What every agent must enforce before it acts. Adapted from Elementum's framing, with corroboration from Anthropic, Microsoft, and OWASP.
- Confidence thresholds per process, not per model. An agent approving a $1,000 procurement request has a different threshold than one approving a $100,000 contract — regardless of model calibration. Tie thresholds to the business risk, not the model's internal score.
- Human-in-the-loop checkpoints at irreversible decision points. Financial transactions, deletions, regulated decisions, customer-facing actions, anything that writes to systems of record. HITL is a compliance artifact, not a backup.
- Input validation and prompt-injection defense. Sanitize inputs. Use a secondary validation step on untrusted content (e.g., RAG-retrieved docs) before it reaches the main agent. Treat retrieved data as adversarial.
- Deterministic workflow boundaries. The orchestration layer — not the agent — decides when AI runs, what data it sees, and where humans review. Business rules handle steps requiring consistency. Agents handle steps requiring reasoning. Humans handle steps requiring judgment.
- Least-privilege scoping. No wildcard permissions, no shared service accounts. Three constraint dimensions enforced together: operation restrictions, resource restrictions, output limitations. Enforced at the IAM layer, not just by the application.
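A deterministic policy gate that applies the threshold, checkpoint and scoping rules above (items on confidence thresholds, human-in-the-loop checkpoints, workflow boundaries and least-privilege scoping) to an agent's proposed action. This is an added example, not code from Elementum or any of the cited vendors; the process names, thresholds, scope values and sample actions are constructed for illustration.

```python
"""Orchestration-layer gate: decides allow / human_review / deny for one action.

Added example with constructed values. Thresholds here are placeholders; in a
real deployment they come from the business risk assessment of each process.
"""
from dataclasses import dataclass

# Per-process thresholds (assumed values). The process, not the model, owns
# the bar: the same model score is judged differently in each process.
CONFIDENCE_THRESHOLDS = {
    "procurement_small": 0.80,
    "procurement_contract": 0.99,
}

# Writes to systems of record and irreversible operations always get a human
# checkpoint, regardless of confidence.
IRREVERSIBLE_OPERATIONS = {"approve_payment", "delete", "send_customer_email"}


@dataclass(frozen=True)
class Scope:
    """Least-privilege scope: all three dimensions are checked together."""
    operations: frozenset   # operation restriction
    resources: frozenset    # resource restriction (explicit names, no wildcards)
    max_output_bytes: int   # output limitation


@dataclass(frozen=True)
class Action:
    process: str
    operation: str
    resource: str
    confidence: float
    output_bytes: int


def process_for(amount_usd: float) -> str:
    """Route by business risk (assumed limit): large amounts are a different process."""
    return "procurement_small" if amount_usd < 10_000 else "procurement_contract"


def gate(action: Action, scope: Scope) -> str:
    """Scope violations fail closed; irreversible steps and low confidence go to a human."""
    if action.operation not in scope.operations:
        return "deny"
    if action.resource not in scope.resources:
        return "deny"
    if action.output_bytes > scope.max_output_bytes:
        return "deny"
    threshold = CONFIDENCE_THRESHOLDS.get(action.process)
    if threshold is None:
        return "deny"           # unknown process: fail closed rather than guess
    if action.operation in IRREVERSIBLE_OPERATIONS:
        return "human_review"   # HITL checkpoint at the irreversible decision point
    if action.confidence < threshold:
        return "human_review"
    return "allow"
```

The gate runs in the orchestration layer before any tool call is dispatched, so the agent never decides for itself whether a step needs review.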