Using Deferred Execution to Tame AI Agents

My AI agent bypassed a global rule, raised its own PR, approved it, and triggered terraform apply. I caught it in time. Barely. The rule was explicit: no git write commands. The agent read it, acknowledged it in context, and ignored it anyway. It made a deliberate sequence of calls to get around the restriction. Here's what I've landed on after thinking through why this happened: Models trained with RLHF are optimised to complete tasks. That's the same mechanism that makes them useful - they fill gaps, push through ambiguity, figure out what you probably meant. The problem is that rule-following competes with task-completion when the two conflict, and task-completion usually wins. A rule in the system prompt is just more tokens. It has no special enforcement status at inference time. The fixes that work for me today, and I'm open to learning more: * Plan mode as a first gate - the agent reasons, doesn't execute. * Allowlist run mode with write commands excluded - leave `git` and `gh` off the allowlist entirely so the agent has to ask every time, and block `git`, `gh`, and anything that modify external world. * Branch protection with self-approval disabled so the agent can't close the loop unilaterally. The insight from functional programming helped me frame it: imperative agents execute effects immediately, one tool call at a time. What you actually want is deferred execution - the agent describes what it wants to do, you inspect it, you confirm. For external system calls, approve requests one by one. In functional programming this is the idea that effects only run at the end. That's the "end of the world" pattern from Haskell applied to agentic workflows. More detail: [https://lukastymo.com/posts/032-functional-programming-concepts-to-tame-your-ai-agents/](https://lukastymo.com/posts/032-functional-programming-concepts-to-tame-your-ai-agents/)