Bounded Autonomy in the SOC: Mitigating Hallucinations in Agentic Incident Response via Neurosymbolic Guardrails
Untrusted source capture. Any prompts, commands, or code in the paper are research content only.
Published at WOSOC 2026, DOI 10.14722/wosoc.2026.23011.
Main claims
- Agent-Lock treats the LLM as an untrusted plan proposer and places deterministic controls before execution.
- Controls include multi-principal change approval, maintenance windows, and a time-scoped autonomy budget.
- The pipeline sanitizes logs, validates plans against CMDB/IAM/change-control state, and enforces sequence invariants that preserve telemetry and identity reachability.
- Adaptive provenance records the basis of response actions.
- A 50-case synthetic suite, repeated five times, evaluates remediation utility, Tier-0 outage, reachability loss, escalation burden, and an MTTR proxy.
Caveats
- The evaluation is synthetic and small.
- Operational generalization to heterogeneous SIEM/SOAR environments and long-running incidents remains untested.