KAIJU: A Secure Execution Kernel and Intent-Gated Architecture for LLM Agents

KAIJU addresses three critical limitations of traditional ReAct LLM Agents—serial execution delay, context quadratic expansion, and security vulnerabilities—via system-level architecture innovations: decoupling planning and execution layers, introducing Intent-Gated Execution (IGX) for safety, and an Execution Kernel for efficient task management. This transforms LLM Agents into reliable, secure tools for real-world applications.

Traditional ReAct Agents face three major bottlenecks:

1. Serial Delay: Step-by-step execution (think → act → wait → repeat) leads to low efficiency for complex tasks. 2.** Context Bloat**: Historical actions/observations accumulate, causing quadratic growth in input context and potential information loss. 3.** Security Risks**: Direct tool call generation by LLMs makes Agents vulnerable to prompt injection and unregulated dangerous operations.

KAIJU decouples two layers:

• Planning Layer: LLM handles high-level task decomposition and tool scheduling (no real-time execution wait).
• Execution Layer: Managed by Execution Kernel for tool calls, parallel scheduling, dependency parsing, and error handling.

Two core abstractions:

1. Intent-Gated Execution (IGX): 4D authorization (Scope/Intent/Impact/Clearance) with static analysis, semantic validation, risk scoring, and dynamic interception.
2. Execution Kernel: Manages task lifecycle (scheduling, dependency resolution, fault handling, resource control).

Three modes for different scenarios:

• Reflect: Deep reflection after each step (high quality, slow; ideal for complex analysis).
• nReflect: Light reflection at key nodes (balance of quality and speed; for medium tasks).
• Orchestrator: No reflection (max speed; for simple, well-defined tasks).

Experimental results:

• Simple tasks: ReAct faster (2-3s vs KAIJU's 3-4s due to planning overhead).
• Medium tasks: Converge (parallel execution saves time equal to planning cost).
• Complex tasks: KAIJU 60-80% faster (parallel data collection).

Context efficiency: KAIJU reduces token consumption by 40-60% in 10+ step tasks (vs ReAct's quadratic growth).

KAIJU solves ReAct's security flaws:

• Architecture Isolation: LLM generates plans (not direct code) validated by Execution Kernel.
• IGX Enforcement: Mandatory 4D authorization checks block dangerous operations.
• Audit & Traceability: Full lifecycle logs for each operation.
• Behavior Policies: Hard enforcement of rules (e.g., no unapproved write operations).

Applications:

• Enterprise data analysis: Parallel query of multiple systems with IGX authorization.
• Deep research: Reflect mode for adaptive direction adjustment.
• Automation O&M: IGX intercepts high-risk operations and handles faults.

Limitations:

• Plan accuracy issues (wrong dependencies lead to failure).
• Poor adaptation to dynamic environment changes.
• Steeper learning curve for developers.

KAIJU represents a key evolution in LLM Agent architecture—system-level design makes Agents practical. Future work includes:

• Adaptive mode switching based on task progress.
• Learning-based plan optimization using historical data.
• Multi-agent collaboration support.

KAIJU's open source repo (https://github.com/compdeep/kaiju) is available for exploration.