AI Agent Security: 7 Guardrails Every Production Agent Needs
Autonomous agents are powerful — and dangerous without proper guardrails. Here are the 7 security patterns that separate demos from production-ready agents.
DevForge Team
AI Development Educators
The Gap Between Demo and Production
An agent that works in a demo is not an agent ready for production. Demo agents run on happy paths with forgiving inputs. Production agents face adversarial users, unexpected edge cases, runaway loops, and sensitive data.
The difference between a demo and a production agent is guardrails.
Here are the 7 patterns professional AI engineers implement before shipping any autonomous agent.
Guardrail 1: Max Iterations (Hard Cap)
Every agent needs a hard cap on the number of reasoning/action cycles it can perform. Without one, a confused agent can loop indefinitely, burning tokens and money.
async function runAgent(goal, tools) {
const MAX_ITERATIONS = 15;
let iteration = 0;
while (iteration < MAX_ITERATIONS) {
iteration++;
// agent loop
}
return { success: false, error: "Max iterations exceeded", iterations: iteration };
}Set it to 10–20 for most tasks. Log every time you hit the cap — frequent cap-outs indicate a flawed prompt or stuck agent.
Guardrail 2: Stuck Detection
Max iterations catches infinite loops eventually. Stuck detection catches them immediately.
function isStuck(recentToolCalls, windowSize = 3) {
if (recentToolCalls.length < windowSize) return false;
const recent = recentToolCalls.slice(-windowSize);
const firstCall = JSON.stringify(recent[0]);
return recent.every(call => JSON.stringify(call) === firstCall);
}If the last 3 tool calls are identical in name and input, the agent is stuck and should be terminated.
Guardrail 3: Path Guards (Prevent File System Abuse)
Agents that can read and write files need explicit boundaries. Without path guards, a prompt injection could trick your agent into reading .env files or SSH keys.
const BLOCKED_PATTERNS = [/\.env/i, /secrets/i, /credentials/i, /\.ssh/i, /node_modules/];
const WORKSPACE_ROOT = path.resolve("./workspace");
function validatePath(filePath) {
if (BLOCKED_PATTERNS.some(p => p.test(filePath))) {
throw new Error("Access denied: " + filePath + " matches a blocked pattern");
}
const resolved = path.resolve(filePath);
if (!resolved.startsWith(WORKSPACE_ROOT)) {
throw new Error("Access denied: path traversal attempt blocked");
}
return resolved;
}Path traversal attacks (../../etc/passwd) are the most common attack vector for file-system-enabled agents.
Guardrail 4: Rate Limiting Per Tool
Rate limiting prevents runaway agents from exhausting external API quotas or hammering databases.
class ToolRateLimiter {
constructor() {
this.calls = new Map();
this.limits = {
search_web: { maxCalls: 10, windowMs: 60_000 },
run_query: { maxCalls: 30, windowMs: 60_000 },
send_email: { maxCalls: 3, windowMs: 60_000 },
default: { maxCalls: 50, windowMs: 60_000 },
};
}
check(toolName) {
const now = Date.now();
const limit = this.limits[toolName] || this.limits.default;
const recent = (this.calls.get(toolName) || []).filter(t => now - t < limit.windowMs);
if (recent.length >= limit.maxCalls) {
throw new Error("Rate limit exceeded for " + toolName);
}
this.calls.set(toolName, [...recent, now]);
}
}Guardrail 5: Human-in-the-Loop (HITL) for Destructive Actions
Some actions are irreversible: deleting files, sending emails, deploying to production. These should always require human approval.
const ALWAYS_REQUIRE_APPROVAL = ["delete_file", "drop_table", "send_email", "deploy"];
async function executeWithApproval(toolName, input, approvalCallback) {
if (ALWAYS_REQUIRE_APPROVAL.includes(toolName)) {
const approved = await approvalCallback({ tool: toolName, input });
if (!approved) return "Action cancelled by user.";
}
return await executeTool(toolName, input);
}The agent cannot proceed without an explicit human decision.
Guardrail 6: Audit Logging
You can't debug what you can't see. Every tool call should be logged with enough context to reconstruct exactly what the agent did.
function logToolCall(toolName, input, result) {
const sanitized = { ...input };
["password", "token", "secret", "key"].forEach(k => {
if (sanitized[k]) sanitized[k] = "[REDACTED]";
});
auditLog.push({
timestamp: new Date().toISOString(),
tool: toolName,
input: sanitized,
result: String(result).slice(0, 500),
});
}Never log raw credentials or full sensitive outputs. Always sanitize before writing.
Guardrail 7: Output Sanitization
Agents can accidentally leak sensitive information in their final outputs — API keys read from config files, PII from database contents.
const SENSITIVE_PATTERNS = [
/sk-[a-zA-Z0-9]{20,}/g,
/sk-ant-[a-zA-Z0-9-]+/g,
/Bearer [a-zA-Z0-9._-]+/g,
];
function sanitizeOutput(text) {
return SENSITIVE_PATTERNS.reduce((t, pattern) => t.replace(pattern, "[REDACTED]"), text);
}Apply this to every agent response before returning to the user.
The Security Mindset
Treat your agent like an untrusted third party. Even if the LLM is well-behaved, prompt injection, edge cases, and bugs can cause unexpected behavior. Your guardrails are the last line of defense.
Defense in depth means all 7 guardrails working together — no single guardrail is sufficient on its own.
The Agentic AI Developer Certification covers all of these patterns with hands-on implementation exercises, including building a complete guardrail system from scratch.