WritingBooksAboutCommunityContactCommunity

Environment Boundaries and Constraints: Building Safe AI Agent Systems

Michael BrenndoerferJuly 17, 202518 min read

Learn how to define what your AI agent can and cannot do through access controls, action policies, rate limits, and scope boundaries. Master the art of balancing agent capability with security and trust.

Environment Boundaries and Constraints

In the previous sections, we explored how our assistant perceives its environment and takes actions within it. But here's a crucial question: should your agent have unlimited access to everything? Can it read any file, call any API, or execute any command?

The answer, of course, is no. Just as you wouldn't give a new employee access to every system on day one, your AI agent needs clearly defined boundaries. These constraints aren't limitations in a negative sense. They're protective guardrails that make your agent safer, more predictable, and easier to trust.

Let's explore how to define what your agent can and cannot do, and why these boundaries matter for building reliable AI systems.

Why Boundaries Matter

Think about a physical assistant working in your office. You might give them access to your calendar and email, but probably not your bank account or medical records. You'd want them to schedule meetings, but not delete important files. These natural boundaries exist because they match the assistant's role and minimize risk.

Your AI agent needs the same kind of thoughtful constraints. Without them, several problems can emerge:

Accidental damage: An agent trying to "help" by cleaning up files might delete something important. We've all seen overzealous automation go wrong. Clear boundaries prevent these well-intentioned mistakes.

Security risks: If your agent can access sensitive data, what happens if someone tricks it through prompt injection? Or if it logs information it shouldn't? Limiting access reduces the blast radius of any security issue.

Unpredictable behavior: When an agent has too many options, its decision-making becomes harder to reason about. Constraints actually make behavior more predictable by reducing the possibility space.

User trust: People are more comfortable with agents that have clear, limited permissions. "This agent can read your calendar and send emails" is much easier to trust than "This agent can do anything on your computer."

Let's see how to implement these boundaries in practice.

Types of Environment Constraints

When designing your agent's environment, you'll typically work with several categories of constraints. Each serves a different purpose in keeping your agent safe and effective.

Access Constraints

Access constraints define what data and resources your agent can reach. These are your first line of defense.

For our personal assistant, you might specify:

  • Read access: Calendar events, contact list, recent emails
  • Write access: Calendar events, draft emails (but not sent emails)
  • No access: File system, browser history, system settings

Here's how you might implement this in code:

In[3]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for its superior reasoning about permissions

class AgentEnvironment:
    def __init__(self, allowed_resources):
        self.allowed_resources = set(allowed_resources)
        self.access_log = []
    
    def check_access(self, resource_type, operation):
        """Verify if the agent can perform this operation"""
        permission = f"{resource_type}:{operation}"
        
        if permission in self.allowed_resources:
            self.access_log.append({
                "resource": resource_type,
                "operation": operation,
                "allowed": True
            })
            return True
        else:
            self.access_log.append({
                "resource": resource_type,
                "operation": operation,
                "allowed": False
            })
            return False

## Set up environment with specific permissions
env = AgentEnvironment(allowed_resources=[
    "calendar:read",
    "calendar:write",
    "email:read",
    "email:draft"  # Note: not email:send
])

## Agent tries to access calendar
if env.check_access("calendar", "write"):
    print("Agent can modify calendar")

## Agent tries to send email
if not env.check_access("email", "send"):
    print("Agent cannot send emails without approval")
Out[3]:
Console
Agent can modify calendar
Agent cannot send emails without approval

This simple permission system ensures your agent can only touch what you've explicitly allowed. Notice how we separate read and write operations. This granularity matters because reading data is generally safer than modifying it.

Action Constraints

Beyond what your agent can access, you need to control what actions it can take. Some operations are inherently more risky than others.

