Why Agents / Safety & Supervision

Safety & Supervision

Agents that take action need guardrails. Safety isn't an afterthought — it's built into the architecture from day one.

Why safety matters

When an AI agent can send emails, update databases, or process payments, the stakes are higher than a chatbot giving a wrong answer. Every action an agent takes needs to be scoped, monitored, and reversible where possible.

Safety in agentic AI isn't about limiting what agents can do — it's about making sure they only do what they're supposed to.

Core principles

Scoped permissions

Every agent gets the minimum access it needs — no more. If an agent only needs to read from a database, it doesn't get write access. Permissions are defined per-tool and per-action.

Input validation

Before an agent acts on data, the inputs are validated and sanitised. This prevents prompt injection, unexpected data formats, and cascading errors.

Audit logging

Every action an agent takes is logged — what it did, when, why, and what data it used. Full traceability for compliance, debugging, and accountability.

Sandboxed execution

Agents run in isolated environments where possible. A failure or misbehaviour in one agent doesn't affect other systems or other agents.

Monitoring in production

Once agents are deployed, supervision doesn't stop. I set up monitoring that tracks agent behaviour, flags anomalies, and alerts when something looks off. This includes:

  • Action frequency monitoring — detecting unusual spikes in activity
  • Output quality checks — sampling and reviewing agent outputs
  • Cost tracking — ensuring API usage stays within expected bounds
  • Error rate tracking — catching degradation before it becomes a problem

Graceful failure

Agents are designed to fail safely. When something goes wrong — an API is down, data is malformed, a decision is uncertain — the agent pauses, logs the issue, and escalates rather than guessing or retrying blindly.

Common concerns (and how they're addressed)

When people hear "AI agent with email access," alarm bells go off. That's healthy. Here's how the most common concerns actually work in practice.

"Does the agent read all my emails?"

No. MCP-based email access works through targeted requests, not polling. The agent doesn't download or scan your entire inbox. It makes specific API calls — "get messages from this sender," "search for this subject line" — scoped to exactly what's needed. Think of it like giving someone permission to check a specific folder, not handing them the keys to your entire mailbox.

"Can the agent send emails without my knowledge?"

Only if you configure it to. Most implementations include human-in-the-loop approval for sending. The agent drafts, you approve. For low-risk automated responses (like acknowledgements), you can enable auto-send with strict templates and logging.

"What if the agent makes a mistake?"

Every action is logged and most are reversible. Critical actions go through approval gates. The agent is designed to escalate uncertainty rather than guess. And monitoring catches drift before it becomes a problem.

"Where does my data go?"

Data stays within your infrastructure wherever possible. MCP servers run in your environment. When LLM APIs are called, data handling follows the provider's enterprise policies (Anthropic, OpenAI, etc. all offer zero-retention options). I never store client data on personal systems.

"What about prompt injection?"

Input validation and sanitization at every boundary. Agents don't execute arbitrary instructions from external data. System prompts are hardened, and tool inputs are type-checked and constrained. It's defense-in-depth — no single layer is enough, but the combination is robust.

Safety architecture is included in every engagement. Get in touch to discuss your requirements.