2,000+

companies in production

constraint layers

$0.16

per minute, AI processing

< 1.2s

typical AI response latency

Production failures that guardrails cannot prevent

The pizza problem: an AI agent had a pizza ordering flow with good prompts, correct tools, and the right menu. The model decided, unprompted, that several items were sold out. Nothing was sold out. No signal told it that. The model inferred it. It did not crash or say anything offensive. It quietly, confidently lied about product availability.

The Air Canada problem: a chatbot hallucinated a bereavement fare policy. A customer relied on it. A tribunal forced the airline to honor a fare that never existed. Cost: the refund plus regulatory attention plus brand damage.

The PCI problem: a voice agent repeats a credit card number back to the caller "for confirmation." At scale, that is a PCI violation on every concurrent call simultaneously. Card numbers spoken aloud on recorded lines.

These failures share a root cause: the model had access to information and capabilities it should not have had. Guardrails attempt to detect and block damage after the model has already made the decision.

Two approaches to AI safety

Prompt and Pray

✗ Give the model broad access to all tools and data
✗ Write detailed prompt instructions to constrain behavior
✗ Add a guardrail layer to intercept violations after the fact
✗ Hope the model follows the rules at scale
✗ A jailbroken model can access everything

Governed Inference

✓ The model sees only the tools for the current step
✓ Transitions enforced by a deterministic state machine
✓ Business logic lives in your code, not in prompts
✓ The model does not know other tools or steps exist
✓ A jailbroken step can only access that step's tools

Build a Voice AI Agent

from signalwire_agents import AgentBase
from signalwire_agents.core.function_result import SwaigFunctionResult

class SupportAgent(AgentBase):
    def __init__(self):
        super().__init__(name="Support Agent", route="/support")
        self.prompt_add_section("Instructions",
            body="You are a customer support agent. "
                 "Greet the caller and resolve their issue.")
        self.add_language("English", "en-US", "rime.spore:mistv2")

    @AgentBase.tool(name="check_order")
    def check_order(self, order_id: str):
        """Check the status of a customer order.

        Args:
            order_id: The order ID to look up
        """
        return SwaigFunctionResult(f"Order {order_id}: shipped, ETA April 2nd")

agent = SupportAgent()
agent.run()

import { AgentBase, FunctionResult } from '@signalwire/sdk';

const agent = new AgentBase({
  name: 'Support Agent',
  route: '/support',
});

agent.promptAddSection('Instructions',
  'You are a customer support agent. Greet the caller and resolve their issue.');

agent.addLanguage({ name: 'English', code: 'en-US', voice: 'rime.spore:mistv2' });

agent.defineTool({
  name: 'check_order',
  description: 'Check the status of a customer order',
  parameters: {
    type: 'object',
    properties: {
      order_id: { type: 'string', description: 'The order ID to look up' },
    },
    required: ['order_id'],
  },
  handler: (args) => {
    return new FunctionResult(`Order ${args.order_id}: shipped, ETA April 2nd`);
  },
});

agent.run();

package main

import (
	"fmt"

	"github.com/signalwire/signalwire-go/pkg/agent"
	"github.com/signalwire/signalwire-go/pkg/swaig"
)

func main() {
	a := agent.NewAgentBase(
		agent.WithName("Support Agent"),
		agent.WithRoute("/support"),
	)

	a.PromptAddSection("Instructions",
		"You are a customer support agent. Greet the caller and resolve their issue.")

	a.AddLanguage(map[string]any{
		"name": "English", "code": "en-US", "voice": "rime.spore:mistv2",
	})

	a.DefineTool(agent.ToolDefinition{
		Name:        "check_order",
		Description: "Check the status of a customer order",
		Parameters: map[string]any{
			"type": "object",
			"properties": map[string]any{
				"order_id": map[string]any{
					"type": "string", "description": "The order ID to look up",
				},
			},
			"required": []string{"order_id"},
		},
		Handler: func(args map[string]any, rawData map[string]any) *swaig.FunctionResult {
			orderID := args["order_id"]
			return swaig.NewFunctionResult(
				fmt.Sprintf("Order %v: shipped, ETA April 2nd", orderID),
			)
		},
	})

	a.Run()
}

import com.signalwire.sdk.agent.AgentBase;
import com.signalwire.sdk.swaig.FunctionResult;

import java.util.List;
import java.util.Map;

