How to Constrain an AI Agent
A simple guide to setting boundaries so AI agents only do what you want.
Setting Rules for Smart Helpers
An AI agent is a helper that can do things on its own. It can read your email, write code, search the web, or even place an order for you. That's powerful, but it's also a little scary. What if the agent makes a mistake? What if it does something you didn't ask for?
That's where constraints come in. A constraint is a rule that tells the agent what it can and can't do. Think of it like training wheels on a bike. The bike can still move, but it can't tip over too far. Constraints keep the agent on the right path.
Without constraints, an agent is like a brand-new intern with no instructions, no limits, and a credit card. With constraints, that same intern knows exactly what to do, what to avoid, and when to ask for help.
One Mistake Can Cause Big Trouble
Agents are powerful because they can take real actions in the real world. But that power is also the danger. A small mistake can turn into a big problem in seconds. Imagine a coding agent that deletes a whole folder by accident. Or a customer service agent that shares one customer's private info with another. Or a shopping agent that buys 100 items instead of one.
This is why constraints are not optional for serious agents. They are the difference between a helpful tool and a costly mistake. Every company that builds real agents — from small startups to giant tech companies — spends a lot of time thinking about what their agent is allowed to do.
For you, understanding constraints means you can use agents with confidence. You don't have to cross your fingers and hope for the best. You can set the rules ahead of time and trust them to do their job.
💡 Key Insight
A powerful agent without constraints is like handing a stranger your house keys, your wallet, and a list of people you trust. The agent might be friendly, but you wouldn't sleep well at night. Constraints are the locks, alarms, and spending limits that let you actually use that power without worry.
The Three Fences Around an Agent
Most agents are wrapped in three kinds of fences. Each one stops a different kind of mistake.
Action Rules
Tell the agent exactly which actions it can take. "You can read files but you cannot delete them." "You can draft an email but you cannot send it." This is the most common and most important fence.
Scope Limits
Even when the agent is allowed to act, limit where it can act. It can read files in your project folder, but not your whole hard drive. It can use the test database, but not the real customer database.
Output Checks
Before the agent does anything, a separate check looks at what it's about to do. If something looks off — like deleting 10,000 files or sending money to the wrong account — the check stops it.
These fences are checked every time the agent wants to do something. The next section shows what that check process looks like in practice.
A Simple Agent With Built-in Rules
Here's what constraints look like in real code. Imagine you're building a small agent that helps with email. You don't want it to do anything dangerous, so you set the rules right at the start, before the agent ever runs.
# Define what the agent is allowed to do
agent = create_agent(
    name="email-helper",
    # Fence 1: Action rules
    allowed_actions=[
        "read_inbox",
        "draft_reply",
        "search_calendar",
    ],
    blocked_actions=[
        "delete_account",
        "send_money",
        "change_password",
    ],
    # Fence 2: Scope limits
    max_emails_per_hour=10,
    max_cost_per_day=5.00,
    can_access=["work_email", "work_calendar"],
    cannot_access=["bank_account", "personal_email"],
    # Fence 3: Output checks
    require_approval_for=["send_email"],
    log_every_action=True,
)
Now, when the agent tries to do something it shouldn't, the constraints catch it before any damage is done:
❌ BLOCKED: 'send_money' is in blocked_actions.
This action is not allowed for this agent.
If you think this is wrong, ask a human to approve.

# The agent never actually sent any money.
# The constraint stopped it before it could try.
That's the whole idea. The agent stays helpful, but the constraints make sure it can't go off the rails.
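To show how the three fences actually produce a verdict like the one above, here is an added example (not code from the original page, and `create_agent` is not a real library): a small policy checker that evaluates each proposed action against the action rules, the scope limits, and the approval requirement, and logs every attempt whether or not it was stopped. The policy values are the email-helper settings from the page; the rate limit is lowered to 2 per hour in the demo so the limit is visible.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class AgentPolicy:
    """Hypothetical policy object holding the three fences described above."""
    allowed_actions: frozenset          # Fence 1: what the agent may do
    blocked_actions: frozenset          # Fence 1: what it may never do
    can_access: frozenset               # Fence 2: resources it may touch
    max_actions_per_hour: int           # Fence 2: rate limit
    require_approval_for: frozenset     # Fence 3: needs a human sign-off
    log: list = field(default_factory=list)
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def check(self, action: str, resource: str, hour: int) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is ALLOWED, NEEDS_APPROVAL or BLOCKED."""
        if action in self.blocked_actions:
            verdict, reason = "BLOCKED", f"'{action}' is in blocked_actions"
        elif action not in self.allowed_actions | self.require_approval_for:
            # Anything not explicitly listed is denied by default.
            verdict, reason = "BLOCKED", f"'{action}' is not in allowed_actions"
        elif resource not in self.can_access:
            verdict, reason = "BLOCKED", f"'{resource}' is outside the agent's scope"
        elif self.counts[hour] >= self.max_actions_per_hour:
            verdict, reason = "BLOCKED", f"rate limit of {self.max_actions_per_hour}/hour reached"
        elif action in self.require_approval_for:
            verdict, reason = "NEEDS_APPROVAL", f"'{action}' requires a human to approve"
        else:
            verdict, reason = "ALLOWED", "passed all three fences"
            self.counts[hour] += 1  # only executed actions count toward the limit
        # Fence 3: log every attempt, including the ones that were stopped.
        self.log.append((hour, action, resource, verdict))
        return verdict, reason


def email_helper_policy(max_per_hour: int = 10) -> AgentPolicy:
    """Build the email-helper policy from the page's settings."""
    return AgentPolicy(
        allowed_actions=frozenset({"read_inbox", "draft_reply", "search_calendar"}),
        blocked_actions=frozenset({"delete_account", "send_money", "change_password"}),
        can_access=frozenset({"work_email", "work_calendar"}),
        max_actions_per_hour=max_per_hour,
        require_approval_for=frozenset({"send_email"}),
    )


if __name__ == "__main__":
    policy = email_helper_policy(max_per_hour=2)
    # Constructed sequence of requests the agent might make in one hour.
    for action, resource in [("read_inbox", "work_email"), ("send_money", "bank_account"),
                             ("read_inbox", "personal_email"), ("send_email", "work_email"),
                             ("draft_reply", "work_email"), ("draft_reply", "work_email")]:
        print(action, resource, *policy.check(action, resource, hour=0))
```

The deny list is consulted before the allow list, so an action that somehow lands on both is still blocked, and the rate counter only advances for actions that were actually allowed to run.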