Consider these action tiers:

Safe actions (can happen automatically):

  • Reading information
  • Generating text or summaries
  • Performing calculations
  • Searching within allowed data

Moderate actions (might need confirmation):

  • Creating calendar events
  • Drafting emails
  • Saving notes or files
  • Making API calls to external services

High-risk actions (always need confirmation):

  • Sending emails or messages
  • Deleting data
  • Making purchases
  • Changing system settings

Here's how you might implement action constraints:

In[6]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for its ability to reason about action safety

class ActionPolicy:
    def __init__(self):
        self.safe_actions = {"read", "search", "calculate", "summarize"}
        self.confirm_actions = {"create", "draft", "save"}
        self.restricted_actions = {"send", "delete", "purchase"}
    
    def requires_confirmation(self, action):
        """Check if this action needs user approval"""
        if action in self.safe_actions:
            return False
        elif action in self.confirm_actions:
            return "optional"  # Could be configured per user
        elif action in self.restricted_actions:
            return True
        else:
            return True  # Unknown actions require confirmation by default

policy = ActionPolicy()

## Agent wants to send an email
action = "send"
if policy.requires_confirmation(action):
    print(f"Action '{action}' requires user confirmation")
    # In a real system, you'd prompt the user here
    user_approved = input("Approve this action? (yes/no): ")
    if user_approved.lower() == "yes":
        print("Proceeding with send...")
    else:
        print("Action cancelled")

Notice the three-tier system. This gives you flexibility. A power user might configure their agent to automatically create calendar events, while a cautious user might want to review every action.

Rate and Resource Constraints

Even for allowed actions, you might want to limit how often or how much your agent can do something. This prevents runaway behavior and controls costs.

In[4]:
Code
## Example (GPT-5)
## Using GPT-5 for this straightforward rate limiting example

from datetime import datetime, timedelta

class RateLimiter:
    def __init__(self, max_calls, time_window):
        self.max_calls = max_calls
        self.time_window = time_window  # in seconds
        self.calls = []
    
    def can_proceed(self, action):
        """Check if we're within rate limits"""
        now = datetime.now()
        
        # Remove old calls outside the time window
        cutoff = now - timedelta(seconds=self.time_window)
        self.calls = [call for call in self.calls if call > cutoff]
        
        # Check if we're under the limit
        if len(self.calls) < self.max_calls:
            self.calls.append(now)
            return True
        else:
            return False

## Limit API calls to 10 per minute
api_limiter = RateLimiter(max_calls=10, time_window=60)

## Agent tries to make an API call
if api_limiter.can_proceed("api_call"):
    print("Making API call...")
else:
    print("Rate limit exceeded. Please wait.")
Out[4]:
Console
Making API call...

Rate limiting is especially important for actions that cost money (like API calls) or could annoy users (like sending notifications). It's a safety net that prevents your agent from going haywire.

Scope Constraints: Defining the Sandbox

Beyond individual permissions, you can define broader scope constraints that limit where your agent operates. Think of this as creating a sandbox for your agent to play in.

File System Boundaries

If your agent needs file access, restrict it to specific directories:

In[5]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for its careful reasoning about file system safety

import os
from pathlib import Path

class FileSystemBoundary:
    def __init__(self, allowed_paths):
        # Convert to absolute paths and normalize
        self.allowed_paths = [
            Path(p).resolve() for p in allowed_paths
        ]
    
    def is_allowed(self, file_path):
        """Check if a file path is within allowed boundaries"""
        try:
            file_path = Path(file_path).resolve()
            
            # Check if the path is under any allowed directory
            for allowed in self.allowed_paths:
                try:
                    file_path.relative_to(allowed)
                    return True
                except ValueError:
                    continue
            
            return False
        except Exception:
            return False

## Agent can only access files in these directories
fs_boundary = FileSystemBoundary(allowed_paths=[
    "/home/user/documents/agent_workspace",
    "/home/user/notes"
])

## Test some paths
test_paths = [
    "/home/user/documents/agent_workspace/data.txt",  # Allowed
    "/home/user/notes/meeting.txt",  # Allowed
    "/home/user/.ssh/id_rsa",  # Not allowed
    "/etc/passwd"  # Definitely not allowed
]

for path in test_paths:
    allowed = fs_boundary.is_allowed(path)
    print(f"{path}: {'✓ Allowed' if allowed else '✗ Blocked'}")
Out[5]:
Console
/home/user/documents/agent_workspace/data.txt: ✓ Allowed
/home/user/notes/meeting.txt: ✓ Allowed
/home/user/.ssh/id_rsa: ✗ Blocked
/etc/passwd: ✗ Blocked

This prevents your agent from accidentally (or maliciously) accessing sensitive files. Notice how we use resolve() to handle symbolic links and relative paths. Security boundaries need to be airtight.

