| Primary question | Should this agent action be allowed, warned, blocked, or approved by a human? | Did the model output or plan violate a model-facing rule? |
| Decision path | Deterministic policy checks plus evidence, receipts, and audit events. | Prompt, classifier, LLM-as-judge, or runtime instruction. |
| Best security boundary | Tool calls, scopes, payments, signer isolation, receipt integrity, and deployment approval. | Content safety, style, refusal behavior, and model-level instruction following. |
| Audit artifact | Signed security receipt with subject hash, policy hash, evidence hash, scanner version, and issuer. | Trace, model response, classifier score, or prompt log. |
| Failure mode | Fail closed on critical findings, missing evidence, or invalid receipt. | May be bypassed by prompt injection, tool-result poisoning, or stochastic judgment. |
| Production role | Approval layer before agents touch real systems. | Helpful model behavior layer inside the agent runtime. |