How an agent breaks a policy nobody is watching for

A governance gap is not a loud failure. It is the policy violation that runs to completion because nothing in the stack was set up to notice it. The fix is detection wired to the boundary, not a document.

B

Balagei G Nagarajan

4 MIN READ


An agent crossing a faint policy line while every monitor stays green
Neither shows up as an error, because both produce output that looks like success.
— from “How an agent breaks a policy nobody is watching for”

Key facts.

  • AgentDojo (arXiv:2406.13352) shows tool-using agents both fail a large share of benign tasks (under 66% solved) and remain steerable by injected instructions, so off-policy actions can occur without an obvious error. source
  • Greshake et al. (arXiv:2302.12173) demonstrated indirect prompt injection, where an instruction hidden in retrieved content is obeyed by the agent, a violation path that produces no exception. source
  • The OWASP Top 10 for Agentic Applications catalogs goal hijacking and rogue-agent behavior as primary risks, the failure classes a governance gap leaves undetected. source
  • An off-policy agent follows a hidden instruction and returns a clean result, so nothing alerts; on AgentDojo a stronger model narrows that surface but will not detect it before the cost. (arXiv:2406.13352)

Why does a policy violation go undetected?

Because the violation succeeds. When an agent does something it should not, the tool call usually returns normally, the run completes and the dashboard stays green. There is no stack trace for an off-policy action that the system was never told to watch for. The instruction that caused it may have been hidden in a document the agent retrieved, which is the indirect-injection path Greshake described or it may simply be the agent drifting past its lane on a task it was not equipped to refuse. AgentDojo measures exactly this combination: agents that miss a real share of legitimate tasks while remaining steerable by adversarial text. Neither shows up as an error, because both produce output that looks like success.

The mistake is treating governance as a written policy rather than an instrumented one. A document that says the agent must not move money outside an approved list does nothing at runtime. What catches the violation is a check at the boundary, where the action is compared against the policy before or as it executes and an alert fires when they disagree. Without that, the policy exists only on paper and the first time you learn it was crossed is when the consequence surfaces, often days later and somewhere downstream.

Heatmap of policy boundaries by detection coverage, with hot cells where violations run unseen

What turns a paper policy into a detected one?

Three things. A boundary defined in machine-checkable terms, so the rule is a comparison the system can make, not a sentence a human has to interpret. A check placed at the action, so the comparison runs every time the agent does the thing the policy governs. And an alert that distinguishes a crossed boundary from a normal action, so the violation reaches a person while it still matters. The OWASP agentic risks read like a list of what these checks are for: goal hijacking, excessive agency, rogue behavior, each one a boundary that needs a watcher. A governed agent is not one with more rules written down. It is one where the rules that matter are wired to fire.

PropertyPaper policyInstrumented policy
FormDocumentMachine-checkable boundary
When it actsNever, at runtimeAt every governed action
Violation surfacedAfter the consequenceAs it happens
Detection coverageNoneTied to the boundary

The Pattern Intelligence Layer is where policy boundaries become detectable. Agent actions are compared against their boundaries at the pattern level, so an off-policy move is caught as it happens rather than reconstructed after it costs you. Reliability at the pattern level is what turns a governance document into a control that actually fires.

Frequently asked questions

Why doesn't an error log catch a policy violation?
Because most violations return cleanly. The tool call succeeds, the run completes and there is no exception. You only catch it if you compare the action against the policy, which an error log does not do.

Does a better model prevent off-policy actions?
It lowers the rate but does not detect them. AgentDojo shows even strong agents stay steerable and miss benign tasks, so detection at the boundary is still required.

Is a written governance policy useless then?
No, it is necessary but not sufficient. The policy defines the boundary. Detection wired to that boundary is what makes the policy enforceable at runtime.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.