Network Boundaries

Similarly, you might restrict which external services your agent can contact:

In[6]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for security-conscious network boundary logic

from urllib.parse import urlparse

class NetworkBoundary:
    def __init__(self, allowed_domains, blocked_domains=None):
        self.allowed_domains = set(allowed_domains)
        self.blocked_domains = set(blocked_domains or [])
    
    def can_access(self, url):
        """Check if the agent can access this URL"""
        try:
            domain = urlparse(url).netloc
            
            # Check blocklist first
            if domain in self.blocked_domains:
                return False
            
            # Check allowlist
            if self.allowed_domains:
                return domain in self.allowed_domains
            
            # If no allowlist, allow by default (except blocked)
            return True
            
        except Exception:
            return False

## Agent can only access specific APIs
net_boundary = NetworkBoundary(
    allowed_domains=[
        "api.weather.com",
        "api.calendar.google.com",
        "api.openai.com"
    ],
    blocked_domains=[
        "malicious-site.com"
    ]
)

## Test some URLs
if net_boundary.can_access("https://api.weather.com/forecast"):
    print("✓ Can fetch weather data")

if not net_boundary.can_access("https://random-website.com"):
    print("✗ Cannot access arbitrary websites")
Out[6]:
Console
✓ Can fetch weather data
✗ Cannot access arbitrary websites

Network boundaries are crucial for preventing data leakage and ensuring your agent only communicates with trusted services.

Training vs. Production Environments

As you develop your agent, you'll work in different environments with different constraints. Understanding this distinction helps you test safely and deploy confidently.

Training and Testing Environments

When you're developing and testing your agent, you want an environment that:

  • Mimics production but uses fake or sanitized data
  • Allows experimentation without real consequences
  • Provides detailed logging for debugging
  • Can be reset easily when things go wrong

Here's a simple way to distinguish environments:

In[7]:
Code
## Example (GPT-5)
## Using GPT-5 for this straightforward environment configuration

import os

class EnvironmentConfig:
    def __init__(self, mode="development"):
        self.mode = mode
        self.setup_environment()
    
    def setup_environment(self):
        """Configure based on environment mode"""
        if self.mode == "development":
            self.database = "test_db"
            self.api_calls_enabled = False
            self.require_confirmations = False
            self.verbose_logging = True
            self.use_real_data = False
            
        elif self.mode == "staging":
            self.database = "staging_db"
            self.api_calls_enabled = True
            self.require_confirmations = True
            self.verbose_logging = True
            self.use_real_data = False
            
        elif self.mode == "production":
            self.database = "prod_db"
            self.api_calls_enabled = True
            self.require_confirmations = True
            self.verbose_logging = False
            self.use_real_data = True
    
    def can_perform_action(self, action):
        """Check if action is allowed in this environment"""
        if self.mode == "development":
            # In development, log but allow most things
            print(f"[DEV] Would perform: {action}")
            return True
        else:
            # In production, actually check permissions
            return self.check_real_permissions(action)

## Initialize for development
config = EnvironmentConfig(mode="development")

print(f"Running in {config.mode} mode")
print(f"Using database: {config.database}")
print(f"Real API calls: {config.api_calls_enabled}")
Out[7]:
Console
Running in development mode
Using database: test_db
Real API calls: False

In development mode, your agent might print what it would do instead of actually doing it. This lets you test logic without consequences. When you move to production, those same actions become real.

Production Constraints

Production environments need stricter boundaries:

In[8]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for production-grade safety logic

class ProductionEnvironment:
    def __init__(self):
        self.safety_checks_enabled = True
        self.audit_logging = True
        self.rate_limits = {
            "email": {"max": 50, "window": 3600},  # 50 per hour
            "api_call": {"max": 1000, "window": 3600},
            "file_write": {"max": 100, "window": 3600}
        }
    
    def execute_action(self, action_type, action_data):
        """Execute an action with production safety checks"""
        
        # Check rate limits
        if not self.check_rate_limit(action_type):
            return {
                "success": False,
                "error": "Rate limit exceeded"
            }
        
        # Perform safety checks
        if self.safety_checks_enabled:
            safety_result = self.run_safety_checks(action_type, action_data)
            if not safety_result["safe"]:
                self.log_security_event(action_type, safety_result)
                return {
                    "success": False,
                    "error": f"Safety check failed: {safety_result['reason']}"
                }
        
