Samuel Addington (California State University Long Beach)

Security Operations Centers (SOCs) are moving from static SOAR playbooks to agentic incident response: LLM-driven operators that can query telemetry and execute remediation actions. The main barrier to safe deployment is not intent misalignment alone, but operational unsafety: a hallucinating or prompt-injected agent can trigger Tier-0 outages (e.g., isolating a domain controller), violate change-control, or degrade core monitoring and identity reachability.

We present Agent-Lock, a bounded-autonomy enforcement pattern tailored to SOC engineering. Agent-Lock introduces (i) SOC-specific constraints that are difficult to encode in generic shielding frameworks—multi-principal change-control approvals, maintenance windows, and time-scoped autonomy budgets (blast-radius over assets and identities); (ii) a multi-stage neurosymbolic pipeline that (a) sanitizes untrusted log fields, (b) validates plan-level actions against CMDB/IAM/change-control state, and (c) enforces sequence-level invariants such as continued reachability to core telemetry and identity providers; and (iii) an adaptive provenance model that updates source trust online from incident outcomes while preserving a hard safety invariant.

We formalize a Tier-0 non-disruption property under single-log adversarial manipulation and prove it under explicit assumptions. On a 50-case synthetic incident suite (5 runs per case), Agent-Lock prevents high-risk actions that the baseline agent executes while retaining most valid remediation utility.
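As an added illustration of the plan-level validation stage described in the abstract (not the paper's implementation), the sketch below gates each proposed action on CMDB tier, maintenance window, change-control approvals and a time-scoped blast-radius budget, and fails closed on unknown assets. The CMDB entries, tier rules, `Action`/`Budget` types and `check_plan` function are all hypothetical assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed CMDB snapshot: hypothetical assets and tiers, not from the paper.
CMDB = {
    "dc01":   {"tier": 0, "role": "domain-controller"},
    "siem01": {"tier": 0, "role": "telemetry"},
    "app-07": {"tier": 1, "role": "app-server"},
    "ws-114": {"tier": 2, "role": "workstation"},
    "ws-115": {"tier": 2, "role": "workstation"},
}

@dataclass(frozen=True)
class Action:
    verb: str                            # e.g. "isolate_host"
    asset: str
    approvals: frozenset = frozenset()   # principals who approved the change

@dataclass(frozen=True)
class Budget:
    max_assets: int      # blast radius: distinct assets the agent may touch
    expires: datetime    # autonomy is time-scoped

def check_plan(plan, budget, now, window, required_approvals=2):
    """Split a proposed plan into (allowed, denied); denied holds (action, reason)."""
    allowed, denied, touched = [], [], set()
    for act in plan:
        ci = CMDB.get(act.asset)
        in_window = window[0] <= now < window[1]
        if ci is None:
            reason = "asset not in CMDB"          # fail closed on unknown targets
        elif now >= budget.expires:
            reason = "autonomy budget expired"
        elif ci["tier"] == 0:
            reason = "Tier-0 asset: no autonomous disruption"  # assumed hard rule
        elif ci["tier"] == 1 and not in_window:
            reason = "outside maintenance window"
        elif ci["tier"] == 1 and len(act.approvals) < required_approvals:
            reason = "insufficient change-control approvals"
        elif len(touched | {act.asset}) > budget.max_assets:
            reason = "blast-radius budget exceeded"
        else:
            reason = None
        if reason:
            denied.append((act, reason))
        else:
            allowed.append(act)
            touched.add(act.asset)
    return allowed, denied
```

The gate evaluates only symbolic state (CMDB, approvals, clock), so text injected into a log field can change what the agent proposes but not what the gate permits.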
