Prompt Guardrails Fail Once Agents Execute
This Reddit discussion argues that model-facing safety controls (prompt-level guardrails, refusal training, output filters) matter less once agents can call tools, edit files, run shell commands, and touch internal systems. The real control point shifts from what the model says to whether a proposed action is allowed to execute.
Hot take: this is the right framing, and it is why "better prompts" is the wrong unit of security for agentic systems. Prompt filters still help with low-risk conversation hygiene, but they are not a security boundary once side effects are real, because anything the model can be talked into, it can be talked out of. The durable pattern is propose, evaluate, execute: the model proposes an action, an external policy layer that the model cannot influence approves or denies it, and only then does the runtime run it. Sandboxes reduce blast radius, but they do not replace scoped credentials, audit logs, idempotency, or kill switches. Agent infrastructure is already moving toward capability separation, pre-execution checks, and JIT authorization for filesystem, shell, browser, API, and MCP access.
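What the propose, evaluate, execute pattern looks like as code, as an added example that is not from the Reddit thread or from any named agent framework: the model's only output is a `ProposedAction`, a `PolicyGate` holding scoped, time-boxed capabilities decides, records the decision in an audit log, rejects replays by idempotency key, and honours a kill switch, and only an approved action reaches a tool. The tool names (`fs.write`, `shell.run`, `http.get`), the `/workspace` root and the stand-in tool functions are all constructed for the demo.

```python
# Added example (not from the Reddit thread or any named product): a policy
# gate between what a model proposes and what the runtime executes. Tool
# names, paths and the stand-in tool functions are all constructed.
import hashlib
import json
import posixpath
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProposedAction:
    """The model's entire output: a tool name plus JSON-able arguments."""
    tool: str
    args: dict


@dataclass
class Capability:
    """A scoped, time-boxed grant: tool, argument predicate, expiry (epoch s)."""
    tool: str
    predicate: Callable[[dict], bool]
    expires_at: float


def path_under(root: str, key: str = "path") -> Callable[[dict], bool]:
    """args[key] must stay inside root after normalisation; normalising first
    is what stops /workspace/../etc/passwd from matching /workspace."""
    root = posixpath.normpath(root)

    def check(args: dict) -> bool:
        p = posixpath.normpath(str(args.get(key, "")))
        return p == root or p.startswith(root + "/")
    return check


def argv_in(allowed: set) -> Callable[[dict], bool]:
    """Shell commands are argv lists, never strings; only argv[0] is allowlisted."""
    def check(args: dict) -> bool:
        argv = args.get("argv")
        return isinstance(argv, list) and bool(argv) and argv[0] in allowed
    return check


def fingerprint(action: ProposedAction) -> str:
    """Idempotency key: identical tool + args always hash the same."""
    blob = json.dumps([action.tool, action.args], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


class PolicyGate:
    def __init__(self, capabilities, kill_switch=lambda: False, now=time.time):
        self.capabilities = list(capabilities)
        self.kill_switch = kill_switch      # consulted on every action
        self.now = now                      # injectable clock for JIT expiry
        self.audit: list = []               # every decision, allowed or not
        self._executed: set = set()         # fingerprints already run

    def evaluate(self, action: ProposedAction) -> tuple:
        """Decide without executing. Default deny; only a live, matching
        capability whose predicate passes can allow."""
        if self.kill_switch():
            return False, "kill switch engaged"
        if fingerprint(action) in self._executed:
            return False, "duplicate of an action already executed"
        for cap in self.capabilities:
            if (cap.tool == action.tool and cap.expires_at > self.now()
                    and cap.predicate(action.args)):
                return True, f"allowed by capability for {cap.tool}"
        return False, "no live capability covers this action"

    def execute(self, action: ProposedAction, tools: dict) -> dict:
        """The only path to a side effect: evaluate, record, then run."""
        allowed, reason = self.evaluate(action)
        self.audit.append({"ts": self.now(), "tool": action.tool, "args": action.args,
                           "key": fingerprint(action), "allowed": allowed, "reason": reason})
        if not allowed:
            return {"status": "denied", "reason": reason}
        self._executed.add(fingerprint(action))
        return {"status": "executed", "result": tools[action.tool](**action.args)}


# Constructed stand-in tools: they describe the action instead of performing it.
TOOLS = {
    "fs.write": lambda path, content: f"wrote {len(content)} bytes to {path}",
    "shell.run": lambda argv: "ran " + " ".join(argv),
}


def demo(kill: bool = False, now: float = 1000.0) -> list:
    """Push a fixed batch of proposals through one gate; return (status, reason)."""
    gate = PolicyGate(
        [Capability("fs.write", path_under("/workspace"), now + 300),
         Capability("shell.run", argv_in({"git", "ls"}), now + 300),
         Capability("http.get", lambda a: True, now - 1)],   # JIT grant already expired
        kill_switch=lambda: kill, now=lambda: now)
    proposals = [
        ProposedAction("fs.write", {"path": "/workspace/notes.md", "content": "hi"}),
        ProposedAction("fs.write", {"path": "/workspace/../etc/passwd", "content": "x"}),
        ProposedAction("shell.run", {"argv": ["git", "status"]}),
        ProposedAction("shell.run", {"argv": ["curl", "http://example.invalid/"]}),
        ProposedAction("http.get", {"url": "http://internal.example.invalid/"}),
        ProposedAction("fs.write", {"path": "/workspace/notes.md", "content": "hi"}),  # replay
    ]
    results = [gate.execute(p, TOOLS) for p in proposals]
    return [(r["status"], r.get("reason", "")) for r in results]
```

Two design choices carry the security point. Arguments are canonicalised before the predicate runs, so the traversal path is denied by the same rule that allows the normal write, and shell commands are argv lists checked by executable rather than strings matched by pattern, so there is no prompt wording that turns an allowed `git` into a pipeline. The gate owns the audit log and the idempotency set, so the model never sees or influences either.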
DISCOVERED 2026-03-21
PUBLISHED 2026-03-21
AUTHOR docybo