As syntax turns into low cost and plentiful, architectural management turns into the scarce useful resource. Efficient governance begins upstream, the place intent, constraints, and menace fashions form the agent’s working context earlier than era begins. The purpose isn’t higher prompting however build-time boundaries that stop structurally invalid code from getting into the system.
The Frankenstein factories
The darkish factories (as Dan Shapiro calls them) are operating. Tokens fly by means of trycycles, options ship in a single day, and codebases are ported earlier than breakfast. The speed is actual. And comprehension debt (a time period coined by Addy Osmani) is compounding in silence behind it.
What this period is producing, at scale, deserves its personal identify: Frankenstein factories. Not a critique of any single method however an outline of a structural situation—era engines so efficient at producing working syntax that they’ve industrialized the creation of architecturally ungovernable programs. The creature walks out of the laboratory spectacular, practical, and alive on supply day.
The disaster arrives the day somebody should govern it. To control a system means to carry it accountable to its design boundaries—the power to take a look at it and reliably say why it really works, what is permitted to the touch what, and to categorically stop forbidden state modifications earlier than they occur. Victor’s disaster was not the act of creation however the absent governing body.
For prototyping or transport options quick, unconstrained era is a strong device. It optimizes for velocity, and it delivers. However for enterprise cost programs, insurance coverage underwriting engines, logistics orchestrators, and controlled platforms, the query will not be “Does the code ship?” however “Who’s liable when it does the improper factor?” Right here, automating the phrase “YES” to each characteristic request doesn’t clear up the issue. It industrializes it.
Take into account a typical Jira ticket: “Add an electronic mail notification after a profitable cost.”
A junior developer would possibly try to wedge the email-sending logic straight into the PaymentProcessor class. A senior architect catches this in code evaluation: “No. Fireplace a PaymentSuccessEvent to the message bus.” That human friction—the architectural “No”—retains the system maintainable.
Unconstrained AI brokers lack this assertiveness. By default, they’re the final word yes-men.
Hand that very same ticket to a typical coding agent and it’ll not argue about bounded contexts. It’ll burn tokens till it produces 300 strains of syntactically excellent code, import an SMTP library straight into the core of your billing area, and submit a pull request. The checks will go; typical characteristic checks make no assertion about bounded contexts. The CI pipeline will go inexperienced. And structurally, the system is now a catastrophe.
This occurs not by means of malice however due to how agentic loops are constructed. With out specific architectural constraints, the system’s emergent conduct is to satisfy instant consumer intent. The agent is orchestrated to ship the characteristic, to not defend the structure. Comprehension debt is the structural consequence: AI generates syntax sooner than human beings can learn or govern it. Anticipating a probabilistic mannequin to implement structural integrity by itself is a class error. With out a governing body, the agent will at all times take the trail of least resistance to a “YES.”
You can not repair code overproduction by hiring extra folks to learn it nor by operating the era loop sooner. The one scalable reply is to construct a concrete riverbed earlier than you activate the water.
If the present period automates the phrase “YES,” we must always automate the phrase “NO.”
Securing the runtime surroundings prevents the monster from escaping. However to forestall it from being constructed within the first place, we have to step again into the IDE and the CI/CD pipeline. We have to govern era.
The good softening: Shifting danger from construct time to runtime
Compilers by no means assured right software program. You may write catastrophic logically damaged programs in C, Java, or every other compiled language. However compilers served an important engineering function: They deterministically ruled a particular layer of structural danger.
By imposing laborious execution constraints—syntax validity, sort compatibility, linkage guidelines, and executable viability—the compiler acted as an automatic boundary. It didn’t confirm enterprise intent, area correctness, or architectural high quality. What it did was remove a complete class of low-level structural failure earlier than execution ever started.
That delegation of danger is among the quiet triumphs of software program engineering. Our self-discipline has at all times superior by mechanizing one class of ensures so people can give attention to the following layer of abstraction. We automated machine-level structural correctness so engineers might spend their cognitive vitality on utility logic. Later, we pushed extra ensures upward, into schemas, testing, static evaluation, architectural patterns, and operational controls.
