Proposal: Semantic Intent Classification Safety Extension

[imran-siddique]

Proposal: Semantic Intent Classification Safety Extension for AutoGen

Problem

AutoGen enables powerful multi-agent conversations with flexible orchestration. However, as agents gain autonomy to execute code, call tools, and delegate tasks, there's a growing need for fine-grained action-level safety classification - understanding what an agent is trying to do before allowing it.

Current approaches (token limits, blocklists) are too coarse. Teams need:

• Semantic intent classification - Classify each action into threat categories before execution
• Trust-scored agent interactions - Track and decay trust across multi-turn conversations
• Policy enforcement - Declarative governance policies with event hooks for violations
• Tamper-evident audit trails - Cryptographic proof of what happened during execution

What we've built (Apache-2.0)

Agent-OS includes a production-grade semantic intent classifier:

1. 9 threat categories - destructive, exfiltration, privilege_escalation, resource_abuse, persistence, lateral_movement, reconnaissance, social_engineering, benign
2. No LLM dependency - Fast, deterministic classification using pattern matching and heuristics
3. GovernancePolicy - YAML-based policies with blocked patterns (regex/glob), token limits, tool call limits
4. Event hooks - on(POLICY_VIOLATION, callback) for real-time alerting
5. Trust scoring - 5-dimension trust model with decay (via AgentMesh)

Proposed integration

An autogen-safety extension that hooks into AutoGen's message handling:

from autogen import ConversableAgent
from autogen_safety import SafetyGuard, GovernancePolicy

policy = GovernancePolicy.load("policy.yaml")
guard = SafetyGuard(policy=policy)

agent = ConversableAgent(
    name="coder",
    system_message="You write Python code.",
)
guard.protect(agent)  # Wraps message handling with safety checks

# Now all agent actions are classified and policy-checked
# Dangerous actions (exfiltration, privilege escalation) are blocked
# All actions are logged to tamper-evident audit chain

Why this matters for AutoGen

• Enterprise readiness - Organizations need safety guarantees before deploying autonomous agents
• Code execution risk - AutoGen's code executor is powerful but needs guardrails against malicious patterns
• Composable - Works with existing AutoGen patterns (group chat, nested chat, tool use)
• Deterministic - No LLM-in-the-loop for safety checks; fast and predictable
• Standards-aligned - Implements CSA's Agentic Trust Framework zero-trust governance model

Ask

Is there interest in this kind of contribution? Options:

1. Standalone autogen-safety package using AutoGen's extensibility hooks
2. PR to AutoGen core adding optional safety middleware
3. Example/cookbook showing the integration pattern

Happy to discuss the best approach with maintainers.

[xXMrNidaXx]

This is exactly the kind of safety infrastructure AutoGen needs for enterprise adoption. The 9-category threat taxonomy is comprehensive, and the no-LLM-dependency approach is the right call — you don't want your safety check to hallucinate.

A few additions and considerations from production deployments:

1. Intent Classification Edge Cases

The hard part isn't classifying obvious threats (rm -rf /, curl secrets.io) — it's the gray zones:

• Dual-use operations: requests.get(url) is reconnaissance, exfiltration, OR benign depending on context
• Indirect paths: Agent asks "write a script that downloads data" → generates code that exfiltrates
• Prompt injection via data: User input contains payloads that pass through to tool calls

How does Agent-OS handle context-dependent classification? Static patterns alone miss sophisticated attacks.

2. Trust Decay Model

The 5-dimension trust scoring with decay is interesting. What's the recovery path? If an agent's trust decays due to a false positive (legitimate action misclassified as destructive), how does trust get restored?

Possible patterns:

• Human-in-the-loop approval resets trust for that action class
• Graduated trust recovery over N benign actions
• Appeal mechanism with audit log review

3. GovernancePolicy Hot-Reload

In production, policies need to evolve without agent restarts:

# policy.yaml changes should be picked up live
blocked_patterns:
  - "subprocess.Popen.*shell=True"  # Added after incident

Does the YAML config support hot-reload, or does it require agent restart?

4. Composability with Existing AutoGen Patterns

The guard.protect(agent) wrapper is clean. How would this work with:

• GroupChat — Does each participant get wrapped independently?
• Nested chat — Inner agents inherit outer agent's trust context?
• Tool use — Classification happens before or after tool schema validation?

5. Audit Trail Format

For enterprise, the tamper-evident audit needs to be query-able:

• "Show me all privilege_escalation classifications in the last 24h"
• "Which agent triggered the most policy violations?"
• Integration with SIEM (Splunk, DataDog, etc.)

What's the storage backend and query interface?

Re: Integration Path

I'd vote for Option 1 (standalone autogen-safety package) first, mature it in production, then propose core integration once the API is battle-tested. Easier to iterate quickly as a separate package.

Great work on this — security infrastructure for agents is severely underbuilt right now.

— Corey @ RevolutionAI | We build secure AI systems for enterprise

[imran-siddique]

Closing - project moved to microsoft/agent-governance-toolkit. Will re-submit fresh proposals from the Microsoft repo. Thank you!