As syntax turns into low cost and plentiful, architectural management turns into the scarce useful resource. Efficient governance begins upstream, the place intent, constraints, and menace fashions form the agent’s working context earlier than era begins. The objective isn’t higher prompting however build-time boundaries that forestall structurally invalid code from coming into the system.
The Frankenstein factories
The darkish factories (as Dan Shapiro calls them) are operating. Tokens fly via trycycles, options ship in a single day, and codebases are ported earlier than breakfast. The speed is actual. And comprehension debt (a time period coined by Addy Osmani) is compounding in silence behind it.
What this period is producing, at scale, deserves its personal identify: Frankenstein factories. Not a critique of any single method however an outline of a structural situation—era engines so efficient at producing working syntax that they’ve industrialized the creation of architecturally ungovernable techniques. The creature walks out of the laboratory spectacular, purposeful, and alive on supply day.
The disaster arrives the day somebody should govern it. To control a system means to carry it accountable to its design boundaries—the flexibility to take a look at it and reliably say why it really works, what is permitted to the touch what, and to categorically forestall forbidden state adjustments earlier than they occur. Victor’s disaster was not the act of creation however the absent governing body.
For prototyping or delivery options quick, unconstrained era is a robust instrument. It optimizes for velocity, and it delivers. However for enterprise fee techniques, insurance coverage underwriting engines, logistics orchestrators, and controlled platforms, the query shouldn’t be “Does the code ship?” however “Who’s liable when it does the flawed factor?” Right here, automating the phrase “YES” to each characteristic request doesn’t remedy the issue. It industrializes it.
Take into account a typical Jira ticket: “Add an e mail notification after a profitable fee.”
A junior developer would possibly try to wedge the email-sending logic immediately into the PaymentProcessor class. A senior architect catches this in code assessment: “No. Fireplace a PaymentSuccessEvent to the message bus.” That human friction—the architectural “No”—retains the system maintainable.
Unconstrained AI brokers lack this assertiveness. By default, they’re the last word yes-men.
Hand that very same ticket to a typical coding agent and it’ll not argue about bounded contexts. It’s going to burn tokens till it produces 300 strains of syntactically excellent code, import an SMTP library immediately into the core of your billing area, and submit a pull request. The checks will go; typical characteristic checks make no assertion about bounded contexts. The CI pipeline will go inexperienced. And structurally, the system is now a catastrophe.
This occurs not via malice however due to how agentic loops are constructed. With out specific architectural constraints, the system’s emergent habits is to satisfy quick person intent. The agent is orchestrated to ship the characteristic, to not defend the structure. Comprehension debt is the structural consequence: AI generates syntax sooner than human beings can learn or govern it. Anticipating a probabilistic mannequin to implement structural integrity by itself is a class error. With no governing body, the agent will all the time take the trail of least resistance to a “YES.”
You can not repair code overproduction by hiring extra folks to learn it nor by operating the era loop sooner. The one scalable reply is to construct a concrete riverbed earlier than you activate the water.
If the present period automates the phrase “YES,” we must always automate the phrase “NO.”
Securing the runtime surroundings prevents the monster from escaping. However to forestall it from being constructed within the first place, we have to step again into the IDE and the CI/CD pipeline. We have to govern era.
The nice softening: Shifting danger from construct time to runtime
Compilers by no means assured appropriate software program. You may write catastrophic logically damaged techniques in C, Java, or another compiled language. However compilers served a vital engineering goal: They deterministically ruled a particular layer of structural danger.
By imposing laborious execution constraints—syntax validity, kind compatibility, linkage guidelines, and executable viability—the compiler acted as an automatic boundary. It didn’t confirm enterprise intent, area correctness, or architectural high quality. What it did was get rid of a complete class of low-level structural failure earlier than execution ever started.
That delegation of danger is without doubt one of the quiet triumphs of software program engineering. Our self-discipline has all the time superior by mechanizing one class of ensures so people can give attention to the subsequent layer of abstraction. We automated machine-level structural correctness so engineers might spend their cognitive power on utility logic. Later, we pushed extra ensures upward, into schemas, testing, static evaluation, architectural patterns, and operational controls.
