AI Operational Guardrails
Overview
Praetorian Guard Platform (PGP) implements defense-in-depth guardrails to ensure AI operates safely, predictably, and within defined boundaries. These controls are enforced in code rather than only in prompts, so an instruction injected into the model's context cannot switch them off; that is what makes them far harder to circumvent than prompt-level rules.
Scope Enforcement
Tool Authorization: The AI assistant can only invoke a pre-defined set of platform operations. Each agent declares its allowed tools, and only whitelisted tools are made available during execution. The AI cannot discover or invoke tools outside its declared set.
Agent Boundaries: When the AI delegates specialized analysis tasks, each sub-task inherits strict authorization policies. A parent agent can only spawn sub-agents from its declared allowed list — validated at runtime before any delegation occurs.
Recursion Limits: Nested AI operations are bounded by hard depth limits, preventing runaway execution chains. This is enforced as a constant in the execution engine, not a configurable parameter that could be overridden.
Iteration Controls: Each AI agent has a configurable maximum number of operations it can perform in a single session, preventing unbounded execution. The default limit ensures the assistant completes focused tasks without open-ended looping.
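The four scope controls above are easiest to see together in code. The block below is an added example, not PGP's own engine: a minimal agent loop in which the tool whitelist, the sub-agent allow list, the hard recursion constant and the per-agent iteration cap are all checked by the executor rather than by the prompt. Every tool name, agent name, limit value and the scripted stand-in for the model is hypothetical.

```python
"""Added example, not the platform's own code: a minimal agent loop that
enforces scope in code. Tool names, sub-agent names, the limit values and
the scripted stand-in for the model are all hypothetical."""
from dataclasses import dataclass, field

MAX_DEPTH = 3                # hard constant in the engine, never read from config (assumed value)
DEFAULT_MAX_ITERATIONS = 10  # per-agent default, overridable per spec (assumed value)


class GuardrailViolation(Exception):
    """An action fell outside the acting agent's declared scope."""


# Global registry of platform operations (constructed stand-ins).
TOOL_REGISTRY = {
    "list_assets": lambda args: ["api.example.com", "db.example.com"],
    "get_risk": lambda args: {"name": args.get("name"), "severity": "high"},
    "run_scan": lambda args: f"scan queued for {args.get('target')}",
}


@dataclass(frozen=True)
class AgentSpec:
    name: str
    allowed_tools: frozenset
    allowed_subagents: frozenset = frozenset()
    max_iterations: int = DEFAULT_MAX_ITERATIONS


@dataclass
class Action:
    kind: str                                  # "tool", "delegate" or "final"
    name: str = ""
    args: dict = field(default_factory=dict)


ASSET_HELPER = AgentSpec("asset_helper", frozenset({"list_assets"}))
TRIAGE = AgentSpec("triage", frozenset({"get_risk"}), frozenset({"asset_helper"}), max_iterations=4)
LOOPER = AgentSpec("looper", frozenset(), frozenset({"looper"}))   # deliberately self-delegating
SUBAGENTS = {"asset_helper": ASSET_HELPER, "looper": LOOPER}      # the only specs delegation resolves to


class ScriptedModel:
    """Stand-in for the LLM: replays a fixed list of actions per agent.
    It is shown only the tool names its agent is allowed to use."""
    def __init__(self, scripts):
        self.scripts = {agent: list(actions) for agent, actions in scripts.items()}

    def __call__(self, agent_name, visible_tools, transcript):
        return self.scripts[agent_name].pop(0)


def run_agent(spec, model, depth=0):
    """Drive `model` under `spec`'s policy. Every check is in code, so no
    prompt content can talk the model past it."""
    if depth > MAX_DEPTH:
        raise GuardrailViolation(f"{spec.name}: depth {depth} exceeds MAX_DEPTH={MAX_DEPTH}")
    # Build the tool table from the whitelist; anything else is simply absent.
    tools = {n: TOOL_REGISTRY[n] for n in spec.allowed_tools if n in TOOL_REGISTRY}
    transcript = []
    for _ in range(spec.max_iterations):
        action = model(spec.name, sorted(tools), transcript)
        if action.kind == "final":
            return action.args.get("result")
        if action.kind == "tool":
            if action.name not in tools:          # re-check: never trust the model's choice
                raise GuardrailViolation(f"{spec.name}: tool {action.name!r} not authorized")
            transcript.append((action.name, tools[action.name](action.args)))
        elif action.kind == "delegate":
            if action.name not in spec.allowed_subagents or action.name not in SUBAGENTS:
                raise GuardrailViolation(f"{spec.name}: may not delegate to {action.name!r}")
            child = SUBAGENTS[action.name]
            transcript.append((f"delegate:{action.name}", run_agent(child, model, depth + 1)))
        else:
            raise GuardrailViolation(f"{spec.name}: unknown action kind {action.kind!r}")
    raise GuardrailViolation(f"{spec.name}: exceeded max_iterations={spec.max_iterations}")


def violation_of(spec, model):
    """Run the agent and return the guardrail message, or None if it completed."""
    try:
        run_agent(spec, model)
    except GuardrailViolation as e:
        return str(e)
    return None


if __name__ == "__main__":
    model = ScriptedModel({
        "triage": [Action("delegate", "asset_helper"),
                   Action("tool", "get_risk", {"name": "weak-tls"}),
                   Action("final", args={"result": "triage complete"})],
        "asset_helper": [Action("tool", "list_assets"),
                         Action("final", args={"result": "2 assets"})],
    })
    print(run_agent(TRIAGE, model))
    print(violation_of(LOOPER, lambda agent, tools, tr: Action("delegate", "looper")))
```

Note the two layers for tools: the model is only shown the whitelisted names, and the executor still rejects any name outside the table, so a model that hallucinates `run_scan` gets a `GuardrailViolation` rather than a scan. The depth limit is a module constant on purpose; making it a per-agent field would reintroduce the override the page rules out.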
Structured Output Enforcement
Schema Validation: AI responses that carry structured data, such as risk assessments, asset classifications, and query results, are validated against strict JSON schemas before delivery. Invalid or malformed outputs are sent back for correction through a retry mechanism rather than delivered as-is, so consumers receive well-formed data.
Query Field Validation: AI-initiated database queries are validated against a comprehensive field whitelist containing over 200 authorized fields. The AI cannot reference unauthorized or non-existent data fields, preventing both errors and unintended data access.
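To make both validation steps concrete, here is an added example (not PGP's code) covering the two preceding paragraphs: a schema check with a bounded retry that feeds the validation errors back to the model, and a query validator that rejects any field or operator outside a whitelist. The schema, the retry budget, the seven-field whitelist (a stand-in for the page's 200+ authorized fields) and the scripted model are all assumed for illustration.

```python
"""Added example, not the platform's own code: schema-validated model output
with a bounded, fail-closed retry, plus whitelist validation of AI-built
queries. Schema, retry budget, field list and the stand-in model are assumed."""
import json

RISK_SCHEMA = {
    "type": "object",
    "required": ["name", "severity", "affected_assets"],
    "properties": {
        "name": {"type": "string"},
        "severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]},
        "affected_assets": {"type": "array", "items": {"type": "string"}},
    },
}
MAX_RETRIES = 2   # assumed; bounded so a misbehaving model cannot loop forever
_TYPES = {"object": dict, "array": list, "string": str, "number": (int, float), "boolean": bool}


def schema_errors(schema, value, path="$"):
    """Minimal JSON-Schema subset checker (type/required/properties/enum/items).
    Returns a list of error strings; an empty list means the value is valid."""
    errs = []
    t = schema.get("type")
    if t:
        ok = isinstance(value, _TYPES[t]) and not (t == "number" and isinstance(value, bool))
        if not ok:
            return [f"{path}: expected {t}"]
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: {value!r} not in {schema['enum']}")
    if t == "object":
        for key in schema.get("required", []):
            if key not in value:
                errs.append(f"{path}.{key}: required")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errs.extend(schema_errors(sub, value[key], f"{path}.{key}"))
    if t == "array":
        for i, item in enumerate(value):
            errs.extend(schema_errors(schema.get("items", {}), item, f"{path}[{i}]"))
    return errs


def structured_output(model, schema, prompt, max_retries=MAX_RETRIES):
    """Ask `model` for JSON, validate it, and hand the errors back for a
    bounded number of retries. Raises instead of returning bad data."""
    feedback = ""
    for _ in range(max_retries + 1):
        raw = model(prompt + feedback)
        try:
            data = json.loads(raw)
            errs = schema_errors(schema, data)
        except json.JSONDecodeError as e:
            errs = [f"not valid JSON: {e.msg}"]
        if not errs:
            return data
        feedback = "\nFix these problems and reply with JSON only: " + "; ".join(errs)
    raise ValueError(f"schema validation failed after {max_retries} retries: {errs}")


def output_rejection(model, schema, prompt):
    """Return the rejection message, or None when validation eventually passed."""
    try:
        structured_output(model, schema, prompt)
    except ValueError as e:
        return str(e)
    return None


class FlakyModel:
    """Stand-in LLM: the first reply has an invalid severity and a missing key,
    the retry (prompted with the error list) is valid."""
    def __init__(self):
        self.calls = 0

    def __call__(self, prompt):
        self.calls += 1
        if self.calls == 1:
            return '{"name": "Weak TLS", "severity": "urgent"}'
        return '{"name": "Weak TLS", "severity": "medium", "affected_assets": ["www.example.com"]}'


# Constructed stand-in for the platform's whitelist of queryable fields.
QUERY_FIELDS = frozenset({"key", "dns", "name", "status", "severity", "source", "updated"})
OPERATORS = frozenset({"eq", "neq", "contains", "gt", "lt"})


def validate_query(query):
    """query = {"filters": [{"field", "op", "value"}, ...], "fields": [...]}.
    Every referenced field must be whitelisted, so the model can neither
    probe columns it should not see nor trigger errors on non-existent ones."""
    for f in query.get("filters", []):
        if f.get("field") not in QUERY_FIELDS:
            raise PermissionError(f"field {f.get('field')!r} is not queryable")
        if f.get("op") not in OPERATORS:
            raise ValueError(f"operator {f.get('op')!r} not allowed")
    bad = [f for f in query.get("fields", []) if f not in QUERY_FIELDS]
    if bad:
        raise PermissionError(f"unauthorized projection field(s): {bad}")
    return query


def query_rejection(query):
    """Return the rejection message, or None if the query is acceptable."""
    try:
        validate_query(query)
    except (PermissionError, ValueError) as e:
        return str(e)
    return None
```

The retry loop passes the exact validation errors back to the model, which is what makes the retry useful rather than a blind re-roll; the budget is fixed so a model that never converges produces a hard failure, not an endless loop or a half-valid object. The query validator checks projection fields as well as filter fields, since a read of an unauthorized column is a data exposure even when no filter touches it.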
Rate Controls and Resource Protection
Execution Timeouts: Every AI operation is subject to strict time limits, ensuring the system remains responsive and cannot be tied up by a single request. For the local agent tool loop, tool execution uses a 15-second hard timeout per tool invocation so a single tool cannot block the assistant indefinitely.
Response Size Limits: AI-generated outputs are bounded to prevent excessive data exposure in a single response. Oversized responses are automatically truncated with clear indicators. Tool responses returned into the agent loop are capped at 200 KB per tool result so large command output cannot flood context or downstream storage.
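The timeout and size cap from the two preceding paragraphs are shown together in the following added example, which is not PGP's tool runner. It executes a tool as a subprocess so the 15-second limit is enforced by killing the child rather than by asking it politely, and it truncates the result to 200 KB on a UTF-8 boundary with a visible marker. The figures are the page's; the `python_tool` helper and the sample commands are constructed for the demonstration.

```python
"""Added example, not the platform's own code: run a tool under a hard
per-invocation timeout and cap what is returned into the agent loop.
The 15 s and 200 KB figures are from the page; the helpers are constructed."""
import subprocess
import sys

TOOL_TIMEOUT_SECONDS = 15
TOOL_RESULT_CAP_BYTES = 200 * 1024
TRUNCATION_MARKER = "\n[... output truncated at {cap} bytes; {total} bytes total ...]"


def cap_output(text, cap=TOOL_RESULT_CAP_BYTES):
    """Cut on a UTF-8 byte boundary and append a marker so the model sees
    that the result is incomplete instead of silently short."""
    data = text.encode("utf-8")
    if len(data) <= cap:
        return text
    head = data[:cap].decode("utf-8", errors="ignore")   # drop a split multibyte char
    return head + TRUNCATION_MARKER.format(cap=cap, total=len(data))


def run_tool(cmd, timeout=TOOL_TIMEOUT_SECONDS, cap=TOOL_RESULT_CAP_BYTES):
    """Run `cmd` (argv list) as a subprocess. subprocess.run kills the child
    on timeout, so a hung tool cannot block the loop. Returns (status, text)
    with status in {"ok", "error", "timeout"}; text is always capped."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", f"tool exceeded {timeout}s hard timeout and was killed"
    except OSError as e:
        return "error", f"could not start tool: {e}"
    out = proc.stdout if proc.returncode == 0 else proc.stdout + proc.stderr
    return ("ok" if proc.returncode == 0 else "error"), cap_output(out, cap)


def python_tool(code):
    """Constructed stand-in tool: a short Python snippet run by the current interpreter."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    print(run_tool(python_tool("print('ok')")))
    status, text = run_tool(python_tool("print('x' * 300000)"))
    print(status, len(text.encode()), text[-60:])
    print(run_tool(python_tool("import time; time.sleep(30)"), timeout=1))
```

One caveat a practitioner will want: `subprocess.run` with `capture_output=True` reads the whole output before the cap is applied, so a tool that writes gigabytes still costs memory before truncation. A production runner would stream the pipe and stop reading once the cap is reached, keeping the same marker.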
Capability Rate Limiting: AI-initiated security scanning operations are subject to configurable rate limits, protecting your infrastructure from excessive scan activity.
Graceful Cancellation: Long-running AI operations support clean cancellation, ensuring the platform remains responsive and resources are released promptly.
Automatic Recovery: AI operations include automatic recovery from unexpected failures, ensuring platform stability even under abnormal conditions.
Domain Deny Lists
PGP maintains curated deny lists that prevent AI-initiated scanning or analysis against protected domains. These safeguards ensure that automated security operations — whether initiated by a human operator or the AI assistant — respect organizational and contractual boundaries.
Implementation note: The same patterns are enforced at job enqueue for all scanning work (not only AI paths), using regular-expression rules over the target model key. Historically this has included partner-sensitive namespaces (for example Barclays and Nielsen-related host patterns), ZoomInfo, Opterrix, Praetorian-owned domains (so customer automation does not scan Praetorian infrastructure by default), and similar entries. Demo accounts may carry narrow exemptions for specific patterns (for example Praetorian zones) so training environments remain usable without relaxing production tenant policy.
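The enqueue-time check described in the implementation note is shown in the following added example, which is not PGP's code and does not reproduce its real deny list. It assumes a hypothetical key format (`#asset#<dns>#<name>`), three constructed rules (a Praetorian-owned domain, a made-up partner namespace and a vendor domain) and a demo tenant exempted from exactly one rule. The point it demonstrates is the anchoring of each regular expression on key separators and label boundaries, so that subdomains are caught while look-alike names are not.

```python
"""Added example, not the platform's own code: an enqueue-time deny list
implemented as regular-expression rules over a target key, with narrow
per-account exemptions. The key format ("#asset#<dns>#<name>"), the rules,
the account names and the reasons are hypothetical stand-ins."""
import re

# (pattern, reason). Each pattern is anchored on a key separator ('#') or a
# label boundary ('.') so that "scanner.praetorian.com" matches but
# "praetorian.com.example.org" and "notpraetorian.com" do not.
GLOBAL_DENY_RULES = [
    (r"(^|[#.])praetorian\.com(#|$)", "Praetorian-owned infrastructure"),
    (r"(^|[#.])partner-sensitive\.example(#|$)", "partner-sensitive namespace"),
    (r"(^|[#.])zoominfo\.com(#|$)", "contractually protected vendor"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), p, why) for p, why in GLOBAL_DENY_RULES]

# Exemptions are keyed by the exact pattern string: a demo tenant is released
# from one named rule and nothing else, so production policy is untouched.
ACCOUNT_EXEMPTIONS = {
    "demo-tenant": {r"(^|[#.])praetorian\.com(#|$)"},
}


def deny_reason(target_key, account):
    """Return the reason the target is protected for this account, or None."""
    exempt = ACCOUNT_EXEMPTIONS.get(account, set())
    for rx, pattern, why in COMPILED_RULES:
        if pattern in exempt:
            continue
        if rx.search(target_key):
            return why
    return None


def enqueue_job(queue, account, target_key, capability):
    """Gate every scanning job, whether a human or the AI requested it.
    Returns the queue length after the append; raises if denied."""
    why = deny_reason(target_key, account)
    if why:
        raise PermissionError(f"refusing {capability} against {target_key}: {why}")
    queue.append({"account": account, "target": target_key, "capability": capability})
    return len(queue)


def try_enqueue(queue, account, target_key, capability):
    """Return the refusal message, or None if the job was queued."""
    try:
        enqueue_job(queue, account, target_key, capability)
    except PermissionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    q = []
    print(try_enqueue(q, "acme", "#asset#www.example.com#www.example.com", "portscan"))
    print(try_enqueue(q, "acme", "#asset#scanner.praetorian.com#10.0.0.1", "portscan"))
    print(try_enqueue(q, "demo-tenant", "#asset#praetorian.com#praetorian.com", "portscan"))
    print(try_enqueue(q, "demo-tenant", "#asset#zoominfo.com#zoominfo.com", "portscan"))
```

Two details matter in practice. First, the match is done against the stored key, not against whatever the model or user typed, so case and formatting tricks in the request do not help; the `IGNORECASE` flag covers mixed-case hostnames in the key itself. Second, an unanchored pattern such as `praetorian\.com` would also block `praetorian.com.example.org`, a customer-owned name, which is why each rule carries its boundary groups.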
For administrator-configurable per-account capability blocks (exact capability name lists merged with global policy), see Scanning Policy: Protected Domains and Blocked Capabilities.
Human-in-the-Loop Controls
Critical security decisions require human authorization. The AI assistant must confirm with the operator before executing active scans or offensive security capabilities. This ensures that consequential actions always have explicit human approval.