datarekha

Agent safety controls

Prompt-level safety asks the model to behave — not enough for an autonomous agent that can delete data, send money, or deploy code. You need engineered controls that bound what it can do and let you recover when it goes wrong, even when the model is working 'correctly' but does the wrong thing.

8 min read Advanced Agentic AI Lesson 64 of 71

What you'll learn

  • Why autonomy needs engineered controls, not just a careful model
  • Propose-then-commit — gating high-stakes, irreversible actions
  • Kill switches, canary rollouts, and checkpoint/rollback
  • Layering controls (scope → gate → monitor → kill → rollback) for defense in depth

Before you start

Prompt-level safety — “please be careful, don’t do anything harmful” — is a request, not a guarantee. The moment an agent is autonomous and can take real actions (delete a database, send a payment, deploy code, email a customer), hoping the model behaves is not a safety strategy. You need engineered controls: mechanisms that bound what the agent can do and let you recover when it goes wrong — including the common case where the model is working exactly as trained but still does the wrong thing.

Propose-then-commit: gate the irreversible

The single most important control is to separate proposing an action from executing it for anything high-stakes or irreversible. Low-risk, reversible actions (reading a file, summarizing) run automatically; irreversible ones (sending money, deleting data) are proposed and require approval — from a human, or a policy checker — before they commit:

IRREVERSIBLE = {"delete_database", "send_payment", "email_external"}

def execute(action):
    if action in IRREVERSIBLE:
        return f"{action}: PAUSED -> needs approval"   # propose, don't commit
    return f"{action}: auto-executed"

for a in ["read_file", "summarize", "send_payment", "delete_database", "list_dir"]:
    print(" ", execute(a))
  read_file: auto-executed
  summarize: auto-executed
  send_payment: PAUSED -> needs approval
  delete_database: PAUSED -> needs approval
  list_dir: auto-executed

The reversible actions flow through; the irreversible ones stop at a gate for a human to confirm. This is the same human-in-the-loop idea behind safe deploys — plan, review, then apply — applied to every dangerous tool call.

🛑 kill switch · stop any agent instantlyagentproposes actionrisk gateclassify actionlow riskauto-execute (reversible)high riskproposehuman approvescommit+ least-privilege scope · canary rollout · checkpoint & rollback
Defense in depth: scope the agent, gate the irreversible actions for approval, keep a kill switch to stop it instantly, and checkpoint so you can roll back.

The rest of the toolkit

Propose-then-commit is one layer; production autonomy stacks several:

  • Least privilege / scoping (the recap from prompt injection): give the agent the minimum tools and permissions, so even a wrong action has a bounded blast radius.
  • Kill switch. A way to stop an agent instantly — globally or per-agent — when it misbehaves. Non-negotiable for anything autonomous; you must be able to pull the plug without redeploying.
  • Canary / staged rollout. Release a new agent or capability to a small slice of traffic first, watch it, then expand — so a regression hits a few requests, not all of them.
  • Checkpoints & rollback. Snapshot state before a risky operation so you can undo it, and prefer reversible or transactional operations where possible (soft-delete, draft-then-send). Pairs naturally with durable execution.

In one breath

  • Prompt-level safety is a request, not a guarantee; an autonomous agent that takes real actions needs engineered controls to bound it and recover when it errs.
  • Propose-then-commit: reversible/low-risk actions auto-execute, but irreversible ones (payments, deletes, deploys) are proposed and require approval before they commit (the demo gates send_payment and delete_database).
  • Layer the rest: least-privilege scoping (bounded blast radius), a kill switch (stop instantly), canary/staged rollout (limit a regression’s reach), and checkpoints + rollback (undo; prefer reversible ops).
  • This is not the prompt-injection problem — it bounds the agent’s own actions (including honest mistakes), not just adversarial input. You need both.
  • The mindset: assume the agent will eventually do something wrong, and engineer so it was gated, contained, stoppable, and undoable.

Quick check

Quick check

0/4
Q1Why isn't prompt-level safety ('please be careful') enough for an autonomous agent?
Q2What is the 'propose-then-commit' control?
Q3Why is a kill switch essential for an autonomous agent?
Q4How do agent safety controls differ from prompt-injection defenses?

Next

Safety controls pair with durable execution (checkpoints/rollback) and the security lessons — agent security, prompt injection, and credential security — for the full picture of running an autonomous agent safely.

Sign in to track your progress

Completed lessons, your XP, level, and streak save to your account — it's free and takes a few seconds.

Related lessons

Explore further

Skip to content