following up on a discussion from earlier
a pattern that keeps showing up in real systems:
most control happens after execution
- retries
- state checks
- monitoring
- idempotency patches
but the actual decision to execute is often implicit
if the agent can call the tool, the action runs
in most other systems we separate:
- capability (can call)
- authority (allowed to execute)
agents usually collapse those into one
so the question becomes:
where should the actual allow/deny decision live?
- inside the agent loop?
- inside tool wrappers?
- as a centralized policy layer?
- somewhere else entirely?
or are we all still letting the agent decide and patching things after the fact?
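An added example, not part of the original post: a sketch of the centralized-policy option, where a gateway between the agent loop and the tools keeps capability (tool is registered) separate from authority (a rule allows this specific call), with default deny and an audit record for every decision. The `Gateway` class, the tool names and the refund rule are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any, Callable

Rule = Callable[[dict, dict], bool]  # (args, ctx) -> allowed?

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

@dataclass
class Gateway:
    """Holds tools (capability) and rules (authority) as separate tables."""
    tools: dict[str, Callable[..., Any]] = field(default_factory=dict)
    rules: dict[str, Rule] = field(default_factory=dict)
    audit: list[tuple[str, dict, Decision]] = field(default_factory=list)

    def decide(self, tool: str, args: dict, ctx: dict) -> Decision:
        if tool not in self.tools:
            return Decision(False, "no capability: tool not registered")
        rule = self.rules.get(tool)
        if rule is None:  # callable tool, but nothing grants authority
            return Decision(False, "no authority: default deny")
        if not rule(args, ctx):
            return Decision(False, "no authority: rule rejected this call")
        return Decision(True, "allowed by rule")

    def call(self, tool: str, args: dict, ctx: dict) -> Any:
        # ctx is supplied by the host application, never by the model output.
        decision = self.decide(tool, args, ctx)
        self.audit.append((tool, args, decision))  # log allows and denies
        if not decision.allow:
            raise PermissionError(f"{tool}: {decision.reason}")
        return self.tools[tool](**args)

# Constructed sample tools and policy (hypothetical).
def refund(order_id: str, amount: float) -> str:
    return f"refunded {amount:.2f} on {order_id}"

def delete_account(user_id: str) -> str:
    return f"deleted {user_id}"

def build_gateway() -> Gateway:
    gw = Gateway()
    gw.tools = {"refund": refund, "delete_account": delete_account}
    # Authority depends on the arguments and on context the agent cannot set.
    gw.rules = {"refund": lambda a, c: a.get("amount", float("inf")) <= 50
                and c.get("ticket_verified") is True}
    return gw
```

Here `delete_account` is callable in principle but never runs, because no rule grants it authority; the decision is made before execution rather than patched afterwards.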