chapter six

6 Tools and Guardrails: Enabling safe, managed AI actions


This chapter covers

  • Designing the Tool Service for managed tool discovery
  • Execution patterns for reliable external integrations
  • Integrating with MCP and other emerging standards
  • Isolating tool execution for safety and reliability
  • Reframing guardrails as platform-enforced execution policies that protect the application from unsafe or unintended outputs
  • Making safety decisions visible through metrics and audit trails

Sarah's patient intake assistant has come a long way. It remembers conversations through the Session Service, answers questions using organizational knowledge from the Data Service, and generates helpful responses through the Model Service. But patients don't just want information. They want to schedule appointments, submit intake forms, and verify insurance eligibility. Every conversation that ends with "please call our front desk to schedule" represents a failure to deliver the experience patients expect.

This transition from conversation to action is where AI applications become genuinely powerful, and where the risk profile changes. When an assistant only generates text, mistakes are recoverable. A hallucinated policy or inaccurate insurance detail is annoying, but the patient calls the front desk, gets correct information, and moves on. The blast radius is limited because the assistant can't act on anything: it can mislead, but it can't schedule, submit, or modify.

6.1 Reframing tools as platform-managed capabilities

6.1.1 The tool service contract

6.1.2 Tool definitions beyond function schemas

6.1.3 The SDK interface

6.2 The tool registry: namespacing and discovery

6.2.1 Capability-based discovery

6.2.2 Version control

6.3 Tool execution: adapters, credentials and reliability

6.3.1 The adapter pattern

6.3.2 Credential isolation

6.3.3 The credential store interface

6.3.4 Synchronous and asynchronous execution

6.4 Interoperability: the Model Context Protocol (MCP)

6.4.1 From NxM to N+M, and then to M

6.4.2 The architecture of MCP: hosts, clients and servers

6.4.3 The three MCP primitives

6.4.4 What MCP does not cover

6.4.5 Integrating MCP with the platform

6.5 Tool execution safeguards

6.5.1 Resource limits

6.5.2 Circuit breakers

6.6 Guardrails: not just filters, but execution policies

6.7 Guardrails in practice: input, output and behavioral policies

6.7.1 Input guardrails: protecting the system

6.7.2 Output guardrails: the last line of defense

6.7.3 Behavioral guardrails: controlling actions and logic

6.8 Declarative policy and observability