Over time, we additionally intentionally softened sure boundaries in alternate for pace. Dynamic languages, richer runtimes, reflection, and more and more summary frameworks all traded deterministic compile-time ensures for developer velocity and suppleness. The newly uncovered danger was absorbed elsewhere: runtime validation, automated testing, observability, and engineering self-discipline.
At this time, with agentic AI, we’re softening boundaries once more, extra radically than ever earlier than.
Pure language has change into a high-level management airplane for software program era. Arbitrary textual content more and more shapes executable habits. And in that shift, we have now blurred one of many oldest boundaries in computing: the separation between information and directions.
Exterior the mannequin, that boundary nonetheless exists. Programs implement permission scopes, schema contracts, sandboxing, and execution insurance policies. However contained in the inference context, these protections collapse into the identical token stream.
System prompts, retrieved paperwork, person messages, instrument outputs, and exterior content material all stream via the identical neural weights. There isn’t a laborious privilege boundary between instruction and enter. Trendy fashions might resist naive assaults like “Ignore earlier directions,” however they continue to be susceptible to oblique injections disguised as professional operational context. A malicious instruction embedded in a buyer e mail, a webpage, or a instrument response shouldn’t be processed as passive information. It will possibly change into behavioral affect.
Contained in the context window, untrusted textual content can form management stream. That’s the actual softening.
We’re producing syntax at machine pace, however we have now dissolved the structural gate that when constrained how techniques have been constructed. The result’s a large shift of danger from construct time to runtime. Code that seems structurally sound throughout era might violate architectural boundaries, introduce unsafe execution paths, or change into behaviorally compromised the second hostile context enters the loop.
The conclusion is easy: The truth that AI-generated code runs is not a significant proxy for system correctness.
Syntax is plentiful. Execution is simple. Structural governance is what’s lacking.
We outsourced the writing of logic to machines, however we didn’t construct a deterministic boundary that governs what these machines are allowed to generate.
If we wish management again, we can not depend on human code assessment at machine pace. We should rebuild the build-time gate.
From dependency bloat to tailored structure
For many years, the business’s default response to complexity was abstraction by accumulation: monolithic frameworks, sprawling dependency timber, and ever-thicker layers of indirection. Importing a 50-megabyte library to keep away from repetitive boilerplate was a rational trade-off when developer time and cognitive bandwidth have been the scarce sources. For AI brokers, that trade-off adjustments.
This isn’t an argument in opposition to foundational infrastructure. Mature primitives—like SQLAlchemy in Python or Spring Boot in Java—stay important exactly as a result of their conventions are extensively discovered and predictable. The issue isn’t abstraction however opacity. When core enterprise logic disappears behind proprietary decorators, inner frameworks, or customized orchestration layers, execution turns into a black field. An agent can not safely purpose about code it can not hint. It wants direct visibility into causality: what adjustments state, what enforces invariants, and the place tasks start and finish. Hidden stream degrades reasoning into guesswork; guesswork silently turns into architectural drift.
On the similar time, AI drives the price of procedural code towards zero. Boilerplate is not costly. Readability is. The design query shifts from “How a lot can we summary away?” to “How a lot should stay specific for protected reasoning?” The reply is tailored structure: skinny infrastructure, specific area logic, laborious boundaries, and narrowly scoped parts with seen contracts. The worth is not in how a lot code you keep away from writing however in how clearly the system declares its boundaries.
That very same opacity additionally breaks verification. AI assessment can catch native defects, dangerous patterns, and implementation errors, but it surely stays blind to architectural drift and lacking enterprise intent except these constraints are explicitly encoded. In any case, in the event you ask a mannequin to assessment code generated from the very same obscure Jira ticket, do you truly get verification, or do you simply engineer a round hallucination, the place the AI politely revalidates its personal blind spots?
The Context Compilation Sample
The Context Compilation Sample governs era within the IDE and the CI/CD pipeline earlier than a single syntactically believable line ever reaches a human reviewer. If the Resolution Intelligence Runtime (DIR) is the vault door that protects execution in manufacturing, context compilation is the blueprint that forestalls the monster from being constructed within the lab.
