Traditional operating systems struggle to support goal-directed, dynamically tool-invoking agents with adaptive behaviors, exhibiting fundamental limitations in scheduling, state management, security, and observability. This work presents the first systematic design of an Agent Operating System (AOS) architecture, which introduces an agent control plane into conventional OS abstractions and rethinks core mechanisms—including scheduling, context management, capability registration, policy enforcement, and auditing. AOS clearly delineates responsibility boundaries and non-goals, establishing a multi-layered integration model spanning user-space runtimes to distributed control planes, thereby transcending the traditional OS assumption of deterministic program execution. The paper establishes novel system abstractions for agent-centric computing, proposes a security threat model and evaluation criteria, and makes significant advances in ensuring deterministic execution, auditability, and operational interpretability.

Traditional operating systems were designed around deterministic programs, explicit control flow, and human initiated workflows. Their core abstractions processes, threads, system calls, files, and permissions assume bounded behavior and predictable interaction patterns. Agentic AI systems introduce a different execution model: long-lived, goal-directed entities that reason probabilistically, invoke tools dynamically, and adapt behavior based on feedback. While agents can be implemented as user-space applications today, their execution characteristics stress OS boundaries in scheduling, memory and state management, security, observability, and governance. This paper introduces the concept of an Agent Operating System (AOS), a systems architecture that integrates an agentic control plane into existing operating systems or, in some models, subsumes selected OS responsibilities over time. We provide a precise definition of an AOS, explicit assumptions and non-goals, and a structured decomposition of AOS responsibilities into schedulers, context and memory management, tool and capability registries, policy and trust enforcement, and observability and audit. We analyze limitations of classical OS abstractions for agent workloads, propose integration models from user-space runtimes to distributed control planes, and map AOS concepts onto Linux and Windows primitives. We present security and safety implications, including agent specific threat models, and define evaluation criteria that emphasize deterministic enforcement, auditability, and operator comprehensibility. The objective is not to replace operating systems wholesale, but to establish a rigorous systems foundation for agentic computation that remains controllable, accountable, and secure at scale.