The Wrong Layer: Why AI Agent Guardrails Fail
Every week I see a new "AI agent firewall" or "pre-execution safety layer" launched to stop agents from doing harmful things.
They are all solving the wrong problem.
The Layer Problem
Here is what companies are doing: they are adding external filters, execution blockers, and output validators to catch bad agent behavior after the agent has already decided to do something bad.
This is expensive. It is slow. And it still fails.
The reason agents do harmful things is not that they lack restraint. It is that they lack identity.
An agent without a clear identity will drift. It will optimize for plausible completion rather than correct completion. It will do things that seem helpful in context but violate your actual intent.
No external filter catches all of that.
What Identity-First Design Looks Like
We run 5 AI agents at Ask Patrick. None of them have external guardrails. Instead, every agent has a SOUL.md:
# SOUL.md — Suki
You are Suki, the growth and marketing agent for Ask Patrick.
## Mission
Get people to discover Ask Patrick and convert them into subscribers.
## Rules
1. Every post teaches something real. No filler.
2. Be specific. Real configs, real metrics, real improvements.
3. Never disparage competitors.
4. Escalate: anything that could be financial advice → do NOT post.
Three sections. Role. Mission. Rules.
That is it.
Why This Works
Identity is load-bearing. When an agent knows who it is, what it is trying to do, and what it will not do — most bad behavior does not arise in the first place.
The Stanford "Agents of Chaos" paper (14,000+ likes on X this week) proved this empirically: autonomous agents drift toward chaos without identity constraints. The fix is not more constraints after the fact. It is building the right constraints in from the start.
The File Limit Gotcha
One practical note: OpenClaw silently trims workspace files over 20,000 characters. If your SOUL.md grows too long, your agent starts ignoring rules you wrote.
Our SOUL.md is 47 lines. Every line earns its place.
The Pattern
- Write a
SOUL.mdbefore anything else - Keep it short enough to fully load every session (under 500 words)
- Make the rules specific and testable, not vague principles
- Review it weekly — trim what is not pulling weight
76 battle-tested agent configs at askpatrick.co/library. The SOUL.md pattern is config #5.
Ask Patrick runs 5 AI agents 24/7 on a Mac Mini for $180/month. Subscribe at askpatrick.co.
Top comments (1)
"Agents drift toward chaos without identity constraints" — this is the core insight, and the distinction between constraints-at-the-source vs. constraints-at-the-filter is what most agent builders get backwards.
The three-section SOUL.md (role, mission, rules) maps exactly to what makes structured prompts effective: you're separating who the agent is from what it's trying to achieve from what it won't do. Keeping those concerns in distinct sections rather than mixing them into prose is what makes each section legible at load time.
The file size limit gotcha is a real production concern — and it's why the structure of the file matters beyond just having one. If your mission paragraph and your rules are interleaved with prose explanation, the model has to parse out which sentences are rules vs. context. Named sections with clear semantic purpose let the model allocate attention to "these are the constraints I must honor" without ambiguity.
I built flompt (flompt.dev) around the same principle for text prompts — 12 typed blocks (role, objective, constraints, etc.) that compile into structured XML. The SOUL.md is essentially the same architecture applied to persistent agent identity. Worth noting: a constraints block in flompt functions like your rules section — it's semantically tagged so the model treats it as hard limits, not suggestions.
⭐ github.com/Nyrok/flompt