Adopted from Elementum. Guardrails sit outside the AI system, not inside the model. The model's built-in safety is not a substitute. Three layers, each catching a different class of failure:

| Layer | Where it lives | What it does | Example |
|---|---|---|---|
| Policy guardrails | Documents + the registry | Defines who can do what, with which data, under which constraints, before a system runs | "AI cannot approve refunds > $5,000 without human review." |
| Workflow guardrails | The orchestration layer | Turns policy into deterministic approvals, RBAC, business rules, routing | The $5,000 threshold routes the request to a named reviewer with context |
| Runtime guardrails | Execution-time | Input filtering, output validation, tool allowlists, schema checks, semantic filters, kill switches | Block PII in prompts; block tool calls outside the allowlist; block outputs that don't conform to the expected schema |

All three are required. Policy alone is theater. Workflow without runtime checks misses prompt injection. Runtime without policy means each agent invents its own rules.
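
An added example, not from Elementum or the original page: a fail-closed gate that runs outside the model and applies the runtime checks (tool allowlist, strict argument schema) and the workflow rule (refunds above $5,000 go to human review) to each proposed tool call. The tool names, argument schema and `Decision` type are assumptions; only the $5,000 threshold comes from the table.

```python
import math
from dataclasses import dataclass

# Policy values. Only the $5,000 threshold comes from the table; the rest is assumed.
REFUND_REVIEW_THRESHOLD = 5000
TOOL_ALLOWLIST = {  # hypothetical tools -> required argument names and types
    "issue_refund": {"order_id": str, "amount": (int, float)},
    "lookup_order": {"order_id": str},
}

@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "block" or "review"
    reason: str

def check_tool_call(call):
    """Gate one model-proposed tool call before execution. Default is deny."""
    if not isinstance(call, dict):
        return Decision("block", "call is not an object")
    tool, args = call.get("tool"), call.get("args")
    # Runtime guardrail: tool allowlist.
    schema = TOOL_ALLOWLIST.get(tool) if isinstance(tool, str) else None
    if schema is None:
        return Decision("block", "tool not on allowlist")
    # Runtime guardrail: strict schema (no missing, extra or mistyped arguments).
    if not isinstance(args, dict) or set(args) != set(schema):
        return Decision("block", "arguments do not match schema")
    for name, typ in schema.items():
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(args[name], bool) or not isinstance(args[name], typ):
            return Decision("block", f"argument {name!r} has wrong type")
    # Workflow guardrail: deterministic routing on the policy threshold.
    if tool == "issue_refund":
        amount = args["amount"]
        if not math.isfinite(amount) or amount <= 0:
            return Decision("block", "refund amount out of range")
        if amount > REFUND_REVIEW_THRESHOLD:
            return Decision("review", "refund above threshold needs human review")
    return Decision("allow", "within policy")

if __name__ == "__main__":
    # Constructed sample calls, as a model might propose them.
    samples = [
        {"tool": "issue_refund", "args": {"order_id": "A1", "amount": 120.0}},
        {"tool": "issue_refund", "args": {"order_id": "A2", "amount": 7500}},
        {"tool": "delete_account", "args": {"user": "bob"}},
    ]
    for s in samples:
        print(s["tool"], "->", check_tool_call(s))
```
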