public class SupportAgent {
    public static void main(String[] args) throws Exception {
        var agent = AgentBase.builder()
                .name("Support Agent")
                .route("/support")
                .build();

        agent.promptAddSection("Instructions",
                "You are a customer support agent. "
              + "Greet the caller and resolve their issue.");

        agent.addLanguage("English", "en-US", "rime.spore:mistv2");

        agent.defineTool(
                "check_order",
                "Check the status of a customer order",
                Map.of("type", "object",
                       "properties", Map.of(
                           "order_id", Map.of(
                               "type", "string",
                               "description", "The order ID to look up")),
                       "required", List.of("order_id")),
                (toolArgs, rawData) -> {
                    var orderId = toolArgs.get("order_id");
                    return new FunctionResult(
                        "Order " + orderId + ": shipped, ETA April 2nd");
                }
        );

        agent.run();
    }
}

# frozen_string_literal: true

require 'signalwire'

agent = SignalWire::AgentBase.new(name: 'Support Agent', route: '/support')

agent.prompt_add_section('Instructions',
  'You are a customer support agent. Greet the caller and resolve their issue.')

agent.add_language(name: 'English', code: 'en-US', voice: 'rime.spore:mistv2')

agent.define_tool(
  name:        'check_order',
  description: 'Check the status of a customer order',
  parameters:  {
    'order_id' => { 'type' => 'string', 'description' => 'The order ID to look up' }
  }
) do |args, _raw|
  SignalWire::Swaig::FunctionResult.new(
    "Order #{args['order_id']}: shipped, ETA April 2nd"
  )
end

agent.run

<?php
require 'vendor/autoload.php';

use SignalWire\Agent\AgentBase;
use SignalWire\SWAIG\FunctionResult;

$agent = new AgentBase(['name' => 'Support Agent', 'route' => '/support']);

$agent->promptAddSection('Instructions',
    'You are a customer support agent. Greet the caller and resolve their issue.');

$agent->addLanguage('English', 'en-US', 'rime.spore:mistv2');

$agent->defineTool(
    name: 'check_order',
    description: 'Check the status of a customer order',
    parameters: [
        'order_id' => ['type' => 'string', 'description' => 'The order ID to look up'],
    ],
    handler: function (array $args): FunctionResult {
        return new FunctionResult("Order {$args['order_id']}: shipped, ETA April 2nd");
    }
);

$agent->run();

#!/usr/bin/env perl
use strict;
use warnings;
use lib 'lib';
use SignalWire::Agent::AgentBase;
use SignalWire::SWAIG::FunctionResult;

my $agent = SignalWire::Agent::AgentBase->new(
    name  => 'Support Agent',
    route => '/support',
);

$agent->prompt_add_section('Instructions',
    'You are a customer support agent. Greet the caller and resolve their issue.');

$agent->add_language(name => 'English', code => 'en-US', voice => 'rime.spore:mistv2');

$agent->define_tool(
    name        => 'check_order',
    description => 'Check the status of a customer order',
    parameters  => {
        order_id => { type => 'string', description => 'The order ID to look up' },
    },
    handler => sub {
        my ($args, $raw) = @_;
        return SignalWire::SWAIG::FunctionResult->new(
            response => "Order $args->{order_id}: shipped, ETA April 2nd"
        );
    },
);

$agent->run;

#include <signalwire/agent/agent_base.hpp>

using namespace signalwire;
using json = nlohmann::json;

class SupportAgent : public agent::AgentBase {
public:
    SupportAgent() : AgentBase("Support Agent", "/support") {
        prompt_add_section("Instructions",
            "You are a customer support agent. "
            "Greet the caller and resolve their issue.");

        add_language({"English", "en-US", "rime.spore:mistv2"});

        define_tool({
            .name = "check_order",
            .description = "Check the status of a customer order",
            .parameters = {
                {"order_id", {{"type", "string"},
                              {"description", "The order ID to look up"}}}
            },
            .handler = [](const json& args, const json&) {
                auto order_id = args.value("order_id", "unknown");
                return swaig::FunctionResult(
                    "Order " + order_id + ": shipped, ETA April 2nd");
            }
        });
    }
};

int main() {
    SupportAgent().run();
}

using SignalWire.Agent;
using SignalWire.SWAIG;

var agent = new AgentBase(new AgentOptions { Name = "Support Agent", Route = "/support" });

agent.PromptAddSection("Instructions",
    "You are a customer support agent. Greet the caller and resolve their issue.");

agent.AddLanguage("English", "en-US", "rime.spore:mistv2");

agent.DefineTool("check_order", "Check the status of a customer order",
    new { type = "object", properties = new {
        order_id = new { type = "string", description = "The order ID to look up" }
    }, required = new[] { "order_id" } },
    (args, rawData) =>
    {
        var orderId = args.TryGetValue("order_id", out var id) ? id : "unknown";
        return new FunctionResult($"Order {orderId}: shipped, ETA April 2nd");
    });

agent.Run();

