Day 5 · Lesson 4 — Spec-Driven Production Development
An agent optimises for its goal with whatever it can find, unless something stops it.
A single prompt to "create a button" once sent fifty colleagues false emails: in auto-approve mode the browser agent clicked it, hallucinated a URL, and connected to a deprecated email agent with no safeguards. That's the whole lesson in one story: without a guardrail, an agent fulfils its goal using whatever it can find, never asking whether it should.
From Day 4: hard-coding rules into a system prompt is a weak control because —
Brittle: contexts overflow and agents can be "convinced" to break rules. Real guardrails must be external and tamper-proof. This lesson builds that safety net.
The paradox: agents must be autonomous enough to solve real problems, but can't be allowed to go rogue. Because LLMs are probabilistic, not deterministic, constraints baked into a system prompt are brittle: contexts overflow, and agents get talked past their rules by prompt injection. Production-grade platforms need external, tamper-proof governance.1 Four layers make up the net.
Execute agent tasks in ephemeral, low-privilege containers isolated from the network and sensitive files. If the agent is tricked into a destructive command, the damage is confined to a disposable instance that hits a hard kernel-level permission error, and the host stays untouched.1 (Day 4's Pillar 1, one toggle away.)
Checkpoint gates for actions with a specific risk profile: deploying to prod, modifying schemas, initiating transactions. The agent's sanitized intent is presented to a human for sign-off, so final responsibility for architectural integrity stays in human hands.1
The centerpiece: intercept every action before it hits an external system, in two layers:1
STRUCTURAL GATING (traffic lights) — deterministic role/env rules, fast + binary
e.g. a "viewer" role cannot call send_email (defined in policies.yaml)
SEMANTIC GATING (intelligent referee) — a second LLM inspects INTENT + content
e.g. an admin MAY use send_email, but MUST NOT send unmasked PII
(you can't regex every possible leak — so a model judges the intent)
The flow: structural check (YAML) → semantic check (ask Gemini) → execute, or return a "Policy Violation" the agent can self-correct against. Its deepest idea: separate execution logic from governance logic, a critical separation of concerns for enterprise software.
The "context hallucination" risk: lacking data, an agent fills gaps with whatever strings are in
context: hardcoded emails, private URLs. Middleware masks PII and injects placeholders
([[COMMENTER_EMAIL]] resolved at runtime), so the agent operates on sterilized data and never
hardcodes real PII.1
Plus the quality net: AI-generated test coverage (make the agent write a failing test before any fix, keep it in the codebase) and evaluation, because "tests catch deterministic regressions; evaluation catches behavioural drift." That single line ties Day 1, Day 4, and Day 5 together.
This lesson is the governance framework as a running service. Structural + semantic gating is V Validation, deterministic and intelligent. Sandboxing is R Runtime Control (blast-radius containment). HITL on high-stakes sinks is R + human approval. Context hygiene / PII masking is C Compliance. And "external, tamper-proof governance, separate from execution logic" is the exact thesis of the whole series: the enterprise wrapper (Day 2), the runtime pillars (Day 4), and VERDICT's "prevents AI from going unchecked," now shipped as a policy engine in front of every tool call.
Ladder read: rules in a system prompt = L1 (bypassable); an external policy server with structural + semantic gates, sandboxing, HITL, and context hygiene = the L3 Controlled production posture the entire course has been climbing toward.
Never run agents in YOLO auto-approve for actions that touch the world. Sandbox execution, and use
placeholders ([[VAR]]) instead of hardcoding real emails/URLs an agent could send to.
Stand up a Policy Server in front of tool calls (policies.yaml for
structural rules, a semantic check for PII/intent), and require HITL sign-off on the high-stakes sink list.
Mandate external, tamper-proof governance separated from execution logic. Rules in a system prompt are not a control. This policy-engine pattern is where VERDICT / the 7 pillars become an enforced runtime reality.
Recall, don't re-read.
The Policy Server's two layers are —
Structural (deterministic role/env rules in YAML) + semantic (an LLM judging intent, e.g. no unmasked PII). Together they catch what regex can't, and separate governance from execution logic.
The 50-false-emails incident happened because the agent —
Context hallucination: lacking a URL, it connected to a deprecated agent and used hardcoded addresses, fulfilling its goal with whatever it could find, never checking whether it should.
"Context hygiene" middleware protects against leaks by —
Replace real PII with generic placeholders ([[VAR]]) resolved at runtime,
so the agent operates on sterilized data and can't hardcode or leak sensitive strings.
Pick one agent that can act on the world. Ask: is there anything external to the model
between its decision and the action firing? If the only "guardrail" is a rule in its system prompt, you
have the 50-emails incident waiting to happen. A tiny policies.yaml gate is the fix.
Spec-Driven Production Grade Development (Day 5), "Zero-Trust Development", "Implementing Guardrails", "Policy Server", "Context Hygiene" pp.26–34; the deeper security treatment is Day 4.
Up next → Day 5 · Synthesis. Reassemble the day (spec-driven → instructions → review → zero-trust) and link it to the whole series. Recall-only.
Related: Day 4 L4: circuit breakers · The Governance Layer (VERDICT) · ← Day 5 L3 · Course home