Agent patterns become valuable when tools, memory, and iterative planning help complete a task that would otherwise stall. They become dangerous when we skip the review discipline that complexity demands.
The first architecture question is not “how autonomous can this be?” It is “what should the system be allowed to do, and what evidence will prove it did the right thing?” Boundaries answer that question.
What Makes Something an Agent Workflow
An agent workflow usually has four moving parts:
- A model that interprets the goal and decides what to do next.
- Tools that let the model read, search, write, call APIs, or run commands.
- State that carries progress, context, and artifacts across steps.
- Review gates that decide whether the output can be trusted or acted on.
A simple chat prompt may only produce text. An agent workflow can change the world around it. It can fetch source material, create files, update tickets, call services, or trigger follow-up work.
That extra capability is useful, but it expands the blast radius. If the agent misunderstands the task, uses stale context, or trusts an unsupported claim, the mistake can move from a draft into a system of record.
Boundaries keep that from happening silently.
Boundary Types
Useful agent boundaries are concrete. “Be careful” is not a boundary. “Read-only access to these three repositories and no external messages without approval” is a boundary.
Data Boundaries
Data boundaries define what the workflow can read and what it must not expose.
Examples:
- read only approved source folders
- exclude private messages, customer records, credentials, or financial data
- use sanitized examples instead of real client details
- return links or references instead of copying sensitive source text
Data boundaries matter because models are good at blending context. If restricted material enters the prompt, the output may reuse it in places it does not belong.
Tool Boundaries
Tool boundaries define what the workflow can do.
Examples:
- read files but do not write them
- create draft tickets but do not submit them
- run tests but do not deploy
- search public docs but do not send email
The risk is not just that a tool call fails. The risk is that it succeeds at the wrong thing.
Action Boundaries
Action boundaries define which operations require approval.
Examples:
- publishing content
- sending a message
- updating a production record
- changing user access
- spending money
- deleting or replacing data
The more consequential the action, the more explicit the gate should be.
Cost and Time Boundaries
Agent workflows can loop, retry, fan out, or process more data than expected.
Examples:
- maximum number of model calls
- maximum number of retry attempts
- maximum parallel workers
- maximum runtime
- stop condition when the workflow cannot prove progress
Cost controls are not just budget controls. They are also reliability controls. A workflow that keeps running after it is stuck is usually hiding a design problem.
Escalation Boundaries
Escalation boundaries define when the agent stops and asks for help.
Examples:
- required source is missing
- the same validation failure happens twice
- the task requires broader permissions
- the output includes unverifiable claims
- the next step would affect an external person or system
A good agent is allowed to stop. A bad one improvises past the point where it still has enough authority or context to be trusted.
Autonomy Tiers
Think in tiers rather than a single yes/no answer.
Tier 1: Read-Only Assistant
The agent can inspect, summarize, classify, and recommend. It cannot write to systems of record or send messages.
Use this tier when:
- the workflow is new
- source boundaries are still being tested
- output quality is not yet measured
- the task involves sensitive or consequential material
This is the safest place to start.
Tier 2: Draft Producer
The agent can create draft artifacts, but a person reviews before anything is published, sent, merged, or applied.
Use this tier when:
- the task is repeatable
- a human can review the output efficiently
- the cost of a bad draft is low
- the final action still needs judgment
Most workplace AI workflows should live here for a while.
Tier 3: Approval-Gated Operator
The agent can prepare an action and queue it for approval. The approval step is explicit and auditable.
Use this tier when:
- the action is structured
- approval criteria are known
- the system can show exactly what will change
- rollback or correction is possible
Examples include creating a draft ticket, staging a content update, or preparing a pull request.
Tier 4: Bounded Autonomous Operator
The agent can complete a narrow action without human approval, but only inside a tight envelope.
Use this tier only when:
- the task is low-risk and reversible
- inputs and outputs are well understood
- monitoring exists
- failure handling is explicit
- the system logs what happened
Do not jump here because the demo looked good once.
Worked Example: Document Triage Agent
Imagine a team receives a shared folder of documents and wants an agent to identify which ones look like policies, procedures, project notes, or duplicates.
Weak boundary design:
- The agent can read the folder.
- It can organize files however it wants.
- It reports what it changed.
This sounds efficient, but it is risky. A misclassification could move or rename important files. The agent may not know which folder contains drafts, records, or restricted material.
Stronger boundary design:
- The agent has read-only access to the source folder.
- It writes a classification report to a separate review folder.
- The report includes file path, proposed category, confidence, and reason.
- It flags low-confidence items instead of guessing.
- A person reviews the report before any files are moved.
- A second tool, not the classifier, performs approved moves from the reviewed report.
The stronger version separates analysis from action. That separation is what makes the workflow reviewable.
Boundary Anti-Patterns
Watch for these patterns during design review.
Silent Write-Back
The agent updates the system of record while presenting the change as a draft or recommendation.
Fix: make write operations separate, visible, and approval-gated unless the action is low-risk and preapproved.
Unbounded Tool Access
The agent has every available tool because “it might need them.”
Fix: give the agent only the tools required for the job. If one workflow needs many unrelated tools, split the workflow.
God Context
The orchestrator carries all source content, all intermediate output, and all instructions in one growing context.
Fix: use artifact references and summaries. Keep source material in durable storage and pass only what each step needs.
Autonomy as a Shortcut Around Process
The agent skips review, QA, or approvals because the team wants velocity.
Fix: treat review gates as part of the architecture. If the organization would require review from a human worker, the agent does not magically remove that requirement.
Compact Design Checklist
Before increasing autonomy, answer these questions:
- What exact sources may the agent read?
- What exact tools may it use?
- What actions are forbidden?
- What actions require approval?
- What does the agent write, and where?
- What proof shows the task is complete?
- What happens after two failures?
- Who reviews high-impact or low-confidence output?
- How is cost or runtime bounded?
- How can the workflow be resumed after interruption?
If any answer is vague, keep the workflow in a lower autonomy tier.
Knowledge Check
Review each scenario and choose the safest autonomy tier.
- Summarizing a public product announcement for an internal reading list.
- Drafting a customer email that explains a missed deadline.
- Creating remediation tickets from an architecture drift report.
- Renaming files in a shared legal folder based on document content.
- Producing a weekly list of public AI articles for a team newsletter.
For each one, identify:
- the data boundary
- the action boundary
- the human review point
- the evidence required before completion
The goal is not to make everything manual. The goal is to automate only inside a boundary that the team can explain, monitor, and defend.