Agentic AI Safety: 7 Essential Guardrails
Pat Stanard, Distinguished Engineer and chief mainframe architect for Kyndryl US, shares the most important safety measures for AI agents in the enterprise
Meet agentic AI. It doesn’t just talk. It acts. And that can be scary!
Agentic AI agents can schedule meetings, query databases, start workflows, modify infrastructure and—if unchecked—accidentally do the digital equivalent of mailing the CEO’s tax return to the entire internet. Not good, and exactly why guardrails are so important in the world of agentic AI.
Traditional AI safety was about words. Agentic AI safety is about actions. And once your AI agent is active, you need guardrails—real ones, not duct tape and a terms of service agreement.
So, let’s talk about the most important agentic AI guardrails, in plain English, with just enough humor to keep things interesting and enough seriousness to keep auditors happy.
Why Agentic AI Changes Everything
As I present to our customers on this topic, I always tell them how this will change everything, and yes, on the mainframe. Classic generative AI is like a very confident new hire who only writes emails. Because they are new, they still need guidance, but their power and access are limited.
Agentic AI, by contrast, is like an intern who:
- Has admin access
- Knows how to call APIs
- Can deploy code
- Never sleeps
- And really wants to finish the task (it’s been coded to do so!)
That can be powerful, but also dangerous.
Industry guidance sources and enterprise security leaders all emphasize the same thing: prompt filters are not enough. Once AI crosses into autonomy, safety must move from the prompt to the execution layer. Think of the Terminator—no prompt filter ever stopped him.
Guardrail No. 1: Identity—AI Needs a Name Badge
The first rule of agentic AI: Your agents must have identities that are easily recognizable.
Not “generic‑service‑account‑123.” Not “admin‑bot.” Not Hal. You get my point.
Each agent needs:
- A unique, non‑human identity
- Clear role-based or attribute-based permissions
- Minimum access level needed to operate
- Clear and simple entitlements
Remember, if access exists, an agent will eventually use it. Not maliciously, just enthusiastically. And enthusiasm plus admin rights is how outages are born.
Guardrail No. 2: Tool Control—Just Because You Can Doesn’t Mean You Should
Agents don’t just think; they use tools. MCP servers expose their own tools, which let agents talk to systems and to one another, just like two humans would.
Agents can use APIs, databases, ticketing systems, cloud consoles, financial systems … you name it.
Guardrails here mean:
- Explicit allow‑lists of approved tools
- Parameter validation for tool calls
- Version‑pinned tools
- Blocking uncontrolled tool chaining
Without this, hallucinations evolve from “wrong answer” to “wrong system call,” which is far more exciting than anyone wants at 2 a.m. And I remember getting woken up when I was a developer. Not fun.
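To make the four bullets above concrete, here is an added example (my own illustration, not code from the author or from Kyndryl) of a tool-control check that runs before every tool call: an explicit allow-list, a per-agent entitlement table (the "minimum access level" point from Guardrail No. 1), pinned versions, parameter validation and a cap on chaining depth. The tool names, versions, parameter schemas and agent identities are constructed for the example.

```python
"""Tool-control guardrail: allow-list, version pinning, parameter validation
and a cap on uncontrolled tool chaining, checked before every tool call.
Added example; the registry, tool names, schemas and agent identities are
constructed here and are not from any real product."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class ToolSpec:
    name: str
    version: str              # the only version an agent may call
    params: dict              # param name -> (python type, validator or None)
    max_chain_depth: int = 2  # how many tools may be chained from this one


# Constructed allow-list: anything not listed here is refused outright.
ALLOWED_TOOLS = {
    "ticket.create": ToolSpec(
        name="ticket.create", version="1.4.0",
        params={"title": (str, lambda s: 0 < len(s) <= 120),
                "priority": (str, lambda p: p in {"low", "medium", "high"})}),
    "db.query": ToolSpec(
        name="db.query", version="2.0.1",
        # crude shape check (single SELECT statement); the real guarantee is
        # still a read-only database role for the agent's identity
        params={"sql": (str, lambda q: re.match(r"^\s*SELECT\b", q, re.I) is not None
                                  and ";" not in q)},
        max_chain_depth=1),
}

# Constructed per-agent entitlements: which allow-listed tools each identity may use.
AGENT_TOOL_GRANTS = {
    "agent-helpdesk-triage": {"ticket.create"},
    "agent-reporting": {"db.query"},
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    violations: list = field(default_factory=list)


def check_tool_call(agent_id, tool, version, args, chain_depth=0):
    """Return a Verdict for one proposed tool call. Every check is deterministic
    and runs before the tool executes, so a hallucinated call never reaches a system."""
    spec = ALLOWED_TOOLS.get(tool)
    if spec is None:
        return Verdict(False, f"tool {tool!r} is not on the allow-list")
    if tool not in AGENT_TOOL_GRANTS.get(agent_id, set()):
        return Verdict(False, f"{agent_id} is not entitled to {tool!r}")
    if version != spec.version:
        return Verdict(False, f"{tool} version {version} is not the pinned {spec.version}")
    if chain_depth > spec.max_chain_depth:
        return Verdict(False, f"chain depth {chain_depth} exceeds limit {spec.max_chain_depth}")
    violations = []
    for name in args:
        if name not in spec.params:
            violations.append(f"unexpected parameter {name!r}")
    for name, (ptype, validator) in spec.params.items():
        if name not in args:
            violations.append(f"missing parameter {name!r}")
        elif not isinstance(args[name], ptype):
            violations.append(f"{name!r} must be {ptype.__name__}")
        elif validator is not None and not validator(args[name]):
            violations.append(f"{name!r} failed validation")
    if violations:
        return Verdict(False, "parameter validation failed", violations)
    return Verdict(True, "ok")
```

The point of the design is that the agent never sees the registry as "advice"; the check sits in the execution path, and a refused call simply does not happen.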
Guardrail No. 3: Humans Still Sign the Big Checks
Autonomy is great, until it isn’t. Every credible framework agrees—some actions must remain human‑approved, including:
- Financial transactions
- Production infrastructure changes
- Access to regulated or sensitive data
- Customer-impacting decisions
Think of this as the “Are you sure?” step, except enforced by policy, not vibes. Humans aren’t there to slow things down; they’re there to cap the blast radius. It is always a requirement to have a HIL (human in the loop).
Guardrail No. 4: Runtime Enforcement Beats Prompt Politeness
Prompt rules are like speed limit signs. Runtime enforcement is the highway patrol.
Agentic AI operates across multiple steps and systems, so safety checks must happen:
- Before each tool call
- During execution
- Not just at input/output
- In each environment
This means deterministic policy engines that can block, pause, escalate or stop actions while they’re happening, not after the damage is done. It is like one application checking another.
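The policy engine described here, together with the human-approved action classes from Guardrail No. 3, as an added Python example that is not part of the original article and not a Kyndryl product. The rules, dollar thresholds, environment names and tool names are constructed; the real tool is a callable that runs only when the decision is ALLOW, and escalated actions are parked in a queue until a named human approves them.

```python
"""Runtime enforcement guardrail: a deterministic policy engine that evaluates
every proposed agent action before it executes and returns ALLOW, DENY or
ESCALATE (park the action until a named human approves it).
Added example; action categories, thresholds and approvers are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"  # human in the loop must sign off first


@dataclass(frozen=True)
class Action:
    agent_id: str
    tool: str
    environment: str                        # "dev", "staging", "prod"
    data_classes: frozenset = frozenset()   # e.g. {"PII", "PHI"}
    amount_usd: float = 0.0                 # non-zero for financial transactions


# Constructed policy: an ordered list of (predicate, decision, reason).
# The first matching rule wins. Hard denials sit first, then the classes the
# article says must stay human-approved; anything unmatched is allowed.
POLICY = [
    (lambda a: a.tool == "shell.exec", Decision.DENY, "raw shell is never permitted"),
    (lambda a: a.amount_usd > 10_000, Decision.DENY, "payment above hard ceiling"),
    (lambda a: a.environment == "prod" and a.tool.startswith("infra."),
     Decision.ESCALATE, "production infrastructure change"),
    (lambda a: a.amount_usd > 0, Decision.ESCALATE, "financial transaction"),
    (lambda a: a.data_classes & {"PII", "PHI", "PCI"},
     Decision.ESCALATE, "regulated data access"),
    (lambda a: a.tool.startswith("customer."),
     Decision.ESCALATE, "customer-impacting decision"),
]


def evaluate(action):
    """Return (Decision, reason). Deterministic: same action, same answer."""
    for predicate, decision, reason in POLICY:
        if predicate(action):
            return decision, reason
    return Decision.ALLOW, "no restricting rule matched"


@dataclass
class ApprovalQueue:
    """Parked actions waiting for a human; nothing here runs until approved."""
    pending: dict = field(default_factory=dict)
    next_ticket: int = 0

    def park(self, action, reason):
        ticket = self.next_ticket
        self.next_ticket += 1
        self.pending[ticket] = (action, reason)
        return ticket

    def approve(self, ticket, approver):
        """Release one parked action; the approver's name travels with it."""
        action, reason = self.pending.pop(ticket)
        return {"action": action, "reason": reason, "approved_by": approver}


def gate(action, queue, execute):
    """Wrap a tool execution in the policy check. `execute` is the real tool
    callable; it is invoked only when the decision is ALLOW."""
    decision, reason = evaluate(action)
    if decision is Decision.ALLOW:
        return {"status": "executed", "result": execute(action), "reason": reason}
    if decision is Decision.ESCALATE:
        ticket = queue.park(action, reason)
        return {"status": "pending_human_approval", "ticket": ticket, "reason": reason}
    return {"status": "denied", "reason": reason}
```

Because `gate` wraps the tool call itself, the check happens before each tool call and in each environment, not just at input or output time. Note that `evaluate` has no access to the prompt: it judges the action, which is the whole point of moving safety to the execution layer.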
Guardrail No. 5: Data Is the Real Crown Jewel
According to enterprise risk leaders, data—not models—is the biggest AI risk surface. Agents move data fast and quietly. They do what they are programmed to do.
Guardrails must include:
- Data‑level authorization (not just system‑level; think pervasive encryption)
- Context-aware handling of PII / PCI / PHI (protect that data)
- Scoped retrieval for retrieval augmented generation (RAG) pipelines, since RAG:
  - Retrieves data from many sources
  - Analyzes and plans how to use the data
  - Provides governance, validation and refinement
- Output inspection for sensitive leakage (a must do)
Every prompt, attachment and retrieval is a potential data exfiltration event if left unchecked.
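Two of the bullets above, scoped retrieval for a RAG pipeline and output inspection for sensitive leakage, as an added Python example that is my own illustration and not code from the author or from Kyndryl. The document store, classification labels, agent entitlements and the sample output text are all constructed; the card detector uses the standard Luhn check so a random 16-digit reference number is not flagged.

```python
"""Data guardrails: scoped retrieval for a RAG pipeline (an agent only sees
documents its entitlement covers) and output inspection that redacts
sensitive values before the agent's answer leaves the boundary.
Added example; the corpus, labels and entitlements are constructed."""
import re

# Constructed document store: each chunk carries a data classification label.
CORPUS = [
    {"id": "kb-101", "label": "public",   "text": "Password resets go through the self-service portal."},
    {"id": "hr-7",   "label": "PII",      "text": "Employee 4417: jane.doe@example.com, SSN 123-45-6789."},
    {"id": "fin-3",  "label": "PCI",      "text": "Refund issued to card 4111 1111 1111 1111."},
    {"id": "kb-102", "label": "internal", "text": "The batch window on the mainframe closes at 02:00."},
]

# Constructed entitlements: the labels each agent identity may retrieve.
RETRIEVAL_SCOPE = {
    "agent-helpdesk": {"public", "internal"},
    "agent-hr": {"public", "internal", "PII"},
}


def scoped_retrieve(agent_id, query):
    """Filter by entitlement *before* ranking, so out-of-scope text never
    enters the agent's context window. Ranking here is a plain keyword count."""
    allowed = RETRIEVAL_SCOPE.get(agent_id, set())
    terms = {t.lower() for t in re.findall(r"\w+", query)}
    hits = []
    for doc in CORPUS:
        if doc["label"] not in allowed:
            continue
        score = sum(1 for t in terms if t in doc["text"].lower())
        if score:
            hits.append((score, doc["id"]))
    return [doc_id for _, doc_id in sorted(hits, reverse=True)]


def _luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Detector patterns; the card pattern is confirmed with the Luhn check.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}


def inspect_output(text):
    """Return (redacted_text, findings). Findings record the detector and the
    original span so the audit log knows what was stopped, not just that
    something was."""
    findings = []

    def redact(kind):
        def _sub(m):
            value = m.group(0)
            if kind == "card" and not _luhn_ok(re.sub(r"\D", "", value)):
                return value  # digits, but not a card number: leave it alone
            findings.append((kind, value))
            return f"[REDACTED {kind.upper()}]"
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(redact(kind), text)
    return text, findings
```

The retrieval filter runs before ranking on purpose: if you rank first and filter afterwards, the out-of-scope chunks have already been read by your pipeline, and a bug in the later filter leaks them. The output inspector is the last line, not the only one.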
Guardrail No. 6: Observability—You Can’t Govern Ghosts
If your agent does something weird and you can’t answer “What did it touch, why, and on whose authority?”, you have an agent governance problem that must be understood.
Real guardrails require:
- End‑to‑end tracing of agent decision chains; every chain must always be tracked
- Logged tool calls with before/after context, showing specific actions and commands
- Audit trails tied to identity and data
- Replay ability for investigations
This kind of vigilance is table stakes for compliance, trust and sleep. You don’t need that 2 a.m. wakeup call—ever!
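The four observability requirements above, as an added Python example (my own illustration, not the author's or Kyndryl's code): an append-only audit trail of tool calls that carries the agent identity, the human or ticket whose authority it acted on, a trace id tying one decision chain together, the before and after state, and a SHA-256 hash chain so that an altered or removed record is detected. The `replay` helper answers the "what did it touch, why, and on whose authority" question. Agent names, tools and states are constructed.

```python
"""Observability guardrail: an append-only, hash-chained audit trail of agent
tool calls carrying identity, inputs and before/after state, plus a replay
helper for investigations. Added example; the agent, tools and states are
constructed, and the chain uses SHA-256 from the standard library."""
import hashlib
import json
from dataclasses import dataclass, field, asdict


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    agent_id: str
    on_behalf_of: str   # the human or change ticket that authorised this run
    trace_id: str       # ties every step of one decision chain together
    tool: str
    args: dict
    before: dict        # state observed before the call
    after: dict         # state observed after the call
    prev_hash: str
    hash: str = ""


def _digest(payload):
    """Canonical JSON (sorted keys) hashed with SHA-256."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditTrail:
    records: list = field(default_factory=list)

    def record(self, agent_id, on_behalf_of, trace_id, tool, args, before, after):
        """Append one tool call; each record commits to the hash of the previous one."""
        prev = self.records[-1].hash if self.records else "0" * 64
        body = {"seq": len(self.records), "agent_id": agent_id, "on_behalf_of": on_behalf_of,
                "trace_id": trace_id, "tool": tool, "args": args,
                "before": before, "after": after, "prev_hash": prev}
        rec = AuditRecord(**body, hash=_digest(body))
        self.records.append(rec)
        return rec

    def verify(self):
        """True only if no record has been altered, reordered or removed."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = asdict(rec)
            body.pop("hash")
            if rec.seq != i or rec.prev_hash != prev or _digest(body) != rec.hash:
                return False
            prev = rec.hash
        return True

    def replay(self, trace_id):
        """Reconstruct what one decision chain touched, in order, with the
        state change each step produced: the what, why and on whose authority."""
        steps = []
        for rec in self.records:
            if rec.trace_id != trace_id:
                continue
            changed = {k: (rec.before.get(k), rec.after.get(k))
                       for k in set(rec.before) | set(rec.after)
                       if rec.before.get(k) != rec.after.get(k)}
            steps.append({"tool": rec.tool, "by": rec.agent_id,
                          "authority": rec.on_behalf_of, "changed": changed})
        return steps
```

In production the trail would be written to append-only storage outside the agent's own reach; the hash chain tells you it was tampered with, it does not stop an agent with write access to the log from trying.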
Guardrail No. 7: Safety Brakes and Kill Switches
Agents operate at machine speed. Humans do not.
Every production agent needs:
- Rate, step and spend limits
- Circuit breakers
- Emergency stop mechanisms
- A manager
Again, the agent is checked against limits that humans set.
Because when things go wrong, they go wrong fast, and fast automation without brakes is just chaos in a nicer UI. Think of the clock speed of a z17 processor. That can cause a lot of damage quickly. Don’t even get me started on quantum computers.
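The brakes listed above, as an added Python example that is my own illustration and not the author's or Kyndryl's code: per-task step and spend limits, a per-minute rate limit, a circuit breaker that opens after repeated tool failures, and a kill switch a human can flip at any time. The budget numbers are constructed, and the clock is injected so the behaviour is deterministic.

```python
"""Safety-brake guardrail: per-agent step, spend and rate limits, a circuit
breaker that opens after repeated tool failures, and a kill switch a human
can flip at any time. Added example; the budget numbers are constructed and
the clock is injected so the behaviour is deterministic."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Budget:
    max_steps: int = 25              # tool calls per task
    max_spend_usd: float = 5.0       # model + API spend per task
    max_calls_per_minute: int = 10
    failure_threshold: int = 3       # consecutive failures that open the breaker
    cooldown_s: float = 60.0         # how long the breaker stays open


class AgentStopped(Exception):
    """Raised when a brake engages; the caller must not retry blindly."""


@dataclass
class SafetyBrakes:
    budget: Budget
    now: Callable[[], float]         # injected clock, returns seconds
    killed: bool = False             # the kill switch, flipped by a human
    stopped_by: str = ""
    steps: int = 0
    spent_usd: float = 0.0
    call_times: list = field(default_factory=list)
    consecutive_failures: int = 0
    breaker_open_until: float = 0.0

    def kill(self, who):
        """Emergency stop: every later call is refused until a human resets it."""
        self.killed = True
        self.stopped_by = who

    def run(self, tool_name, cost_usd, call):
        """Execute `call()` only if every brake permits it; record the outcome."""
        t = self.now()
        if self.killed:
            raise AgentStopped(f"kill switch engaged by {self.stopped_by}")
        if t < self.breaker_open_until:
            raise AgentStopped("circuit breaker open")
        if self.steps >= self.budget.max_steps:
            raise AgentStopped("step limit reached")
        if self.spent_usd + cost_usd > self.budget.max_spend_usd:
            raise AgentStopped("spend limit reached")
        # sliding one-minute window for the rate limit
        self.call_times = [c for c in self.call_times if t - c < 60]
        if len(self.call_times) >= self.budget.max_calls_per_minute:
            raise AgentStopped("rate limit reached")
        self.call_times.append(t)
        self.steps += 1
        self.spent_usd += cost_usd
        try:
            result = call()
        except Exception as exc:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.budget.failure_threshold:
                self.breaker_open_until = t + self.budget.cooldown_s
            raise AgentStopped(f"{tool_name} failed: {exc}") from exc
        self.consecutive_failures = 0
        return result
```

The limits are enforced by the wrapper, not by asking the model to count its own steps; an agent that "really wants to finish the task" will talk itself past a soft limit, but it cannot talk its way past a counter it does not control.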
Final Thought: Autonomy Requires Adulthood
The most successful organizations know that agentic AI is not a toy. They’re not asking: “How autonomous can we make this agent?” They’re asking instead: “How safely can we make this agent act?”
During my customer presentations, I almost always get questions about guardrails. I explain that with the right guardrails, agentic AI becomes a force multiplier—because ultimately, to make the most of your agents, you need to give them limits.