URL)
Software
Development Status
Active