Skip to content

Definition

For hard policy limits (e.g. never process a refund over a threshold), enforcement must live in the application layer that intercepts tool calls, not in prompt instructions — because model discretion is unreliable.

Key points

  • The trap: relying on emphatic system prompts ("CRITICAL POLICY: NEVER process >$500") still yields a 3% failure rate.
  • The architectural standard:
    • Implement an application-layer hook to intercept tool calls.
    • When the process amount exceeds the threshold, block it server-side and invoke escalation.
    • Model discretion is removed.
  • Diagram: AI Agent → Application-Layer Interceptprocess_refund($847) blocked → routed to Human Escalation.
  • This is enforcement at the application layer, not prompt instructions — the same principle as PreToolUse hook enforcement (the only reliable enforcement for financial/destructive ops).
  • On the Architect's Reference Matrix this is the Compliance/Control × Customer Support cell ("App-Layer Intercepts").

Why it matters for the exam

  • README study focus item. Compliance scenarios: the correct answer is a deterministic server-side intercept, not a stronger prompt.

Common gotchas

  • "Make the system prompt more emphatic" is always wrong for hard limits — 3% still slips through.
  • Enforcement is server-side/application-layer, invoking escalation on block.

See also

Sources