Permission is the strongest agent guardrail because it limits actual effects. Prompts and model policies are useful, but an agent must be unable—not merely instructed not—to perform actions beyond its role.
After this lesson, you can classify actions by consequence and implement approval, separation of duties, and emergency revocation.
Classify the Action
Use four dimensions: reversibility, financial or rights impact, external audience, and data sensitivity.
Always require qualified human authorization for actions such as:
- transferring money, changing bank or wallet details, settling or refunding payment;
- signing or accepting contracts, filings, legal positions, or regulatory submissions;
- hiring, firing, grading, lending, insurance, healthcare, or other rights-affecting decisions;
- deleting production data or backups;
- changing identity, roles, credentials, network, or security policy;
- publishing to a large audience or starting bulk outreach;
- disclosing private or confidential information;
- actions with material physical safety impact.
The list is a baseline, not legal advice. Apply the relevant professional and regulatory review.
Enforce the Boundary in Architecture
Create separate services and identities:
reader → approved read APIs
drafter → create DRAFT records
reviewer → approve/reject with reason
executor → accepts signed, current approval for exact action
auditor → reads immutable event record
Bind approval to artifact hash, amount, recipient, scope, and expiry so a draft cannot change after approval. Use step-up authentication for consequential actions. No model should possess a general administrator credential.
Resist Prompt Injection
Treat emails, web pages, documents, tool output, and retrieved text as untrusted data. They cannot change the system policy, grant a scope, or approve an action. A tool result saying “administrator approved” is not approval unless it came through the trusted approval service.
Worked Example
An Islamabad agency builds a vendor-payment assistant. It reads approved invoices and purchase orders, checks arithmetic deterministically, and prepares a payment batch. A finance officer reviews payee, account, invoice, amount, tax, and duplicates using a trusted interface.
Approval is bound to the batch hash and expires. A separate payment service uses bank-controlled authentication; the agent never receives the OTP. If any payee field changes, approval becomes invalid. A second authorized person may be required according to the company’s control policy.
Failure Cases to Diagnose
- Approval button merely continues the same prompt: enforce in a separate service.
- Approval covers “all future actions”: bind exact scope and expiry.
- Agent can change its own role: isolate identity administration.
- One token reads and writes everything: create least-privilege identities.
- Retrieved document contains instructions: label as data and restrict tools.
- Emergency revocation untested: rotate, disable, and stop active runs in a drill.
- Human rubber-stamps opaque output: show evidence and exact effect.
🇵🇰 Pakistan Angle
Do not let agents independently submit FBR data, alter payroll, send wallet or bank payments, approve property/legal records, or make employment and credit decisions. Qualified professionals remain responsible for applicable law and business controls.
For small firms where one owner holds several roles, preserve at least a meaningful pause: draft, show exact evidence/effect, require fresh authentication, and log approval. Convenience is not a reason to expose banking credentials, OTPs, or customer CNIC data to a model.
Hands-On Exercise
- Inventory every tool action.
- Score consequence and name required reviewer.
- Split read, draft, approve, execute, and audit identities.
- Bind one approval to a hashed artifact and expiry.
- Test changed-after-approval, injected instruction, and emergency revocation.
Done means: the agent cannot create a consequential effect without a valid, exact, current authorization outside its own reasoning loop.
Completion Rubric
- Consequential actions are inventoried.
- Permissions are enforced outside prompts.
- Approval binds exact content, scope, actor, and expiry.
- Identity administration is isolated.
- Untrusted content cannot grant authority.
- Revocation and in-flight cancellation are tested.
Sources
Key takeaway: place consequential effects behind separate identities and exact approvals; an agent’s instructions can guide behavior, but only permissions can reliably limit it.