Over time, we additionally intentionally softened sure boundaries in change for pace. Dynamic languages, richer runtimes, reflection, and more and more summary frameworks all traded deterministic compile-time ensures for developer velocity and adaptability. The newly uncovered danger was absorbed elsewhere: runtime validation, automated testing, observability, and engineering self-discipline.
In the present day, with agentic AI, we’re softening boundaries once more, extra radically than ever earlier than.
Pure language has turn into a high-level management airplane for software program era. Arbitrary textual content more and more shapes executable conduct. And in that shift, we have now blurred one of many oldest boundaries in computing: the separation between knowledge and directions.
Outdoors the mannequin, that boundary nonetheless exists. Methods implement permission scopes, schema contracts, sandboxing, and execution insurance policies. However contained in the inference context, these protections collapse into the identical token stream.
System prompts, retrieved paperwork, consumer messages, device outputs, and exterior content material all move by means of the identical neural weights. There is no such thing as a laborious privilege boundary between instruction and enter. Fashionable fashions might resist naive assaults like “Ignore earlier directions,” however they continue to be weak to oblique injections disguised as professional operational context. A malicious instruction embedded in a buyer electronic mail, a webpage, or a device response will not be processed as passive knowledge. It may turn into behavioral affect.
Contained in the context window, untrusted textual content can form management move. That’s the actual softening.
We’re producing syntax at machine pace, however we have now dissolved the structural gate that after constrained how programs have been constructed. The result’s a large shift of danger from construct time to runtime. Code that seems structurally sound throughout era might violate architectural boundaries, introduce unsafe execution paths, or turn into behaviorally compromised the second hostile context enters the loop.
The conclusion is simple: The truth that AI-generated code runs is now not a significant proxy for system correctness.
Syntax is plentiful. Execution is simple. Structural governance is what’s lacking.
We outsourced the writing of logic to machines, however we didn’t construct a deterministic boundary that governs what these machines are allowed to generate.
If we wish management again, we can not depend on human code evaluation at machine pace. We should rebuild the build-time gate.
From dependency bloat to tailored structure
For many years, the trade’s default response to complexity was abstraction by accumulation: monolithic frameworks, sprawling dependency bushes, and ever-thicker layers of indirection. Importing a 50-megabyte library to keep away from repetitive boilerplate was a rational trade-off when developer time and cognitive bandwidth have been the scarce sources. For AI brokers, that trade-off modifications.
This isn’t an argument towards foundational infrastructure. Mature primitives—like SQLAlchemy in Python or Spring Boot in Java—stay important exactly as a result of their conventions are extensively discovered and predictable. The issue isn’t abstraction however opacity. When core enterprise logic disappears behind proprietary decorators, inside frameworks, or customized orchestration layers, execution turns into a black field. An agent can not safely purpose about code it can not hint. It wants direct visibility into causality: what modifications state, what enforces invariants, and the place duties start and finish. Hidden move degrades reasoning into guesswork; guesswork silently turns into architectural drift.
On the similar time, AI drives the price of procedural code towards zero. Boilerplate is now not costly. Readability is. The design query shifts from “How a lot can we summary away?” to “How a lot should stay specific for secure reasoning?” The reply is tailored structure: skinny infrastructure, specific area logic, laborious boundaries, and narrowly scoped parts with seen contracts. The worth is now not in how a lot code you keep away from writing however in how clearly the system declares its boundaries.
That very same opacity additionally breaks verification. AI evaluation can catch native defects, dangerous patterns, and implementation errors, nevertheless it stays blind to architectural drift and lacking enterprise intent until these constraints are explicitly encoded. In spite of everything, should you ask a mannequin to evaluation code generated from the very same obscure Jira ticket, do you truly get verification, or do you simply engineer a round hallucination, the place the AI politely revalidates its personal blind spots?
The Context Compilation Sample
The Context Compilation Sample governs era within the IDE and the CI/CD pipeline earlier than a single syntactically believable line ever reaches a human reviewer. If the Resolution Intelligence Runtime (DIR) is the vault door that protects execution in manufacturing, context compilation is the blueprint that forestalls the monster from being constructed within the lab.
