Definition
Guardrails
Guardrails are the controls that constrain what an AI system is allowed to do or say, enforced around the model rather than left to the model's judgment. They validate inputs and outputs, block unsafe or off-policy actions, scope which tools an agent may use, and route risky operations through approval — turning a probabilistic model into a system safe to deploy.
Key takeaways
- Guardrails constrain what an AI system may do or say, enforced around the model rather than trusted to the model's own judgment.
- They validate inputs and outputs, block off-policy actions, scope an agent's tools, and route risky operations through human approval.
- For agents, the key guardrails are about authority — least-privilege tools, a hard tenant boundary, and approval gates — not just language filtering.
- They are the durable defense against prompt injection, paired with an audit trail of what was attempted and what was allowed.
A language model is probabilistic and can be steered by its input, so trusting it to police itself is fragile. Guardrails move the enforcement outside the model: deterministic checks and policies that wrap the call. On the way in they filter or sanitize prompts; on the way out they validate that responses match a required schema, stay on policy, and contain nothing unsafe before anything acts on them.
For agents that can take actions, the most important guardrails are about authority, not language. Scoping an agent to a least-privilege set of allowed tools, enforcing the tenant boundary on every call, and gating destructive operations behind explicit human approval bound what an agent can do regardless of what it decides. The model proposes; the guardrails decide what is permitted to execute.
Guardrails are also defense against adversarial input. Because prompt injection tries to make a model ignore its instructions, the durable protection is not a sterner system prompt but external limits the model cannot talk its way past — and an audit trail that records what was attempted and what was allowed.
In Planoda, agents are clamped to an explicitly allowed tool set inside the RLS tenant boundary, destructive actions require propose/approve, and every action lands in an immutable audit trail.
Related terms
- Propose / Approve (AI Governance)Propose/approve is a governance pattern for autonomous software: instead of executing a consequential action directly, an AI agent emits it as a proposal that a human or policy must approve before it runs. It keeps fast, read-only work autonomous while gating destructive or irreversible operations — the practical way to give agents real power without surrendering control.
- Prompt InjectionPrompt injection is an attack on AI systems where malicious instructions hidden in user input or retrieved content trick a language model into ignoring its original directives — leaking data, performing unauthorized actions, or producing harmful output. Because models can't reliably separate trusted instructions from untrusted data in their context, it is a fundamental security risk for any LLM application.
- Audit TrailAn audit trail is an append-only, time-ordered record of who did what, when, and to which object across a system. Every create, edit, delete, and approval is logged immutably, so any state can be traced back to the actions that produced it. Audit trails underpin accountability, debugging, compliance, and — increasingly — oversight of what AI agents do.
- Tool CallingTool calling is the capability that lets a language model invoke external functions — query a database, search the web, create a record — by emitting a structured request the surrounding system executes. Instead of only producing text, the model can take actions and pull in live data, turning it from a text generator into the reasoning core of an agent.
- RBAC (Role-Based Access Control)Role-based access control (RBAC) governs what users can do by assigning them roles — such as admin, member, or viewer — that carry defined permissions, rather than granting rights to each person individually. It scales access management: change a role's permissions once and every user with that role updates, and onboarding becomes assigning a role, not wiring up dozens of grants.