This isn’t “immediate engineering,” which merely asks a probabilistic mannequin for a greater reply. What we want is build-time governance: two layers of protection assembled earlier than the LLM inference is even triggered. The primary is structured context injection (assembling the immediate from prioritized artifacts). The second is postgeneration static verification (deterministic AST checks that implement guidelines no probabilistic mannequin can override). The immediate construction biases era towards compliant options; the static checks make declared, machine-verifiable boundary violations unimaginable to merge.
Deterministic build-time governance shouldn’t be a return to formal software program specification (like UML), neither is it merely “immediate engineering disguised as Markdown.” It’s a mechanical constraint on the era house that makes explicitly declared boundary violations rejectable by design. Context compilation doesn’t get rid of architectural assessment or exchange engineering judgment. As a substitute, it ensures that the agent operates inside an outlined riverbed of allowed structural invariants.
Engineering evolves every time implicit guidelines change into specific declarations. Software improvement is now crossing that boundary. The senior engineer’s new job is declarative boundary engineering: explicitly declaring what the system is completely forbidden from doing.
The failure shouldn’t be within the frameworks. The failure is within the course of: pointing an unconstrained AI agent at a codebase stuffed with invisible magic and anticipating a CI/CD pipeline designed for human-generated code to catch what goes flawed. The reply is to construct a compiler for the agent’s context.
The Context Compilation Sample is the staged pipeline that makes this concrete.
Step 1: The context artifacts
Probably the most strategically beneficial code in your repository might not stay in src/. It lives in /context. The pipeline consumes versioned artifacts resembling intent.md, boundaries.md, and threat-model.md, every authored by a specialist earlier than a single line of code is generated. (Possession and function tasks are lined in “Artifact-Certain Roles and Accountability” under.) What issues right here is that these recordsdata are the inputs to the compiler: With out them, there’s nothing to compile.
To forestall cognitive overlap, their roles have to be fiercely separated: boundaries.md declares structural invariants (e.g., dependency route, allowed communication paths, and occasion emission), whereas threat-model.md fashions adversarial constraints as declarative abuse eventualities (e.g., immediate injection and secrets and techniques exfiltration) that have to be mechanically blocked.
boundaries.md warrants a exact definition, as a result of it anchors your entire build-time governance mannequin. In observe, boundaries are usually outlined at module or bounded-context granularity (e.g., /billing/* or /danger/*), not per class or per repository. They’re applied utilizing hybrid artifacts: a pure language doc designed to constrain the LLM, tightly paired with a deterministic rule for the CI runner.
Take into account this concrete instance of how an architectural boundary is explicitly declared and enforced:
1. boundaries.md (for the LLM context)
This Markdown file is injected into the agent’s immediate. It defines the vocabulary, architectural constraints, and allowed interactions.
Module: Billing
Ontology: Order, Bill, PaymentEvent
Rule: Zero exterior community I/O is allowed on this area. You need to NEVER import requests or smtplib.2. semgrep-rule.yml (for the CI/CD runner)
This static file goes to the CI pipeline to mechanize the boundary. It ensures the code verify is absolutely deterministic.
guidelines:
# Block forbidden imports on the module boundary
- id: block-external-io-in-billing
patterns:
- pattern-either:
- sample: import smtplib
- sample: import requests
message: "Structure Violation: Exterior I/O is strictly forbidden within the billing area."
severity: ERROR
languages: [python]
paths:
embrace: ["src/billing/**"]
# Area layer should not speak to DB driver immediately
- id: block-db-driver-in-domain
patterns:
- pattern-either:
- sample: import sqlalchemy
- sample: from sqlalchemy import ...
- sample: import psycopg2
- sample: from psycopg2 import ...
message: "Structure Violation: Area layer should use Repository abstraction, not database drivers immediately."
severity: ERROR
languages: [python]
paths:
embrace:
- "src/billing/area/**"Crucially, these Semgrep/CI guidelines are human-authored (or human-reviewed) precommit artifacts. We don’t depend on an LLM to generate the safety gates on the fly. The AI reads the Markdown to information its era; the CI runner executes the static YAML to implement the boundary.
If these artifacts keep present, they actively govern the generated codebase. Stale or malformed context turns into context debt: The pipeline will implement strictly no matter was declared, even when the declaration is flawed. Governance artifacts are manufacturing code. They require strict versioning, specific possession, and periodic assessment similar to the executable logic they constrain. That’s why core artifacts like boundaries.md require rigorous peer assessment, not simply informal updates.
