My question: in a real production environment, what’s your enforcement point that the agent cannot bypass? Like, what actually guarantees the tool call isn’t executed unless it passes policy?
Some specific things I’m curious about:
Are you enforcing permissions inside each tool wrapper, at a gateway/proxy, or via centralized policy service?
How do you handle identity + authorization when agents act on behalf of users?
Do you log decisions separately from execution logs (so you can answer “why was this allowed?” later)?
How do you roll out enforcement safely (audit-only/shadow mode -> enforcement)?
What failure modes hurt most like policy bugs, agent hallucinations, prompt injection, or tool misuse?
Would love to hear how people are doing this in practice (platform/security/infra teams especially)