it is more and more common in many applications. However, the integrated agents in your program are much more than just giving the LLM access to all information and functions. You also need to build effective guardrails that ensure the agent receives only relevant data and prevent abuse of functions. You need to do this, while also ensuring that the model can work effectively by accessing the necessary data, and use as many functions as possible, without needing a person at the waist.
My goal of this article is to highlight, at a high level, how to create agentic guardrails to ensure that your agent accesses only the necessary data that receives the necessary information. I will first discuss why guardrails are so important, before moving on to the most important part of Guarderrails: Good approval. Next, I'll discuss creating your own data guards, and continue to cover Guardrails by function.
Why you need Guardrails for your agents
First, I want to explain why we need security guards that work with AI Agents. You can, in theory, just give the agent access to all the information and functions in your applications, right?
There are many reasons why caution is necessary. The main reason is to prevent the agent from doing any unwanted actions, such as deleting data tables. In addition, you also need to ensure that agents only receive data within a certain limit, for example, ensuring that an agent used by one customer cannot use data from another customer.
Some Guardrails can be set up automatically and do not require human involvement. Database access in Guardrail, where you limit what the agent is working on (for example, within the customer), and only allow the agent's access to customer information. Some Guardrails, however, require human interaction. Consider if an agent wants to run a command, how do we make sure that the agent does not perform a destructive action (such as deleting a database table), and the user allows the command?
In these cases, we have a loop-in-the-loop, where the agent requests permission to perform a specific action. If the user allows it, the agent can continue, and if it is not allowed, the agent must decide on a different course of action.
Clean Permits
A possible requirement for working with agents is to have clean permits. This means that you can easily check whether a function, or certain data, is available within a certain range, such as:
- Does this customer 1 access Database table a?
- Does user 2 have access to function B?
- Does organization 3 achieve function c?
It is important that you have a good fake authorization used in your application. There are many providers that offer this functionality.
If you are absolutely sure that a task is authorized, you should apply it to all tasks in your applications, and manage both the state where access is granted and where access is denied where access is denied when access is denied. If access is denied, for example, you might consider adding a message that says you need to ask an administrator for a certain level of access to be able to perform a certain action.
Data Agentic Guardrails
After you've implemented properly disposed permissions, we can start discussing the Guardrails around your data. It is important that your agent has access to as much data as possible to effectively answer user questions. You need to balance this with the fact that the agent should not access restricted data, or download unnecessary information that does not need to answer the user's question
Access to restricted data
Restrict data access for your agents severely until properly authorized. In your operations that perform data searches (data visualization, bucket retrieval, …), you must check the user's access first.
In addition, you should also look to inform your agent of the benefits that you are allowed to do. Having an agent try to access the data and be denied access for any reason will be very expensive, both token usage and time wise.
Avoid Downloading unnecessary information
If you give your agent access to all data tables and data buckets, you may have problems where agents have too many options, and it will be a challenge to find the right table of documents. This is also a topic I recently covered in my article about tools for building effective agents.
To solve this problem, I would focus on informing only the agent of the relevant information sources. If an agent is working on a task that you know can only be solved using database a, you should consider informing the agent only about database a, and leave all other information that applies to agents immediately. This, of course, assumes that you know what data works best for the agent to answer queries.
Job Agentic Guardrails
I think the topic of creating agentic GuardRalis with jobs is more interesting. The reason is that there are many things to consider when building these Guardrails:
- How do you prevent destructive actions?
- How do you minimize human interaction?
How do you prevent destructive actions
A very important subtopic in WUNCHENT Guardrails is preventing harmful actions. To solve this, you have to assign all tasks to what they do Unrepentant Actions. For example
- Deleting a database table is irreversible (you can, upload a backup, but this requires some work)
- Table reading has no detrimental effect
If the agent performs an action that is easily reversible (it can be undone by clicking the undo button), or an action that has no destructive effect, you can simply let the agent run the job.
If the user performs an action that is not objectionable, however, it must notify the agent of that, and it may benefit the human user if the agent is able to perform this action.
How do you reduce the human-in-loop interaction?
Naturally, you want to prevent destructive actions. However, you also don't want to bother the user too much by prompting if the agent can perform the action or not.
A good way to reduce human interaction is to perform a whiteling task, such as which pointer is the last command only: first the pointer wants to execute a command, such as:
- CD in the folder
- Run Pytest test
- Move a file from one location to another
The indicator will prompt the user if he is allowed to execute the command. You can then choose one of the three options below:
- Deny the request
- Accept request (one time)
- Whitalist command (accept the request now, and go forward)
WhitiTelisting works well because you ensure that the user allows the agent to run a task or command, but you don't have to worry them too much about that straight forward task. However, the white background is reduced to the fact that some commands cannot be white, processing the user must review the context every time the agent proposes to perform other operations (such as deleting a data table)
Lasting
In this advanced article, I have discussed how you should approach creating agentic programs in relation to Guardrails. Guardrails are necessary because you need to ensure that the event does something in the desired behavior and is not allowed to do things like things like finding things or doing destructive things without express permission from the user. I discussed creating Guarderails with your information and the jobs you get available from your agent. I believe that Guardrails are an important part of the architecture of an agentic application, which should always be kept top-of-mind when creating eventic programs. Ensuring that the appropriate Guardrails are in place will make your agents safe to use, which is very important, considering that if the user's trust in the agent is broken, it will be difficult to restore the user's trust.
👉 Find me in the community:
🧑💻 Get in touch
🔗 lickEdin
🐦 X / Twitter
✍️ Medium
You can also read some of my articles:
