The 60-second version
When you paste "never trade more than $200" into your agent’s instructions, you haven’t created a rule. You’ve created text that usually influences the model’s behavior. Usually. The gap between "usually" and "always" is where accounts get drained — through prompt injection, through ordinary model error, and through plain context loss on long sessions.
Security engineering solved this category of problem decades ago, and the solution was never "ask the untrusted component more firmly." It’s: move the decision outside the thing you can’t trust. That’s the difference between a guardrail and a firewall — and you want both, doing different jobs.
What a prompt guardrail actually is
It’s worth being precise, because the failure follows from the mechanism. An LLM doesn’t store your rules in some protected registry and consult them before acting. Your guardrail is tokens in a context window, weighed against every other token in that window — the system prompt, the conversation, the tool outputs, the news article the agent just fetched. The model’s next action is a probabilistic function of all of it.
That means your $200 cap competes for influence with everything else the model reads. On a calm day, it wins easily. The interesting question is what happens on the other days.
The three ways instructions lose
1. Injection — someone else is writing to the same channel
The model reads your guardrails and the attacker’s content through the same channel, with no hardware separation between "instructions" and "data." A poisoned headline, a crafted ticker description, a manipulated tool response — each is text with a vote on the model’s next action. OWASP ranks prompt injection as the top LLM application risk for exactly this reason, and the attack-surface piece catalogs how it reaches trading agents specifically. The uncomfortable part: the better your model is at following instructions, the better it follows injected ones.
2. Plain error — no attacker required
The agent misparses a price, confuses share count with dollar value, or retries a "failed" order that actually filled — five times. No adversary, no exotic attack, just a probabilistic system having a bad day at machine speed. Prompt guardrails are especially weak here because the model doesn’t know it’s making a mistake — it believes it’s complying while it violates your cap. You can’t instruct your way out of a failure the model can’t perceive. This mundane mode, not injection, is behind most real "my agent made a bad trade" stories.
3. Context loss — your rules age out
Long sessions get summarized, compacted, or truncated to fit the context window. Your guardrails were at the top of a conversation that has since been compressed; the summary kept the trading plan and dropped the constraint, or kept a paraphrase ("be careful with position sizes") that no longer says $200. The agent didn’t rebel — it genuinely no longer has the rule. Anyone who has watched a long agent session slowly forget its setup instructions has seen this mode.
The principle: separate the decision from the doer
In access-control architecture there’s a standard split: the component that wants to act, the policy decision point that decides if the action is allowed, and the policy enforcement point that makes the decision stick. The cardinal rule is that the decision and enforcement points must sit outside the trust boundary of the requester — otherwise you don’t have access control, you have a suggestion box.
Prompt guardrails put all three roles inside the model. The model wants to trade, the model evaluates whether the trade is allowed, the model enforces its own conclusion. Every failure mode above is a consequence of that collapse.
You already trust this principle everywhere else. Your OS doesn’t ask processes to please respect file permissions — the kernel checks. Your network doesn’t ask packets to be well-intentioned — the firewall filters. A hardware wallet doesn’t ask the malware-ridden laptop to be honest — the transaction halts until a human presses a physical button. In every case the enforcement lives in a component the untrusted party cannot rewrite, no matter what it believes or has been told.
What enforcement looks like for a trading agent
Concretely: a process that sits in the tool path between agent and broker, holds the credentials so the agent has no direct route to the account, and checks every order against a machine-readable policy — caps, allowlists, hours, a circuit breaker, an approval gate — with arithmetic, not language. That’s the Agent Firewall. Replay the three failure modes against it:
- Injection: the poisoned headline convinces the agent completely. The agent attempts the trade.
ticker not on allowlist → blocked. The model’s beliefs were compromised; the policy wasn’t, because the policy was never in the model. - Error: the agent confuses shares with dollars and submits a $5,000 order.
per_trade cap → blocked, and the retry loop hits the circuit breaker on attempt six. - Context loss: the session forgot your rules hours ago. Irrelevant — the rules were never only in the session.
Keep the prompt guardrails anyway
This isn’t "prompts are useless." Defense-in-depth assigns each layer the job it’s actually good at. Prompt guardrails shape intent — they make the agent try reasonable things, explain its reasoning, ask before acting, stay on strategy. Enforcement bounds outcomes when intent fails. The Safety Kit config remains the right first move: it’s free, it works today, and it makes the agent cooperative in the 99% case. The firewall exists for the 1% where cooperation breaks — which, with real money, is the only case that matters.
A useful way to hold the distinction: prompt guardrails lower the probability of a bad action; enforcement caps the cost of one. Risk is the product of both. Working on probability alone leaves the tail unbounded — and the tail is your account.
Two ways to act on this
First: the human version of this skill — recognizing when an agent is being manipulated — is testable, and it’s the foundation the whole defense stack sits on. Try the Agentic AI Security scenarios and see how you score. Second: the enforcement layer itself. The Agent Firewall beta opens to the waitlist first, with founding pricing locked for life. Join the waitlist →