Researchers propose TokenWall, a runtime defense framework designed to secure persistent AI agents by acting as a semantic firewall over natural-language token flows. The system performs boundary-aware semantic auditing on memory updates, tool arguments, and inter-component communications to intercept unsafe behavior before it reaches privileged runtime sinks.

  • Constructs structured source-sink audit records for full-coverage pre-execution mediation.
  • Applies lightweight local inspection before execution to reduce remote arbitration and latency.
  • Selectively escalates ambiguous high-risk cases to stronger arbitration modules.
  • Reduces attack success rate to 12.5% on CIK-Bench while maintaining a 97.4% benign executable pass rate.
  • Adds only 0.69 seconds of additional latency for benign cases.

TokenWall demonstrates that semantic runtime containment can achieve a practical security-utility trade-off for long-lived software systems by preventing unsafe content propagation through persistent state and tool-mediated interactions.