Step 2: The context compiler
Dumping all Markdown recordsdata into the system immediate is typically acceptable for small initiatives and small artifacts. However because the codebase grows or the context window fills with too many competing constraints, fashions start to undergo from “misplaced within the center” degradation and silently ignore what issues most.
The time period “context compiler” would possibly sound like a magical enterprise heavy-lift, however the actuality is totally mundane. In its easiest type, it’s only a deterministic context meeting layer mixed with a routing mechanism.
As a substitute of treating context as a flat pile of paperwork, the compiler assembles it into an ordered construction. As a result of completely different artifacts apply to completely different components of the mission, boundaries.md within the /billing module would possibly implement strict isolation, whereas the one in /frontend is likely to be rather more permissive.
In observe, the compiler might take one among these kinds:
Handbook choice: The developer merely factors their IDE or agent to a structured set of Markdown recordsdata.
An earthly script: A primary Python or bash script that understands a listing construction. It concatenates the .md recordsdata to construct the LLM’s system immediate and arms the .yml recordsdata on to the CI runner.
Device-mediated context protocols: Devoted mechanisms (e.g., MCP) that enable the agent to question the workspace and dynamically assemble the required boundaries immediately inside the IDE, bypassing the necessity for guide script invocation.
Take into account a sensible listing construction:
/context
/world
coding-standards.md
/area
/billing
boundaries.md
threat-model.md
semgrep-rule.yml
/danger
boundaries.md
threat-model.md
semgrep-rule.yml
/frontend
boundaries.md
threat-model.md
semgrep-rule.ymlWhen producing code for the billing module, the script reads /world and /billing. The compiler merely scopes the principles primarily based on the listing, completely focusing the agent’s consideration on the boundaries that matter whereas wiring the corresponding YAML guidelines for deterministic CI verification.
Step 3: Strict boundary hierarchy (resolving conflicts)
When confronted with conflicting directions, LLMs don’t throw a compilation error. They hallucinate a harmful compromise. The compiler prevents this by imposing a deterministic priority of declared constraints earlier than the immediate is assembled:
Menace mannequin > Boundaries > Coding requirements > Intent + acceptance standards
Safety and architectural boundaries unconditionally overrule characteristic supply. This operates at two ranges. On the immediate stage (delicate enforcement), constraint ordering biases era towards compliant options. On the postgeneration stage (laborious enforcement), deterministic code checks parse the generated syntax, confirm structural invariants, and immediately fail the construct on violation.
“Decision” on this context doesn’t imply an LLM philosophically negotiating between two Markdown recordsdata. It means deterministic rejection by way of CI. If the intent.md asks to “e mail a receipt to the person,” however boundaries.md forbids exterior community calls within the billing module, an unconstrained AI would possibly attempt to generate an SMTP name. The battle is mechanically “resolved” when the CI pipeline runs a static rule (derived from semgrep-rule.yml) and immediately fails the construct. The developer (context orchestrator) should then intervene and alter the design to make use of an occasion bus as an alternative. The hierarchy is enforced by deterministic code evaluation, not LLM reasoning. A rejected construct shouldn’t be essentially a rejected enterprise want; it’s a sign that declared boundaries and meant functionality have to be reconciled explicitly earlier than regeneration. (This mechanical rejection bodily executes throughout the adversarial verification section in step 5).
We don’t use AI for this validation. We use present, confirmed AST instruments and code linters like Semgrep, Bandit, or CodeQL to implement these boundaries in CI/CD.
Nevertheless, we have to be exact about what this governance truly achieves. Deterministic checks implement invariants, not the structure as an entire. You may statically implement forbidden imports, forbidden outbound I/O, strict layering, and schema conformance. You can not statically implement area semantics, combination possession correctness, delicate coupling, or conceptual cohesion. Deterministic verification doesn’t show architectural correctness. It proves compliance with explicitly declared structural invariants.
