Researchers propose TokenWall, a runtime defense framework designed to secure persistent AI agents by acting as a semantic firewall over natural-language token flows. The system performs boundary-aware semantic auditing on memory updates, tool arguments, and inter-component communications to intercept unsafe behavior before it reaches privileged runtime sinks.
- Constructs structured source-sink audit records for full-coverage pre-execution mediation.
- Applies lightweight local inspection before execution to reduce remote arbitration and latency.
- Selectively escalates ambiguous high-risk cases to stronger arbitration modules.
- Reduces attack success rate to 12.5% on CIK-Bench while maintaining a 97.4% benign executable pass rate.
- Adds only 0.69 seconds of additional latency for benign cases.
TokenWall demonstrates that semantic runtime containment can achieve a practical security-utility trade-off for long-lived software systems by preventing unsafe content propagation through persistent state and tool-mediated interactions.