The four constraint layers

Prompt scope (semantic)

Describe role and behavior at each step. "You are a scheduling assistant. Do not discuss pricing." Useful for guidance, but unreliable as the only enforcement. This is all that "prompt and pray" provides.

Tool scope (schema)

At each step, the model sees only the tools registered for that step. The model in "collect_info" cannot book appointments, not because it was told not to, but because the booking tool does not exist in its reality.

Transition scope (state machine)

Each step defines which steps it can transition to. The platform validates every transition against the allowed set. The conversation follows a deterministic path the model cannot override.

Execution authority (deterministic code)

When the model calls a tool, it is making a request. Your code handles the request, accesses authoritative data, applies business logic, and returns a structured result. The model does not execute actions. Your backend does.

💡

The model handles language, your code handles truth. Do not show the AI tools that do not belong to the current step. Reduce the model's world until its only job is understanding what the human said and choosing which available tool to call.

A data layer the model never sees

SignalWire provides a hidden data layer that passes information to your tool handlers without it appearing in the AI model's context window. Your handlers receive this data on every call. The model never sees it. It cannot leak what it does not have.

Consider a payment flow. Without a hidden data layer, you either pass card details through the AI context (PCI violation, the model could repeat them) or build a separate out-of-band channel (engineering complexity). With the hidden data layer, the payment session ID travels to your tool handler without entering the model's context. Your handler charges the card. The model says "Your payment has been processed" without ever knowing the card number, amount, or payment method.

Governed inference vs. prompt and pray

Concern	Prompt and Pray	Governed Inference
Tool access	Model sees all tools	Model sees only current step's tools
Data exposure	Everything in the prompt	Only what the current step requires
State transitions	Model decides flow	Platform enforces allowed transitions
Business logic	Prompt instructions	Deterministic code
Failure mode	Quiet, confident fabrication	Structural impossibility
Jailbreak blast radius	Full system access	One step's tools only
Audit trail	Hope the logs capture it	Every step, tool, and transition logged
Scaling risk	More calls = more hallucination surface	More calls = same governance

Compliance coverage

PCI: card data isolation

Card data never enters the AI context via the hidden data layer. Tool handlers process payments in your PCI-compliant backend. The model cannot repeat what it does not have.

HIPAA: protected health information scoping

Patient identifiers scoped to specific steps via the hidden data layer. Step-level isolation prevents information leakage between conversation phases.

TCPA: consent tracking

Consent tracking via deterministic tool handlers. Call disposition logging native to the platform. Opt-out handling enforced in code, not prompts.

SOC 2: single audit surface

One vendor, one data flow, one audit surface. Structured event stream for every interaction. Deterministic state machine provides reproducible behavior for auditors.

Governance scales with risk

FAQ agent (light governance)

Single step, a few tools. Adequate for low-risk informational interactions where hallucination risk is limited.

Scheduling agent (moderate governance)

Multi-step, scoped tools, enforced transitions. Appropriate for workflows that modify state in external systems.

Payment flow (maximum governance)

Strict transitions, hidden data layer for card details, no-exit terminal steps, full audit trail. Required for operations involving sensitive data.

FAQ

How is this different from adding a guardrail layer?

Guardrails intercept violations after the model has already made a decision. Governed inference means the model never encounters the information or tools it should not have. There is nothing to intercept because the violation is structurally impossible.

Can a jailbroken prompt escape the step constraints?

No. The step constraints are enforced by the platform, not by the prompt. Even if the model is manipulated into ignoring its instructions, it can only access the tools registered for the current step. It cannot discover or call tools from other steps.

Does the hidden data layer work with any LLM provider?

Yes. The hidden data layer is a platform feature, not a model feature. It works the same way regardless of which LLM provider you use.

How do I audit what the AI could access at each step?

Each step definition declares its tools and transitions. You can diff two versions of an agent to see exactly what changed. Every tool call, every transition, and every state change is logged with a structured event stream.