        # Log for audit
        if self.audit_logging:
            self.log_action(action_type, action_data)
        
        # Execute the actual action
        result = self.perform_action(action_type, action_data)
        return result
    
    def run_safety_checks(self, action_type, action_data):
        """Run safety checks before executing"""
        # Check for suspicious patterns
        if action_type == "email" and "urgent" in str(action_data).lower():
            # Might be a phishing attempt
            return {"safe": False, "reason": "Suspicious email content"}
        
        # Add more checks as needed
        return {"safe": True}
    
    def log_action(self, action_type, action_data):
        """Log actions for audit trail"""
        # In a real system, this would write to a secure log
        print(f"[AUDIT] {action_type}: {action_data}")
    
    def check_rate_limit(self, action_type):
        """Check if action is within rate limits"""
        # Simplified for example
        return True
    
    def perform_action(self, action_type, action_data):
        """Actually perform the action"""
        return {"success": True, "message": "Action completed"}
    
    def log_security_event(self, action_type, details):
        """Log security events for review"""
        print(f"[SECURITY] Blocked {action_type}: {details['reason']}")

## Production environment with full safety checks
prod_env = ProductionEnvironment()

## Try to execute an action
result = prod_env.execute_action(
    "email",
    {"to": "user@example.com", "subject": "Meeting notes"}
)
print(result)
Out[8]:
Console
[AUDIT] email: {'to': 'user@example.com', 'subject': 'Meeting notes'}
{'success': True, 'message': 'Action completed'}

Notice how production adds layers of protection: rate limiting, safety checks, audit logging. These aren't needed in development, but they're essential when real users and real data are involved.

Implementing a Complete Boundary System

Let's bring everything together into a cohesive boundary system for our personal assistant. This combines all the constraint types we've discussed:

In[9]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for its ability to reason about complex permission systems

class AgentBoundarySystem:
    def __init__(self, config):
        self.access_policy = config.get("access_policy", {})
        self.action_policy = config.get("action_policy", {})
        self.rate_limiters = config.get("rate_limiters", {})
        self.scope_boundaries = config.get("scope_boundaries", {})
        self.environment_mode = config.get("environment", "production")
    
    def can_execute(self, action_request):
        """
        Check if an action can be executed given all constraints.
        Returns (allowed, reason) tuple.
        """
        action_type = action_request["type"]
        resource = action_request.get("resource")
        
        # Check access permissions
        if not self.check_access_permission(resource, action_type):
            return False, "Access denied: insufficient permissions"
        
        # Check action policy
        if self.requires_confirmation(action_type):
            if not action_request.get("user_confirmed"):
                return False, "Action requires user confirmation"
        
        # Check rate limits
        if not self.check_rate_limit(action_type):
            return False, "Rate limit exceeded"
        
        # Check scope boundaries
        if not self.within_scope(action_request):
            return False, "Action outside allowed scope"
        
        return True, "Action allowed"
    
    def check_access_permission(self, resource, action):
        """Check if we have permission for this resource/action combo"""
        if resource not in self.access_policy:
            return False
        return action in self.access_policy[resource]
    
    def requires_confirmation(self, action_type):
        """Check if action needs user confirmation"""
        return self.action_policy.get(action_type, {}).get("confirm", False)
    
    def check_rate_limit(self, action_type):
        """Check rate limits for this action type"""
        if action_type in self.rate_limiters:
            return self.rate_limiters[action_type].can_proceed(action_type)
        return True
    
    def within_scope(self, action_request):
        """Check if action is within allowed scope"""
        # Check file system boundaries
        if "file_path" in action_request:
            fs_boundary = self.scope_boundaries.get("filesystem")
            if fs_boundary and not fs_boundary.is_allowed(action_request["file_path"]):
                return False
        
        # Check network boundaries
        if "url" in action_request:
            net_boundary = self.scope_boundaries.get("network")
            if net_boundary and not net_boundary.can_access(action_request["url"]):
                return False
        
        return True

## Configure the boundary system
config = {
    "access_policy": {
        "calendar": ["read", "write"],
        "email": ["read", "draft"],
        "contacts": ["read"]
    },
    "action_policy": {
        "send": {"confirm": True},
        "delete": {"confirm": True},
        "read": {"confirm": False}
    },
    "rate_limiters": {
        "email": RateLimiter(max_calls=50, time_window=3600)
    },
    "scope_boundaries": {
        "filesystem": FileSystemBoundary(["/home/user/agent_workspace"]),
        "network": NetworkBoundary(["api.weather.com", "api.calendar.google.com"])
    },
    "environment": "production"
}

boundary_system = AgentBoundarySystem(config)

