Step 1 of 4
Inventory soft rules and classify enforcement needs
Know which promises are currently backed by nothing.
Extract every behavioral rule from your system and tool prompts into a list. For each, record: what it protects (data loss, money, credentials, repo history, user trust), the worst case if the model ignores it, and how often transcripts show it violated. Classify: GUIDANCE (style, tool preference - prompt-only is fine, though code may add suggestions), CONFIRM (destructive-but-legitimate operations - needs an ask gate), and BLOCK (never legitimate without explicit authorization - needs a deny). The output is an enforcement matrix: rule, class, existing enforcement (usually none), required check. Prioritize by worst case, not frequency.
Expected after this step
An enforcement matrix mapping every prompt rule to its required code backing.
Should not happen
- ✕Prompt-only safety: one bad sample away from a destructive action
- ✕Code-only safety: the model floods the gate with denied attempts because nothing guides it
- ✕Code checks keyed to prompt phrasing, breaking when the prompt is reworded
- ✕Everything denied outright, training users to bypass the agent entirely
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !Prompt-only safety: one bad sample away from a destructive action
- !Code-only safety: the model floods the gate with denied attempts because nothing guides it
- !Code checks keyed to prompt phrasing, breaking when the prompt is reworded
- !Everything denied outright, training users to bypass the agent entirely
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
The matrix says most rules are guidance. Re-test each against: 'if the model violated this once at the worst moment, is the damage acceptable and reversible?' If not, it is confirm or block - optimism here is precisely the failure the second layer exists to catch.