The latest articles on DEV Community by Enforra (@enforra). https://dev.to/enforra https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3944883%2F2c9796df-e70c-4a5c-bc34-912fa03f86f3.png https://dev.to/enforra en Enforra Thu, 21 May 2026 22:05:35 +0000 https://dev.to/enforra/system-prompts-are-not-a-security-boundary-for-ai-agents-2n8 https://dev.to/enforra/system-prompts-are-not-a-security-boundary-for-ai-agents-2n8 <p>AI agents are moving from generating text to taking actions.</p> <p>They can run commands, send emails, issue refunds, update records, call internal tools, and touch production workflows.</p> <p>That changes the security model.</p> <p>A system prompt can guide an agent, but it should not be the thing that enforces policy.</p> <p>If an action has a real side effect, there should be a control point before that action happens.</p> <p>The problem</p> <p>When an agent calls a tool, the important event is not the text the model generated.</p> <p>The important event is the tool call.</p> <p>That is where something real can happen.</p> <p>A model can be manipulated.<br> A model can hallucinate.<br> A user can ask for something risky.<br> A prompt can be ignored or misunderstood.</p> <p>So the question should not only be:</p> <p>Did the model intend to do this?</p> <p>It should also be:</p> <p>Should this action be allowed under company policy?</p> <p>A simple example</p> <p>Imagine a support agent that can issue refunds.</p> <p>A prompt might say:</p> <p>Only issue refunds when appropriate.</p> <p>That is useful guidance, but it is not enforcement.</p> <p>A better pattern is to check the action before the refund tool executes.</p> <p>For example:</p> <p>Refund under $100: allow<br> Refund between $100 and $500: require approval<br> Refund over $500: block</p> <p>Now the rule is not just hidden inside the prompt.</p> <p>It is enforced before the tool callback runs.</p> <p>What Enforra does</p> <p>I’m building Enforra as an open source SDK for AI agent runtime control.</p> <p>It sits before your tool callbacks and returns a decision before anything executes:</p> <p>allow<br> block<br> require_approval<br> log_only</p> <p>The application still owns the actual tool execution.</p> <p>Enforra does not run your tools remotely.</p> <p>It gives your app a policy decision before the callback is called.</p> <p>Why this matters</p> <p>As agents move into production, teams need more than prompt instructions and logs after the fact.</p> <p>They need clear policy checks around actions that matter.</p> <p>That becomes important when agents can touch money, customer data, internal systems, production infrastructure, or business workflows.</p> <p>The goal is not to make agents less useful.</p> <p>The goal is to make sure useful agents have a clear control point before they do something risky.</p> <p>Open source</p> <p>The initial Enforra SDK is here:</p> <p><a href="https://github.com/enforra/enforra" rel="noopener noreferrer">https://github.com/enforra/enforra</a></p> ai security opensource agents