## Test various actions
test_actions = [
    {
        "type": "read",
        "resource": "calendar",
        "description": "Read calendar events"
    },
    {
        "type": "send",
        "resource": "email",
        "description": "Send email",
        "user_confirmed": False
    },
    {
        "type": "write",
        "resource": "calendar",
        "description": "Create calendar event"
    }
]

for action in test_actions:
    allowed, reason = boundary_system.can_execute(action)
    status = "✓ Allowed" if allowed else "✗ Blocked"
    print(f"{status}: {action['description']} - {reason}")
Out[9]:
Console
✓ Allowed: Read calendar events - Action allowed
✗ Blocked: Send email - Access denied: insufficient permissions
✓ Allowed: Create calendar event - Action allowed

This complete system checks every aspect of an action before allowing it. It's comprehensive but still readable and maintainable.

Practical Considerations

When implementing boundaries for your agent, keep these principles in mind:

Start restrictive, then relax: It's easier to grant new permissions than to revoke them. Begin with tight constraints and loosen them as you gain confidence in your agent's behavior.

Make boundaries visible: Users should know what your agent can and cannot do. Don't hide limitations. Instead, communicate them clearly: "I can read your calendar but I'll ask before creating events."

Log boundary violations: When your agent tries to do something it can't, log it. These logs reveal where your constraints might be too tight or where your agent's logic needs improvement.

Test boundaries explicitly: Write tests that verify your agent respects its boundaries. Try to make it access forbidden resources or exceed rate limits. Your boundary system should catch these attempts.

Consider context: Some boundaries might change based on context. Your agent might have more permissions during work hours than at night, or more access when you're actively interacting with it than when it's running autonomously.

Here's a simple context-aware boundary system:

In[10]:
Code
## Example (Claude Sonnet 4.5)
## Using Claude Sonnet 4.5 for context-aware permission logic

from datetime import datetime

class ContextAwareBoundaries:
    def __init__(self, base_permissions):
        self.base_permissions = base_permissions
    
    def get_permissions(self, context):
        """Get permissions based on current context"""
        permissions = self.base_permissions.copy()
        
        # More permissions during work hours
        if self.is_work_hours():
            permissions["email"].append("send")
            permissions["calendar"].append("delete")
        
        # More permissions when user is actively present
        if context.get("user_present"):
            permissions["files"] = ["read", "write"]
        
        return permissions
    
    def is_work_hours(self):
        """Check if it's currently work hours"""
        now = datetime.now()
        return 9 <= now.hour < 17 and now.weekday() < 5

## Base permissions (always available)
base_perms = {
    "calendar": ["read"],
    "email": ["read", "draft"],
    "contacts": ["read"]
}

boundaries = ContextAwareBoundaries(base_perms)

## Get permissions for current context
context = {"user_present": True}
current_permissions = boundaries.get_permissions(context)

print("Current permissions:", current_permissions)
Out[10]:
Console
Current permissions: {'calendar': ['read'], 'email': ['read', 'draft'], 'contacts': ['read'], 'files': ['read', 'write']}

Context-aware boundaries make your agent more flexible while maintaining safety. The agent has more freedom when it makes sense (during work hours, when you're present) and less when risks are higher.

Balancing Safety and Capability

The art of setting boundaries is finding the right balance. Too restrictive, and your agent can't help effectively. Too permissive, and you risk security issues or unpredictable behavior.

Here are some guidelines for finding that balance:

Match boundaries to use cases: If your agent's job is to manage your calendar, it needs write access to calendars. But it probably doesn't need to access your file system. Let the agent's purpose guide your constraints.

Layer your defenses: Don't rely on a single boundary. Combine access controls, action policies, rate limits, and scope boundaries. If one layer fails, others provide backup protection.

Make risky actions reversible: When possible, design your system so mistakes can be undone. Draft emails instead of sending them immediately. Create calendar events that can be easily deleted. This gives you a safety net.

Provide escape hatches: Sometimes your agent needs to do something outside its normal boundaries. Provide a way for users to grant temporary elevated permissions for specific tasks, with clear warnings about the risks.