This isn’t “immediate engineering,” which merely asks a probabilistic mannequin for a greater reply. What we want is build-time governance: two layers of protection assembled earlier than the LLM inference is even triggered. The primary is structured context injection (assembling the immediate from prioritized artifacts). The second is postgeneration static verification (deterministic AST checks that implement guidelines no probabilistic mannequin can override). The immediate construction biases era towards compliant options; the static checks make declared, machine-verifiable boundary violations inconceivable to merge.
Deterministic build-time governance will not be a return to formal software program specification (like UML), neither is it merely “immediate engineering disguised as Markdown.” It’s a mechanical constraint on the era area that makes explicitly declared boundary violations rejectable by design. Context compilation doesn’t remove architectural evaluation or exchange engineering judgment. As a substitute, it ensures that the agent operates inside an outlined riverbed of allowed structural invariants.
Engineering evolves every time implicit guidelines turn into specific declarations. Software improvement is now crossing that boundary. The senior engineer’s new job is declarative boundary engineering: explicitly declaring what the system is completely forbidden from doing.
The failure will not be within the frameworks. The failure is within the course of: pointing an unconstrained AI agent at a codebase stuffed with invisible magic and anticipating a CI/CD pipeline designed for human-generated code to catch what goes improper. The reply is to construct a compiler for the agent’s context.
The Context Compilation Sample is the staged pipeline that makes this concrete.
Step 1: The context artifacts
Probably the most strategically beneficial code in your repository might now not reside in src/. It lives in /context. The pipeline consumes versioned artifacts resembling intent.md, boundaries.md, and threat-model.md, every authored by a specialist earlier than a single line of code is generated. (Possession and function duties are coated in “Artifact-Sure Roles and Accountability” under.) What issues right here is that these information are the inputs to the compiler: With out them, there’s nothing to compile.
To stop cognitive overlap, their roles have to be fiercely separated: boundaries.md declares structural invariants (e.g., dependency route, allowed communication paths, and occasion emission), whereas threat-model.md fashions adversarial constraints as declarative abuse eventualities (e.g., immediate injection and secrets and techniques exfiltration) that have to be mechanically blocked.
boundaries.md warrants a exact definition, as a result of it anchors the whole build-time governance mannequin. In apply, boundaries are sometimes outlined at module or bounded-context granularity (e.g., /billing/* or /danger/*), not per class or per repository. They’re carried out utilizing hybrid artifacts: a pure language doc designed to constrain the LLM, tightly paired with a deterministic rule for the CI runner.
Take into account this concrete instance of how an architectural boundary is explicitly declared and enforced:
1. boundaries.md (for the LLM context)
This Markdown file is injected into the agent’s immediate. It defines the vocabulary, architectural constraints, and allowed interactions.
Module: Billing
Ontology: Order, Bill, PaymentEvent
Rule: Zero exterior community I/O is allowed on this area. It's essential to NEVER import requests or smtplib.2. semgrep-rule.yml (for the CI/CD runner)
This static file goes to the CI pipeline to mechanize the boundary. It ensures the code examine is absolutely deterministic.
guidelines:
# Block forbidden imports on the module boundary
- id: block-external-io-in-billing
patterns:
- pattern-either:
- sample: import smtplib
- sample: import requests
message: "Structure Violation: Exterior I/O is strictly forbidden within the billing area."
severity: ERROR
languages: [python]
paths:
embrace: ["src/billing/**"]
# Area layer should not speak to DB driver straight
- id: block-db-driver-in-domain
patterns:
- pattern-either:
- sample: import sqlalchemy
- sample: from sqlalchemy import ...
- sample: import psycopg2
- sample: from psycopg2 import ...
message: "Structure Violation: Area layer should use Repository abstraction, not database drivers straight."
severity: ERROR
languages: [python]
paths:
embrace:
- "src/billing/area/**"Crucially, these Semgrep/CI guidelines are human-authored (or human-reviewed) precommit artifacts. We don’t depend on an LLM to generate the safety gates on the fly. The AI reads the Markdown to information its era; the CI runner executes the static YAML to implement the boundary.
If these artifacts keep present, they actively govern the generated codebase. Stale or malformed context turns into context debt: The pipeline will implement strictly no matter was declared, even when the declaration is improper. Governance artifacts are manufacturing code. They require strict versioning, specific possession, and periodic evaluation identical to the executable logic they constrain. That’s why core artifacts like boundaries.md require rigorous peer evaluation, not simply informal updates.
