Learning / Agentic Operations / Lesson 0015
Guardrails & the HITL Checkpoint
Least privilege at the tool boundary; a human gate placed by risk, its throughput cost measured.
1 · Give the agent a dangerous tool
Add a tool with real-world consequence — a simulated one: send_email(to, body)
that writes to an outbox file, or delete_record(id) that mutates a local store. Now
the agent can take an action that's hard to reverse — the exact case guardrails exist for
(OWASP LLM Top 10).
2 · Guardrails: least privilege + validation
- Least privilege: scope the tool to the minimum it needs. Can
send_emailonly reach an allowlist of recipients? Candelete_recordtouch only records the current task owns? Scope in your code, not the prompt — the prompt is advisory, the code is the boundary. - Input/output validation: validate the tool's arguments (0005's rule, now with stakes) and validate the agent's final output before it leaves.
- Injection defense: re-run a 0007-style attack — feed the agent untrusted
content trying to trigger
send_emailto an attacker address. Your least-privilege scoping should make the attack fail structurally even if the prompt defense is bypassed.
3 · Place a human checkpoint — by risk
The hard part isn't adding approval; it's placing it without killing throughput (Lesson 0004). Design a policy, don't gate everything:
| Action | Reversible? | Blast radius | Gate? |
|---|---|---|---|
| read_record | yes | none | auto |
| send_email (allowlisted) | no | 1 recipient | ? |
| delete_record | no | data loss | human |
Implement the gate: when the agent proposes a gated action, the loop pauses and surfaces it for approval (a console prompt, or a queue). Auto-approve the rest.
This is not abstract for you — Vernant's own commit/push/egress battery is exactly a checkpoint policy placed by risk (reversible local edits auto-proceed; irreversible egress hails a human). You operate a worked example of this lesson every session.
4 · Measure the throughput cost
Run a batch of tasks through with the checkpoint on and off. Record the cost of the gate:
Self-grade
- Least privilege enforced in code — the dangerous tool is scoped structurally; injection stopped by the scope, not the prompt
- Checkpoint placed by risk — a policy that gates irreversible/high-blast actions and auto-approves the rest, not a gate on everything
- Throughput cost measured — the price of the gate stated in numbers (waits added, bad actions blocked)
- Auditable — consequential actions logged with decision + context
Next
Lesson 0016 — the full improvement loop: catch a live regression, ship a gated fix, prove the suite would have blocked the bad version. The last lesson — and the M4 gate.