Review and adjust: Your boundaries aren't set in stone. As you learn how your agent behaves in practice, refine the constraints. Maybe some restrictions are too tight. Maybe others need to be stricter.

Summary

Environment boundaries and constraints are how you make your AI agent safe, predictable, and trustworthy. They define what your agent can access, what actions it can take, and where it can operate.

We've covered several types of constraints:

Access constraints limit what data and resources your agent can reach. You control read and write permissions separately, giving your agent only the access it needs for its job.

Action constraints govern what your agent can do. Safe actions happen automatically, while risky actions require confirmation. This prevents accidents and gives users control over high-stakes operations.

Rate and resource constraints prevent runaway behavior by limiting how often your agent can perform certain actions. This controls costs and prevents your agent from overwhelming external services.

Scope constraints define the sandbox where your agent operates. File system and network boundaries ensure your agent only touches approved resources.

Environment-specific constraints differ between development and production. Testing environments allow experimentation with fake data, while production environments enforce strict safety checks and audit logging.

The key is finding the right balance. Start with tight constraints and relax them as you gain confidence. Make boundaries visible to users. Log violations to understand where constraints might need adjustment. And always layer your defenses so no single failure compromises security.

With well-designed boundaries, your agent becomes something users can trust. They know what it can do, what it can't do, and that it will ask before taking risky actions. This trust is essential for building agents that people actually want to use.

In the next chapter, we'll explore how agents can plan complex, multi-step tasks. Planning requires reasoning about sequences of actions, and those actions will all respect the boundaries we've established here. The constraints we've built become the safe foundation on which more sophisticated agent behaviors can operate.

Glossary

Access Constraint: A rule that limits what data or resources an agent can read or modify. Access constraints typically distinguish between read and write permissions for different resource types.

Action Policy: A set of rules defining which actions an agent can perform automatically and which require user confirmation. Actions are typically categorized by risk level.

Audit Logging: The practice of recording all significant agent actions for later review. Audit logs help with debugging, security monitoring, and compliance.

Boundary System: The complete set of constraints and permissions that define what an agent can and cannot do in its environment. A boundary system combines access controls, action policies, rate limits, and scope restrictions.

Context-Aware Permissions: Permissions that change based on the current situation, such as time of day, user presence, or the specific task being performed. Context awareness allows more flexible security.

Production Environment: The real-world setting where an agent operates with actual user data and real consequences. Production environments require stricter safety checks than development environments.

Rate Limiting: A constraint that limits how often an agent can perform certain actions within a time window. Rate limiting prevents runaway behavior and controls costs.

Scope Boundary: A constraint that defines where an agent can operate, such as which directories it can access or which network domains it can contact. Scope boundaries create a sandbox for agent operations.

Training Environment: A safe setting for developing and testing an agent, typically using fake or sanitized data. Training environments allow experimentation without real-world consequences.

Quiz

Ready to test your understanding? Take this quick quiz to reinforce what you've learned about environment boundaries and constraints for AI agents.

Loading component...

Reference

BIBTEXAcademic
@misc{environmentboundariesandconstraintsbuildingsafeaiagentsystems, author = {Michael Brenndoerfer}, title = {Environment Boundaries and Constraints: Building Safe AI Agent Systems}, year = {2025}, url = {https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents}, organization = {mbrenndoerfer.com}, note = {Accessed: 2025-12-25} }
APAAcademic
Michael Brenndoerfer (2025). Environment Boundaries and Constraints: Building Safe AI Agent Systems. Retrieved from https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents
MLAAcademic
Michael Brenndoerfer. "Environment Boundaries and Constraints: Building Safe AI Agent Systems." 2025. Web. 12/25/2025. <https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents>.
CHICAGOAcademic
Michael Brenndoerfer. "Environment Boundaries and Constraints: Building Safe AI Agent Systems." Accessed 12/25/2025. https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents.
HARVARDAcademic
Michael Brenndoerfer (2025) 'Environment Boundaries and Constraints: Building Safe AI Agent Systems'. Available at: https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents (Accessed: 12/25/2025).
SimpleBasic
Michael Brenndoerfer (2025). Environment Boundaries and Constraints: Building Safe AI Agent Systems. https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents
Direct link:
https://mbrenndoerfer.com/writing/environment-boundaries-constraints-ai-agents