Agents and planners emit structured actions. The failure mode is not a malformed request; it is a plausible request to the wrong host, with the wrong method, or over a budget you never approved. Preventing that requires a gate that understands identity, target, and policy, not a bigger prompt.
For the cluster pillar overview, see runtime authorization for AI agents.
Key concepts
1. Shrink the generic "HTTP tool" surface
A catch-all api_outbound tool is convenient and dangerous. Split outbound calls into scoped surfaces, each with an explicit host allowlist and method set. The gate can return SILENCE when a call falls outside the active policy profile.
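A minimal sketch of the split, assuming illustrative names: `OutboundSurface`, its `check` method, and the string constants are hypothetical, not a documented API. Each surface carries its own host allowlist and method set, and anything outside them gets SILENCE.

```python
# Sketch: replace one catch-all HTTP tool with scoped outbound surfaces.
# All names here (OutboundSurface, SILENCE, check) are illustrative.
from dataclasses import dataclass
from urllib.parse import urlparse

SILENCE = "SILENCE"  # gate response for out-of-policy calls

@dataclass(frozen=True)
class OutboundSurface:
    name: str
    allowed_hosts: frozenset
    allowed_methods: frozenset

    def check(self, method: str, url: str) -> str:
        """Return ALLOW only when both host and method are in policy."""
        host = urlparse(url).hostname or ""
        if host not in self.allowed_hosts:
            return SILENCE
        if method.upper() not in self.allowed_methods:
            return SILENCE
        return "ALLOW"

# One narrow surface instead of a generic api_outbound tool.
billing = OutboundSurface(
    name="billing_readonly",
    allowed_hosts=frozenset({"billing.internal.example"}),
    allowed_methods=frozenset({"GET"}),
)

print(billing.check("GET", "https://billing.internal.example/invoices"))
print(billing.check("POST", "https://billing.internal.example/invoices"))
```

The point of the split is that a plausible-but-wrong call (right host, wrong method; right method, wrong host) is rejected by construction rather than by prompt instructions.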
2. Bind who is calling
Include tenant, agent id, and correlation fields in the authorization request so policy can distinguish automation from a human-originated path. Execution flow describes the shape from intent to decision.
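One possible shape for such an authorization request, as a sketch; the field names (`tenant`, `agent_id`, `correlation_id`, `human_initiated`) are assumptions for illustration, not a documented schema.

```python
# Sketch of an authorization request that binds caller identity to the
# action, so policy can distinguish automation from a human-originated
# path. Field names are illustrative assumptions.
import uuid

def build_authz_request(tenant: str, agent_id: str, surface: str,
                        method: str, url: str,
                        human_initiated: bool = False) -> dict:
    return {
        "tenant": tenant,
        "agent_id": agent_id,                  # which automation is calling
        "correlation_id": str(uuid.uuid4()),   # ties the decision to a run
        "human_initiated": human_initiated,    # origin-path discriminator
        "action": {"surface": surface, "method": method, "url": url},
    }

req = build_authz_request(
    "acme", "planner-7", "billing_readonly",
    "GET", "https://billing.internal.example/invoices",
)
print(req["tenant"], req["agent_id"])
```

With these fields present, a policy can allow a human-originated path while returning SILENCE for the same call issued by unattended automation.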
3. Verify, do not "trust the trace"
Traces and logs are evidence, not control. A signed receipt tied to a policy version is a control artifact you can re-verify offline, including in CI, using /verify or your own Ed25519 verifier against published keys.
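An offline re-verification can be sketched with the `cryptography` package. The receipt layout below (a payload plus a policy_version, signed over a canonical JSON encoding) is an assumption for illustration; in practice you would load the published Ed25519 key and match the actual receipt format.

```python
# Sketch: re-verify a signed receipt offline with Ed25519.
# The receipt layout and canonicalization are illustrative assumptions;
# the demo generates a local key pair instead of loading published keys.
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey,
)

def canonical_body(receipt: dict) -> bytes:
    # Canonicalize the signed fields the same way the signer did.
    return json.dumps(
        {"payload": receipt["payload"],
         "policy_version": receipt["policy_version"]},
        sort_keys=True, separators=(",", ":"),
    ).encode()

def verify_receipt(receipt: dict, public_key: Ed25519PublicKey) -> bool:
    try:
        public_key.verify(bytes.fromhex(receipt["signature"]),
                          canonical_body(receipt))
        return True
    except InvalidSignature:
        return False

# Demo: sign and re-verify locally.
sk = Ed25519PrivateKey.generate()
receipt = {"payload": {"decision": "ALLOW"}, "policy_version": "v3"}
receipt["signature"] = sk.sign(canonical_body(receipt)).hex()
print(verify_receipt(receipt, sk.public_key()))  # → True
```

Because verification needs only the receipt, the policy version, and a published public key, the same check can run in CI long after the original trace has been rotated away.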
Related architecture
Next step
Define outbound surfaces, then guard them before the client library runs.