If you've built anything with LangGraph past the demo stage, you've probably had the same uneasy moment I did. The agent works, it's calling tools, it's doing real things, and then you realize the only thing stopping it from doing the wrong real thing is a line in the prompt that says "please don't."
A prompt isn't a control. The agent can be talked into ignoring it, some upstream input can steer it somewhere you didn't expect, and either way the tool call just runs. Once that tool call can move money, hit prod, or touch customer data, "the model seemed confident" isn't where you want your safety to live.
So here's how to put a real check in front of the tool call instead. I'll use Faramesh, the open source thing I've been building for exactly this. It's a local daemon that sits in front of your agent's tool calls and returns permit / deny / defer based on a policy you write. No LLM in the decision path, so the same call always gets the same answer.
The whole thing takes about 10 minutes. Every command below is copy-pasteable. I'll be clear about the one or two spots where you swap in your own stuff.
How it works in one picture
Your agent tries to run a tool. Before it actually runs, the call hits Faramesh, which checks it against your policy:
- permit -> runs normally
- deny -> blocked, the agent never gets to run it
-
defer -> paused and sent to a human to approve or reject
You write that policy in a single file called
governance.fms. That file is the heart of Faramesh. It's the one place that defines what your agents are allowed to do, you commit it to your repo like any other code, and the daemon enforces whatever's in it.
Step 1: install
curl -fsSL https://install.faramesh.dev/install.sh | bash
faramesh --version
If faramesh --version prints a version number, you're good.
Step 2: let it generate your governance.fms
From the root of your agent project, run:
faramesh init
This detects your framework and the tools your agent uses, and writes a starter governance.fms for you. You don't have to write it from scratch. Open it up and it'll look something like this:
runtime {
mode = "enforce"
wal_dir = "./wal"
}
agent "langgraph-agent" {
default deny
rules {
permit http/get
permit crm/read
defer payment/refund reason: "refund needs a human"
deny billing/delete_account
}
}
Here's how to read that, because this is the part that actually matters:
-
mode = "enforce"means decisions are live. (There's also a shadow mode if you just want to watch what would happen first, more on that at the end.) -
default denymeans anything you don't explicitly allow is blocked. So a tool you forgot about can't quietly slip through. This is the safe default and I'd leave it. - Each line under
rulesis a decision.permitlets it run,denyblocks it outright,deferpauses it for a human. This is the file you edit. The tool names (http/get,payment/refund, etc.) match the names of your actual tools, so swap these for whatever your agent actually does. The rule of thumb:permitthe safe reads,deferanything risky or irreversible (payments, deletes, external emails),denythe stuff that should never happen automatically.
Step 3: name your tools to match
Faramesh checks tool calls by name, so your LangGraph tools just need names that line up with your policy scopes. In LangChain/LangGraph that's the first argument to @tool:
from langchain_core.tools import tool
@tool("http/get")
def http_get(url: str) -> str:
return fetch(url)
@tool("payment/refund")
def payment_refund(amount: int) -> str:
return issue_refund(amount)
So @tool("payment/refund") is the thing the defer payment/refund line in your policy is talking about. Keep the names consistent and you're done here.
Step 4: turn on interception
Add these two lines near the top of your agent script, before you build your graph:
from faramesh.adapters.langchain import install_langchain_interceptor
install_langchain_interceptor(include_langgraph=True, fail_open=False)
That's the whole integration. You don't rewrite your ToolNode and you don't wrap every tool by hand, it patches LangGraph's execution path so every tool call gets checked.
One flag to understand: fail_open=False. It means if the daemon ever errors or can't reach a decision, the call is denied, not waved through. You want enforcement to fail closed, if something breaks, the safe move is to not run the action.
Step 5: run it
Run your agent under governance with dev, which enforces your policy locally while you're still testing:
faramesh dev
Then run your agent as you normally would (in another terminal or however you launch it). Every tool call now routes through Faramesh.
When you're happy with how it behaves and want full enforcement, switch on:
faramesh apply
faramesh apply compiles your governance.fms and starts the daemon in full enforce mode.
Now watch what happens. When your agent calls http/get, it just runs. When it calls payment/refund, it doesn't, it pauses and waits, because you set that to defer. You'll get a pending approval. List and resolve it like this:
faramesh approvals list
faramesh approvals approve <id> # or: faramesh approvals deny <id>
Approve, and the original call resolves and runs. Deny, and it never happens. Either way the call, the decision, and the reason all land in an audit log you can read back later with faramesh explain <action-id>.
