Governed MCP: Kernel-Level Tool Governance for AI Agents via Logit-Based Safety Primitives

Computer Science > Cryptography and Security [Submitted on 18 Apr 2026] Governed MCP: Kernel-Level Tool Governance for AI Agents via Logit-Based Safety Primitives Daeyeon Son AI agents increasingly call external tools (file system, network, APIs) through the Model Context Protocol (MCP). These tool calls are the agent's syscalls -- privileged operations with side effects on shared state -- yet today's safety enforcement lives entirely in userspace, where a 10-line script can bypass it. I propose Governed MCP, a kernel-resident tool governance gateway built on a logit-based safety primitive (ProbeLogits, companion paper: arXiv:2604.11943). The gateway interposes on every MCP tool call in a 6-layer pipeline: schema validation, trust tier check, rate limit, adversarial pre-filter, ProbeLogits gate (the load-bearing semantic check), and constitutional policy match, with a Blake3-hashed audit chain. I implement Governed MCP in Anima OS, a bare-metal x86_64 OS in approximately 86,000 lines of Rust. The five non-inference layers add 65.3 microseconds of overhead per call; ProbeLogits adds 65 ms (per-token-class semantic decision) on 7B Q4_0. A 4-config ablation on a 101-prompt MCP-domain benchmark shows that removing the ProbeLogits layer collapses F1 from 0.773 to 0.327 (Delta F1 = -0.446) -- hand-rule firewalling alone is insufficient. All 15 WASM-to-system host functions in the runtime route through the gateway (complete mediation of the WASM ABI surface; the scope and caveats of this claim are stated in Section 4.6); a 10-LoC userspace bypass that defeats existing guardrail libraries is structurally impossible against the kernel-resident gate. Comments: 12 pages. Companion paper to arXiv:2604.11943 (ProbeLogits) Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Operating Systems (cs.OS) Cite as: arXiv:2604.16870 [cs.CR]   (or arXiv:2604.16870v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2604.16870 Focus to learn more Related DOI: https://doi.org/10.5281/zenodo.19639122 Focus to learn more Submission history From: Daeyeon Son [view email] [v1] Sat, 18 Apr 2026 06:40:20 UTC (25 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-04 Change to browse by: cs cs.AI cs.OS References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)