Step 4: Technology
Context as code issues provided that generated syntax is verified in opposition to the identical boundaries that formed it. With a compiled, conflict-free context hierarchy, the developer agent generates code inside an remoted person house sandbox. On this fleeting fraction of a second, the agent contained in the developer’s IDE consumes the narrowed, precompiled system immediate and outputs the precise payment_service.py. Its function is constrained synthesis: translating the boundaries in boundaries.md and the imperatives in intent.md into code.
Step 5: Adversarial verification (unfavorable house)
This section checks whether or not the generated code crossed a forbidden boundary. Earlier than the event cycle begins, the adversarial context supplier defines menace vectors in threat-model.md. As a result of a Markdown file solely guides the LLM softly, the governance platform engineer bridges the hole to determinism by translating these declarative threats into matching executable guidelines (like semgrep-rule.yml) wired into the CI gates. If the menace mannequin identifies server-side request forgery or secrets and techniques exfiltration as a danger for the /frontend module, the corresponding CI rule parses the generated code and immediately fails the construct if a recognized assault sample or insecure execution sink is detected.
The pipeline doesn’t ask an LLM to learn the Markdown and assess if the code is protected. It mechanically executes the prewritten guidelines derived from it. If a generative agent helps draft the rule set, it does so earlier than the cycle in an remoted sandbox, and a human critiques the consequence earlier than it enters CI. Step 5 doesn’t show total correctness; it proves that declared structural and safety boundaries are enforced.
Like all static gate, deterministic boundary checks commerce flexibility for security and can often reject legitimate implementations. That friction is intentional: Specific override and artifact refinement are a part of the governance loop.
AI code assessment might determine suspicious code, but it surely can not certify that declared boundaries survived era. Step 5 subsequently depends on deterministic CI guidelines, not on a probabilistic mannequin decoding the pull request.
Step 6: Acceptance verification (optimistic house)
This section checks whether or not the generated code solves the enterprise downside. The acceptance-criteria.md defines the anticipated habits not as a obscure person story, however as a machine-executable contract (e.g., utilizing Gherkin syntax):
Situation: Profitable fee emits notification
Given a sound fee of 100 EUR
When the transaction completes
Then the PaymentSuccessEvent is revealed to the message busThe CI pipeline parses this actual Markdown block and runs the corresponding take a look at suite. Step 6 supplies what step 5 can not: verification in opposition to a declared supply contract.
The code is permitted solely when it passes adversarial checks and satisfies the acceptance standards. With out step 5, the system might violate structural boundaries. With out step 6, it might implement the flawed intent. Each contracts should maintain.
Artifact-bound roles and accountability
The standard SDLC is a linear cascade: Necessities stream to structure, then to code, then to QA. In an period the place a machine generates 10,000 strains of syntax within the time it takes to fetch a espresso, that handoff is a deadly bottleneck.
Within the context matrix, specialists outline parallel, unbiased constraint vectors earlier than era begins. The titles on enterprise playing cards keep the identical. The artifacts they produce change totally.
| Previous function | New function | Artifact | Duty |
| Enterprise analyst | Intent definer | intent.md + acceptance-criteria.md |
Outline the “what” and the deterministic proof that it was delivered |
| Software program architect | World builder | boundaries.md |
Outline area ontology, architectural invariants, and allowed interplay patterns |
| QA & safety engineer | Adversarial context supplier | threat-model.md |
Outline menace vectors and abuse paths earlier than era |
| Platform engineer/DevOps | Governance platform engineer | Compiler pipeline + CI gates (semgrep-rule.yml) |
Operationalize declared constraints into nonbypassable enforcement gates |
| Developer | Context orchestrator | coding-standards.md + essential code |
Resolve artifact conflicts, steer era workflows, implement essential paths, and refine context high quality |
On this mannequin, accountability is distributed and artifact sure. Quite than handing off work downstream, every function owns particular upstream actions and constraints.
