A policy your agent can read but not be stopped by is not enforcement

Writing the boundary into the prompt is not the same as enforcing it. An agent can be told the rule and still break it, which is why production agents need policy enforced outside the model.

B

Balagei G Nagarajan

4 MIN READ


A prompt-level rule shown as a sign the agent walks past, beside a code-level gate that physically blocks the action
Controls that sit between the agent and its effects, not inside its reasoning.
— from “A policy your agent can read but not be stopped by is not enforcement”

Key facts.

  • AgentDojo (arXiv:2406.13352) is a benchmark of realistic tasks and prompt-injection test cases for tool-using LLM agents, showing that injected instructions can move agents off their intended policy. source
  • The OWASP Top 10 for Agentic Applications (ASI categories) names prompt injection and excessive agency among the core agentic risk classes a control layer must address. source
  • ISO/IEC 42001:2023 treats risk handling as implemented Annex A controls and operational safeguards, not as instructions the system may choose to honor. source

Why isn't an in-prompt policy enforcement?

Because the prompt asks the model to behave and asking is not the same as preventing. The model reads the boundary and, most of the time, respects it, which is enough to make the prompt look like a control in testing. But the model is the thing being governed and a control that lives inside the thing it governs can be overridden by anything that influences the model: an injected instruction in retrieved content, a cleverly framed user request or plain probabilistic drift on an edge case. AgentDojo exists to measure exactly this, putting tool-using agents in realistic tasks with adversarial injections and the result is that the agent can be moved off its policy. When that happens, the in-prompt rule does not stop the action, because the rule and the decision both live in the model the attacker just steered.

A stronger model raises the bar for the attacker without changing the category. It may resist more injections and drift less, but the boundary is still a request it can decline and the OWASP agentic risks, prompt injection and excessive agency among them, remain present because they are properties of letting a model decide. The enforceable version of a policy lives where the model cannot reach it: in the code that mediates the agent's tools and permissions, which checks the action against the rule and blocks it regardless of what the model decided.

Layered diagram: model layer with advisory prompt rules, and an enforcement layer at the tool/permission boundary that blocks violating actions

What does enforced policy look like for an agent?

Controls that sit between the agent and its effects, not inside its reasoning. Permission scopes that the agent physically cannot exceed, so an over-reach is denied at the tool layer rather than trusted at the prompt layer. Action checks that validate what the agent is about to do against the policy before it happens, so a violating call is blocked even if the model was convinced to make it. Approval gates on irreversible or high-consequence actions, so a human confirms what the agent cannot be trusted to decide alone. And policy expressed as enforceable rules, policy-as-code, rather than prose the model interprets. The prompt can still carry the boundary as guidance, which helps the common case, but the enforcement is the code that does not negotiate. That separation is what turns a readable policy into a real one.

AspectPolicy in the promptPolicy enforced in code
NatureRequest the model may declineCheck the model cannot bypass
Under injectionCan be overriddenStill blocks the action
ScopeAdvisoryPermission and tool boundary
High-stakes actionsTrusted to the modelGated, sometimes to a human

A policy the agent only reads is a suggestion, and AgentDojo shows injection moves agents off task; a bigger model does not make the prompt a control, enforce it in code before the incident. (arXiv:2406.13352)

The Pattern Intelligence Layer is where enforcement meets observation. Policy boundaries and the actions that approach them are tracked at the pattern level, so attempted violations show up as signals and the enforced gate has the context to allow, block or escalate. Reliability at the pattern level is what makes a policy something the agent runs inside, not something it is merely told.

Frequently asked questions

Isn't a well-written system prompt enough for most cases?
It handles the common case but is not enforcement. AgentDojo shows injections can move agents off their instructions, so anything that matters needs a check in code that the model cannot override.

Where should the enforcement live?
At the tool and permission boundary, between the agent and its effects. Permission scopes, action checks and approval gates block a violating action regardless of what the model decided.

Does a stronger model let me skip code-level controls?
No. A stronger model resists more attacks but the boundary stays a request it can decline. The OWASP agentic risks persist, so the enforceable control belongs outside the model.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.