Guardrails as Code: Configuring AI Guardian and Approval Gates for Autonomous Agents
Guardrails are not a slide, they are configuration. Placing every action on the autonomy spectrum, enforcing prohibitions with AI Guardian, and gating the risky five percent.
Everyone talks about AI guardrails in the abstract. You are the one who has to actually configure them, and "we will make it autonomous" without real boundaries is precisely how a single bad action torches your organization's trust in the whole program. Guardrails are not a slide; they are configuration, approval steps, and policy that you build at design time. Let us get concrete about how to bound an agent.
The autonomy spectrum is your primary design axis. Stop thinking of agents as either "assistant" or "autonomous." Think of a spectrum. At one end, the agent only suggests and a human does everything. In the middle, the agent acts but requires approval before the action commits. At the far end, the agent acts fully autonomously. Every action an agent can take should be deliberately placed on this spectrum, and the placement should be driven by the action's reversibility and blast radius, not by how impressive autonomy looks. A draft can be autonomous; closing a customer's case probably starts at act-with-approval; anything irreversible or externally visible earns a gate until the data proves it safe.
AI Guardian's role. AI Guardian, introduced alongside the platform's move into agentic AI, provides the guardrail layer for agents. Use it to define the boundaries within which agents are allowed to operate, the behaviors that are constrained, and the policies that apply to agentic activity. Think of it as the policy plane that sits over your agents rather than logic you scatter inside each one. Centralizing constraints there means you are not relying on every individual agent's instructions to behave; you have an enforcement layer above them.
Define what the agent must not touch. Guardrails are as much about prohibition as permission. Be explicit about the tables, fields, records, and actions an agent is forbidden from, regardless of what its reasoning concludes. An agent that talks itself into a prohibited action should hit a wall, not a suggestion. This is the difference between an instruction ("please do not modify financial records") and a guardrail (the agent cannot modify financial records). Instructions are advisory to a probabilistic model; guardrails are enforced. Prefer enforcement for anything that matters.
Insert approval gates at the consequential actions. For actions in the middle of the autonomy spectrum, build an explicit human approval step between the agent's decision and the commit. The agent assembles the action and its rationale; a human reviews and approves or rejects; only then does it execute. Place these gates surgically at the consequential points, not everywhere, or you recreate the manual bottleneck you were trying to remove. The art is gating the risky 5% while letting the safe 95% flow.
Reversible versus irreversible policy. Adopt a simple, enforced rule: reversible actions can be autonomous once trusted; irreversible actions always require a gate or a strong confirmation. Deleting data, sending external communications, financial transactions, anything you cannot cleanly undo, these stay gated. This single policy prevents the most catastrophic class of agent failure, the confident irreversible mistake.
Test that the guardrails actually hold. A guardrail you have not adversarially tested is a hope. Deliberately construct scenarios that try to make the agent cross a boundary: ambiguous requests, edge cases, inputs engineered to tempt a prohibited action. Confirm the guardrail stops it every time. Then test the approval gates: confirm a gated action genuinely cannot commit without approval, and that a rejected action is cleanly abandoned. If you have not tried to break your own guardrails, you do not know they work.
The maturity here is starting conservative and loosening based on evidence. Ship with tight guardrails and generous gating. Watch the accuracy and outcome data. Remove gates only for the specific paths the data proves safe. You can always grant more autonomy; you cannot un-break the trust that one confident, irreversible, ungated mistake destroys.