Step 2: The context compiler
Dumping all Markdown information into the system immediate is typically acceptable for small tasks and small artifacts. However because the codebase grows or the context window fills with too many competing constraints, fashions start to endure from “misplaced within the center” degradation and silently ignore what issues most.
The time period “context compiler” would possibly sound like a magical enterprise heavy-lift, however the actuality is solely mundane. In its easiest type, it’s only a deterministic context meeting layer mixed with a routing mechanism.
As a substitute of treating context as a flat pile of paperwork, the compiler assembles it into an ordered construction. As a result of totally different artifacts apply to totally different components of the mission, boundaries.md within the /billing module would possibly implement strict isolation, whereas the one in /frontend may be rather more permissive.
In apply, the compiler might take considered one of these kinds:
Guide choice: The developer merely factors their IDE or agent to a structured set of Markdown information.
A secular script: A primary Python or bash script that understands a listing construction. It concatenates the .md information to construct the LLM’s system immediate and palms the .yml information on to the CI runner.
Software-mediated context protocols: Devoted mechanisms (e.g., MCP) that enable the agent to question the workspace and dynamically assemble the required boundaries straight inside the IDE, bypassing the necessity for handbook script invocation.
Take into account a sensible listing construction:
/context
/international
coding-standards.md
/area
/billing
boundaries.md
threat-model.md
semgrep-rule.yml
/danger
boundaries.md
threat-model.md
semgrep-rule.yml
/frontend
boundaries.md
threat-model.md
semgrep-rule.ymlWhen producing code for the billing module, the script reads /international and /billing. The compiler merely scopes the foundations based mostly on the listing, completely focusing the agent’s consideration on the boundaries that matter whereas wiring the corresponding YAML guidelines for deterministic CI verification.
Step 3: Strict boundary hierarchy (resolving conflicts)
When confronted with conflicting directions, LLMs don’t throw a compilation error. They hallucinate a harmful compromise. The compiler prevents this by imposing a deterministic priority of declared constraints earlier than the immediate is assembled:
Risk mannequin > Boundaries > Coding requirements > Intent + acceptance standards
Safety and architectural boundaries unconditionally overrule characteristic supply. This operates at two ranges. On the immediate degree (delicate enforcement), constraint ordering biases era towards compliant options. On the postgeneration degree (laborious enforcement), deterministic code checks parse the generated syntax, confirm structural invariants, and immediately fail the construct on violation.
“Decision” on this context doesn’t imply an LLM philosophically negotiating between two Markdown information. It means deterministic rejection by way of CI. If the intent.md asks to “electronic mail a receipt to the consumer,” however boundaries.md forbids exterior community calls within the billing module, an unconstrained AI would possibly attempt to generate an SMTP name. The battle is mechanically “resolved” when the CI pipeline runs a static rule (derived from semgrep-rule.yml) and immediately fails the construct. The developer (context orchestrator) should then intervene and alter the design to make use of an occasion bus as an alternative. The hierarchy is enforced by deterministic code evaluation, not LLM reasoning. A rejected construct will not be essentially a rejected enterprise want; it’s a sign that declared boundaries and supposed functionality have to be reconciled explicitly earlier than regeneration. (This mechanical rejection bodily executes through the adversarial verification section in step 5).
We don’t use AI for this validation. We use current, confirmed AST instruments and code linters like Semgrep, Bandit, or CodeQL to implement these boundaries in CI/CD.
Nonetheless, we have to be exact about what this governance truly achieves. Deterministic checks implement invariants, not the structure as an entire. You may statically implement forbidden imports, forbidden outbound I/O, strict layering, and schema conformance. You can not statically implement area semantics, mixture possession correctness, refined coupling, or conceptual cohesion. Deterministic verification doesn’t show architectural correctness. It proves compliance with explicitly declared structural invariants.
Step 4: Era
Context as code issues provided that generated syntax is verified towards the identical boundaries that formed it. With a compiled, conflict-free context hierarchy, the developer agent generates code inside an remoted consumer area sandbox. On this fleeting fraction of a second, the agent contained in the developer’s IDE consumes the narrowed, precompiled system immediate and outputs the precise payment_service.py. Its function is constrained synthesis: translating the boundaries in boundaries.md and the imperatives in intent.md into code.
