Agents in production
Agent infrastructure
AI agent guardrails work at the runtime layer, not the prompt layer. Why tool call safety, not output filters, is where production agents actually hold.

Most agent guardrail conversations start at the model and end at the model. Prompt filters, output classifiers, jailbreak detectors, refusal training. That's fine as far as it goes. But the failures that actually hurt production agents — the ones that delete data, leak records, or bill a customer twice — don't happen inside the model. They happen when a tool call executes. If your guardrails only sit around the LLM, you're guarding the wrong layer.
This is a POV piece, so here's the position plainly: AI agent guardrails are a runtime discipline, not a prompt discipline. The model is one input to the decision. The tool call is where the decision becomes real.
The industry has converged on a reasonable pattern around the model itself. On the way in, you filter prompts for injection attempts, sensitive data, and policy violations. On the way out, you classify responses for toxicity, hallucinated citations, or leaked PII. Vendors like Lakera and open-source projects like NeMo Guardrails do this well.
This is useful. It's also the easy half. Pre-LLM and post-LLM guardrails treat the agent as a text-in, text-out system. Modern agents aren't. They're systems that decide to call tools, and those tool calls hit real APIs against real customer data. A perfectly polite response that includes the wrong SQL update is not a safe response. It's a production incident with good grammar.
When a model emits a tool call, three things need to be true before it executes, and none of them are the model's job to enforce:
Call these agent runtime policy rules. They're the guardrails that matter, and they live outside the model on purpose. If the model gets jailbroken, gets confused, or hallucinates a tool argument, the runtime is the layer that has to hold.
Here's the asymmetry that keeps getting missed. When a prompt-level guardrail fails, you often don't know. The model complied with an injected instruction, the output classifier didn't catch it, and the tool call went through. The logs show a successful invocation. The incident is discovered when a customer notices.
When a runtime guardrail fails — when the tool call is rejected because the user lacks permission, or the argument is out of policy, or the action requires confirmation — you get a structured error. It's logged. It's countable. It shows up in dashboards. You can alert on it, rate-limit on it, and page on it.
That difference matters more than most guardrail vendors admit. You cannot operate what you cannot observe, and prompt-level failures are largely unobservable in the way that counts. Runtime failures are events. Prompt failures are vibes. If you're serious about tool call safety, you invest where the signal is.
A working set of runtime guardrails is boring in a way that prompt guardrails aren't. It's a small number of enforced rules, applied consistently, at the point of execution:
This is the layer that makes agents deployable in regulated environments. Not a better classifier. Not a bigger prompt. A runtime that treats tool calls as first-class security events.
The reason we keep coming back to this argument: Pontil operates in the tools layer of the agent stack, which is where runtime guardrails actually get applied. Our runtime executes tool calls as the authenticated user, honours the permission model your product already enforces, and treats every invocation as a logged, policy-checked event.
That's not a claim that Pontil replaces prompt-level guardrails — you still want those. It's a claim that if you're only doing prompt-level guardrails, you've secured the layer where failures are silent and left the layer where they're expensive unguarded. For teams whose agent projects have stalled at security review, the fix is rarely a better model. It's a runtime that a security team can reason about.
If your agent guardrail conversation lives entirely in prompt-land, move it. Ask three questions of your next agent design review. Which tool calls are destructive, and what stops them being called wrong? Whose identity does each call execute under, and does that identity carry the permissions your product already enforces? When a guardrail trips, where is the log, and who gets paged?
If you can't answer those without hand-waving toward the model, you don't have agent runtime policy — you have prompt hygiene. Both are useful. Only one of them will hold when the model gets it wrong.
Stay up to date on the ever changing agentic landscape.