- The intent definer (previously enterprise analyst): Owns the enterprise actuality. They translate person wants into
intent.mdand outline laboriousacceptance-criteria.md(like BDD eventualities or API contracts). Their job is to formulate necessities so strictly that the pipeline can routinely show supply, performing as the primary line of protection in opposition to obscure “vibe coding.” - The world builder (previously software program architect): Owns the structural gravity. They write
boundaries.mdto determine the area ontology and laborious architectural boundaries. As a substitute of reviewing pull requests for drift, their each day exercise is defining what modules are allowed to speak and declaring the structural invariants the generated code should respect. - The adversarial context supplier (previously QA and safety): Owns the unfavorable house. They anticipate failure modes and outline menace vectors by way of
threat-model.md. Their accountability is figuring out the exact abuse paths that the CI pipeline should block, making certain an LLM by no means checks its personal code. - The governance platform engineer (previously platform engineer/DevOps): Owns the enforcement equipment. They construct the context compiler pipeline and operationalize declared constraints into nonbypassable enforcement gates. Their accountability is the deterministic enforcement pipeline that executes declared governance artifacts at precommit and CI/CD boundaries.
- The context orchestrator (previously developer): Owns era orchestration and demanding handwritten paths. This can be a hybrid actuality, not the tip of programming. They write
coding-standards.md, manually implement zero-trust paths, and resolve runtime exception requests. For the majority of the system, their focus shifts to a meta-level: resolving conflicting constraints, tuning the immediate’s signal-to-noise ratio, and debugging why a given artifact failed to control the agent correctly.
When a failure happens, the investigation shifts from “What was the agent considering?” to “Which contract failed to control?” As a result of the pipeline deterministically enforces what was explicitly declared, failures are not opaque hallucinations. They’re traceable collisions between artifact boundaries. A structural flaw cleanly factors to an unbounded boundaries.md. When the pipeline is inexperienced and the contracts are sincere, the orchestrator acts as a firewall in opposition to course of failure, not a scapegoat for undocumented assumptions.
The economics of governance
Context compilation makes financial sense solely when the price of architectural failure exceeds the price of specific governance. It provides upfront design work and cognitive overhead, so its worth will depend on how costly a flawed system resolution can be.
For speedy prototyping, throwaway utility scripts, advertising websites, or low-stakes inner instruments—the place the worst-case consequence of a hallucination is a misaligned dashboard—let the generative engines run unconstrained. Velocity is the one factor that issues.
For safety-critical automation, buying and selling platforms, healthcare orchestrators, and controlled enterprise techniques, the economics invert. Velocity with out deterministic boundaries is solely the pace at which you accumulate legal responsibility. A single unconstrained agent importing an insecure dependency right into a fee core prices orders of magnitude greater than the engineer-hours spent writing a boundaries.md contract.
You don’t construct a financial institution vault door for a backyard shed. You apply context compilation the place the systemic price of emergent architectural failure is catastrophic.
Automating the phrase “NO”
When code era turns into low cost, architectural entropy tends to scale with it. That makes submit hoc code assessment much less efficient, particularly when reviewers spend their consideration on machine-generated boilerplate. A extra sturdy method is context assessment: peer assessment of the declarative constraints that form what the machine is allowed to construct. A reviewed boundaries.md can information many later improvement cycles. A reviewed pull request often governs solely a single change.
The self-discipline has shifted from crucial engineering of procedures to declarative engineering of boundaries.
Let’s return to the Jira ticket that began this dialogue: “Add an e mail notification after a profitable fee.”
The enterprise analyst submits the intent.md. Earlier than the developer agent sees the immediate, the context compiler prompts—on the precommit gate or by way of tool-mediated context protocols (e.g., script or MCP) within the IDE—earlier than a line is written. It retrieves the architect’s boundaries.md, which states, “The /area module has zero exterior dependencies. No community calls.” The SMTP import collides with that boundary immediately. Even when the agent generates the import, the construct is not going to survive it—the immediate biases era towards compliant options, and the deterministic static verify in step 5 rejects it on the declared boundary. The Frankenstein is caught within the pipeline, not found in manufacturing three launch cycles later.
Code era is turning into plentiful. Architectural self-discipline is turning into scarce.
Context as code governs what could also be generated. Duty-oriented brokers govern what could also be proposed. Resolution Intelligence Runtime governs what could also be executed. Three boundaries. One governing body.
The best-value engineering ability is not writing syntax. It’s engineering the circumstances underneath which appropriate syntax can emerge.
That’s the potential to automate the phrase “NO.”
This text concludes the three-part collection on engineering boundaries in agentic AI. The repository at github.com/huka81/decision-intelligence-runtime accommodates an open supply reference implementation of the ideas described on this collection.