Step 5: Adversarial verification (destructive area)
This section checks whether or not the generated code crossed a forbidden boundary. Earlier than the event cycle begins, the adversarial context supplier defines menace vectors in threat-model.md. As a result of a Markdown file solely guides the LLM softly, the governance platform engineer bridges the hole to determinism by translating these declarative threats into matching executable guidelines (like semgrep-rule.yml) wired into the CI gates. If the menace mannequin identifies server-side request forgery or secrets and techniques exfiltration as a danger for the /frontend module, the corresponding CI rule parses the generated code and immediately fails the construct if a identified assault sample or insecure execution sink is detected.
The pipeline doesn’t ask an LLM to learn the Markdown and assess if the code is secure. It mechanically executes the prewritten guidelines derived from it. If a generative agent helps draft the rule set, it does so earlier than the cycle in an remoted sandbox, and a human evaluations the consequence earlier than it enters CI. Step 5 doesn’t show general correctness; it proves that declared structural and safety boundaries are enforced.
Like several static gate, deterministic boundary checks commerce flexibility for security and can often reject legitimate implementations. That friction is intentional: Express override and artifact refinement are a part of the governance loop.
AI code evaluation might determine suspicious code, nevertheless it can not certify that declared boundaries survived era. Step 5 due to this fact depends on deterministic CI guidelines, not on a probabilistic mannequin deciphering the pull request.
Step 6: Acceptance verification (constructive area)
This section checks whether or not the generated code solves the enterprise downside. The acceptance-criteria.md defines the anticipated conduct not as a obscure consumer story, however as a machine-executable contract (e.g., utilizing Gherkin syntax):
Situation: Profitable cost emits notification
Given a legitimate cost of 100 EUR
When the transaction completes
Then the PaymentSuccessEvent is revealed to the message busThe CI pipeline parses this precise Markdown block and runs the corresponding take a look at suite. Step 6 supplies what step 5 can not: verification towards a declared supply contract.
The code is permitted solely when it passes adversarial checks and satisfies the acceptance standards. With out step 5, the system might violate structural boundaries. With out step 6, it might implement the improper intent. Each contracts should maintain.
Artifact-bound roles and accountability
The standard SDLC is a linear cascade: Necessities move to structure, then to code, then to QA. In an period the place a machine generates 10,000 strains of syntax within the time it takes to fetch a espresso, that handoff is a deadly bottleneck.
Within the context matrix, specialists outline parallel, impartial constraint vectors earlier than era begins. The titles on enterprise playing cards keep the identical. The artifacts they produce change solely.
| Outdated function | New function | Artifact | Accountability |
| Enterprise analyst | Intent definer | intent.md + acceptance-criteria.md |
Outline the “what” and the deterministic proof that it was delivered |
| Software program architect | World builder | boundaries.md |
Outline area ontology, architectural invariants, and allowed interplay patterns |
| QA & safety engineer | Adversarial context supplier | threat-model.md |
Outline menace vectors and abuse paths earlier than era |
| Platform engineer/DevOps | Governance platform engineer | Compiler pipeline + CI gates (semgrep-rule.yml) |
Operationalize declared constraints into nonbypassable enforcement gates |
| Developer | Context orchestrator | coding-standards.md + crucial code |
Resolve artifact conflicts, steer era workflows, implement crucial paths, and refine context high quality |
On this mannequin, accountability is distributed and artifact certain. Slightly than handing off work downstream, every function owns particular upstream actions and constraints.
