Ask HN: How are you controlling AI agents that take real actions?
We're building AI agents that take real actions — refunds, database writes, API calls.
Prompt instructions like "never do X" don't hold up. LLMs ignore them when context is long or users push hard.
Curious how others are handling this: - Hard-coded checks before every action? - Some middleware layer? - Just hoping for the best?
We built a control layer for this — different methods for structured data, unstructured outputs, and guardrails (https://limits.dev). Genuinely want to learn how others approach it.
8 comments
[ 3.2 ms ] story [ 30.0 ms ] threadSerious question. Assuming you knew this, why did you choose to use LLMz for this job?
Worth looking at islo.dev if you want the sandboxing piece without building it yourself.
In my setup, agents propose actions and write structured reports. A deterministic quality advisory then runs — no LLM involved — producing a verdict (approve, hold, redispatch) based on pre-registered rules and open items. The agent can hallucinate all it wants inside its context window, but the only way its work reaches production is through a receipt that links output to a specific git commit, with a quality gate in between.
For anything with real consequences (database writes, API calls, refunds), the pattern is: LLM proposes → deterministic validator checks → human approves. The LLM never has direct write access to anything that matters.
"Just hoping for the best" works until it doesn't. We tracked every agent decision in an append-only ledger — after a few hundred entries, you start seeing exactly where and how agents fail. That pattern data is more useful than any prompt guard.
LLMs ignore instructions. They do not have judgement, just the ability to predict the most likely next token (with some chance of selecting one other than the absolutely most likely). There’s no way around that. If you need actual judgement calls, you need actual humans.
Instead of trying to force the model to behave via prompts or policies, we assume the model will eventually propose something unsafe. The trick is making sure it can't commit irreversible actions directly.
So the pattern we've been experimenting with is:
agent proposes an action
proposal goes through a deterministic gate
gate checks things like replay, state advancement, spend ceilings, etc.
only then does the real-world action execute
In practice this looks more like a transaction firewall than a prompt guardrail.
The LLM can reason however it wants, but anything that changes real state (payments, DB writes, API calls) has to pass through the gate.
It doesn't solve the reasoning problem, but it makes the commit boundary deterministic, which removes a lot of the scary failure modes like duplicate actions or retries gone wild.
Still early experiments, but the model behaving badly becomes much less dangerous if it literally can't execute without passing the boundary.