If you want to test before you enforce
Flipping straight to enforce on a live agent is nerve-wracking, so you don't have to. Set the runtime to shadow mode (or run faramesh dev) and Faramesh will log what it would have blocked or deferred without actually stopping anything. You watch the decisions against real traffic, tune your rules until they're right, then switch to enforce. Way less scary than guessing.
Why deterministic, instead of "ask another LLM"
There's a popular pattern where you put a second LLM in front of the first one to judge whether an action is safe. I think that's the wrong bet for enforcement. The thing you're worried about is your agent getting manipulated into a bad action. If your guard is also an LLM, it can be manipulated too. You're using a promptable thing to protect a promptable thing.
A rule engine doesn't have that problem. deny billing/delete_account means the account does not get deleted. Same input, same answer, every time, and you can hand the log to an auditor without shrugging. The agent doesn't get the final say on what it's allowed to do, which, once it's touching real systems, is sort of the entire point.
Repo's here if you want to try it or dig into how it works: github.com/faramesh/faramesh-core. It works with a bunch of other frameworks too (LangChain, CrewAI, AutoGen, MCP, others), LangGraph's just what I used here. If you try it and something's confusing or broken, I'd love to hear it, that feedback is what's making it better right now :)
Top comments (3)
This is a well-written and practical article that addresses one of the biggest gaps in many LLM agent implementations: the misconception that prompt instructions alone constitute security. The walkthrough is clear, the examples are realistic, and the step-by step integration makes it easy for developers to evaluate the approach.
One aspect I particularly appreciate is the emphasis on deterministic policy enforcement. Separating governance from the LLM's reasoning process is an important architectural decision, especially for production systems where tools can perform irreversible actions such as financial transactions, infrastructure changes, or customer data operations. Adopting a default-deny model and supporting human approval workflows are both strong security practices.
That said, there are a few areas where the article could be strengthened.
First, the discussion focuses almost entirely on tool-level authorization. In production environments, policy decisions often depend on runtime context rather than only the tool name. Factors such as user identity, authentication level, tenant, resource ownership, execution environment, request origin, and time-based restrictions are frequently required to make correct authorization decisions. Demonstrating attribute-based or context-aware policies would provide a more complete picture.
Second, the examples illustrate policy enforcement but don't explore policy composition or conflict resolution. As systems grow, organizations typically need layered policies (global, application, team, and environment-specific). Explaining how Faramesh handles policy precedence, inheritance, and overrides would help readers understand its scalability.
Third, while deterministic enforcement is an excellent choice for authorization, there is an opportunity to clarify that deterministic rules and LLM-based evaluation solve different problems. Rule engines excel at making consistent permit/deny decisions, whereas LLMs remain valuable for tasks such as semantic risk analysis, anomaly detection, sensitive content classification, or generating explanations. A hybrid architecture using deterministic enforcement for final authorization while leveraging LLMs for advisory analysis can often provide the strongest overall security posture.
I'd also be interested in seeing additional discussion around operational concerns, such as performance overhead, concurrent approval workflows, distributed deployments, policy versioning, rollback strategies, high availability configurations, and integration with existing observability platforms. These topics become increasingly important as organizations move from proof-of-concept deployments to production environments.
Overall, this is a thoughtful introduction to policy enforcement for AI agents. It highlights an issue that many teams overlook and proposes a practical solution that aligns with established security principles. Expanding the discussion to cover context-aware authorization, enterprise policy management, and production-scale operations would make an already strong article even more valuable for practitioners building secure agentic systems.
I appreciate your comment here, and yeah I actually agree with a lot of it.
I kept the post pretty simple on purpose, mostly just the basic LangGraph/tool-call flow. The context-aware rules, policy layering, precedence, rollout/rollback stuff, etc. is where it gets more interesting, but that probably needs its own post instead of cramming it into this one.
On the LLM point, I think we’re very very close. I’m not against using LLMs for risk signals, classification, anomaly detection, explanations, all that. I just don’t think putting one in charge of the final “does this tool call run?” decision is not a great solution by any means. That part has to stay deterministic.
I appreciate the thoughtful read, super helpful!
Thank you
Great points, and I completely agree with your approach. Keeping the final execution decision deterministic seems like the safest and most reliable design choice, while using LLMs for classification, risk assessment, and explanations provides the benefits of AI without sacrificing control.
I also think keeping this post focused on the core LangGraph and tool-calling flow was the right decision. The topics you mentioned policy layering, precedence handling, and rollback strategies are substantial enough to deserve their own dedicated discussion.
Looking forward to reading that follow-up post.