- The intent definer (previously enterprise analyst): Owns the enterprise actuality. They translate consumer wants into
intent.mdand outline laboriousacceptance-criteria.md(like BDD eventualities or API contracts). Their job is to formulate necessities so strictly that the pipeline can robotically show supply, performing as the primary line of protection towards obscure “vibe coding.” - The world builder (previously software program architect): Owns the structural gravity. They write
boundaries.mdto ascertain the area ontology and laborious architectural boundaries. As a substitute of reviewing pull requests for drift, their every day exercise is defining what modules are allowed to speak and declaring the structural invariants the generated code should respect. - The adversarial context supplier (previously QA and safety): Owns the destructive area. They anticipate failure modes and outline menace vectors by way of
threat-model.md. Their accountability is figuring out the exact abuse paths that the CI pipeline should block, guaranteeing an LLM by no means checks its personal code. - The governance platform engineer (previously platform engineer/DevOps): Owns the enforcement equipment. They construct the context compiler pipeline and operationalize declared constraints into nonbypassable enforcement gates. Their accountability is the deterministic enforcement pipeline that executes declared governance artifacts at precommit and CI/CD boundaries.
- The context orchestrator (previously developer): Owns era orchestration and important handwritten paths. This can be a hybrid actuality, not the top of programming. They write
coding-standards.md, manually implement zero-trust paths, and resolve runtime exception requests. For the majority of the system, their focus shifts to a meta-level: resolving conflicting constraints, tuning the immediate’s signal-to-noise ratio, and debugging why a given artifact failed to control the agent correctly.
When a failure happens, the investigation shifts from “What was the agent pondering?” to “Which contract failed to control?” As a result of the pipeline deterministically enforces what was explicitly declared, failures are now not opaque hallucinations. They’re traceable collisions between artifact boundaries. A structural flaw cleanly factors to an unbounded boundaries.md. When the pipeline is inexperienced and the contracts are trustworthy, the orchestrator acts as a firewall towards course of failure, not a scapegoat for undocumented assumptions.
The economics of governance
Context compilation makes financial sense solely when the price of architectural failure exceeds the price of specific governance. It provides upfront design work and cognitive overhead, so its worth will depend on how costly a improper system determination can be.
For speedy prototyping, throwaway utility scripts, advertising and marketing websites, or low-stakes inside instruments—the place the worst-case consequence of a hallucination is a misaligned dashboard—let the generative engines run unconstrained. Velocity is the one factor that issues.
For safety-critical automation, buying and selling platforms, healthcare orchestrators, and controlled enterprise programs, the economics invert. Velocity with out deterministic boundaries is just the pace at which you accumulate legal responsibility. A single unconstrained agent importing an insecure dependency right into a cost core prices orders of magnitude greater than the engineer-hours spent writing a boundaries.md contract.
You don’t construct a financial institution vault door for a backyard shed. You apply context compilation the place the systemic value of emergent architectural failure is catastrophic.
Automating the phrase “NO”
When code era turns into low cost, architectural entropy tends to scale with it. That makes publish hoc code evaluation much less efficient, particularly when reviewers spend their consideration on machine-generated boilerplate. A extra sturdy method is context evaluation: peer evaluation of the declarative constraints that form what the machine is allowed to construct. A reviewed boundaries.md can information many later improvement cycles. A reviewed pull request normally governs solely a single change.
The self-discipline has shifted from crucial engineering of procedures to declarative engineering of boundaries.
Let’s return to the Jira ticket that began this dialogue: “Add an electronic mail notification after a profitable cost.”
The enterprise analyst submits the intent.md. Earlier than the developer agent sees the immediate, the context compiler prompts—on the precommit gate or by way of tool-mediated context protocols (e.g., script or MCP) within the IDE—earlier than a line is written. It retrieves the architect’s boundaries.md, which states, “The /area module has zero exterior dependencies. No community calls.” The SMTP import collides with that boundary immediately. Even when the agent generates the import, the construct is not going to survive it—the immediate biases era towards compliant options, and the deterministic static examine in step 5 rejects it on the declared boundary. The Frankenstein is caught within the pipeline, not found in manufacturing three launch cycles later.
Code era is changing into plentiful. Architectural self-discipline is changing into scarce.
Context as code governs what could also be generated. Accountability-oriented brokers govern what could also be proposed. Resolution Intelligence Runtime governs what could also be executed. Three boundaries. One governing body.
The very best-value engineering talent is now not writing syntax. It’s engineering the circumstances beneath which right syntax can emerge.
That’s the means to automate the phrase “NO.”
This text concludes the three-part sequence on engineering boundaries in agentic AI. The repository at github.com/huka81/decision-intelligence-runtime comprises an open supply reference implementation of the ideas described on this sequence.
