Bohea

Governing AI agents that touch money: the agent proposes, it never executes 让碰钱的 AI Agent 受治理:agent 只提议,永不执行

One rule holds the whole design up: the agent can propose, it can never act on anything material. Every write — a payment, a journal entry, an account change — leaves the model's reach and passes through an authorization service the model cannot author or bypass, and then a human with the right role. Governance built as architecture, not as a carefully worded prompt. 整套设计靠一条铁律撑起来:agent 可以提议,但永远不能对任何有物质后果的东西动手。每一个写操作——一笔付款、一条记账、一次账户变更——都离开模型可及范围,过一个模型无法编写、也无法绕过的授权服务,再过一个有对应角色的人。治理是当架构来建,不是靠一段措辞讲究的提示词。

Agent GovernanceAgent 治理MCPLeast Privilege最小权限Stripe / Escrow

Why "just prompt it carefully" fails为什么"把提示词写仔细点"注定失败

If the model holds a tool that can move money, then the safety of your money depends on the model's judgment on every single call — including the calls where a retrieved email, a poisoned document, or an ambiguous instruction pushed it somewhere you didn't intend. A prompt is a request for good behavior. It is not an enforcement boundary. The moment a material action is reachable from inside the model's tool surface, you've made the model your last line of defense — and the model is precisely the part you can't fully predict. 如果模型手里握着一个能动钱的工具,那你钱的安全就取决于模型在每一次调用上的判断——包括那些被检索到的邮件、被投毒的文档、或一句有歧义的指令带偏的调用。提示词是一种"请你表现良好"的请求,它不是一道强制边界。一旦某个有物质后果的动作能从模型的工具面里够得着,你就把模型变成了最后一道防线——而模型恰恰是你没法完全预测的那部分。

So the fix isn't a better prompt. It's to make the dangerous action unreachable from where the model lives. 所以解法不是更好的提示词,而是让危险动作从模型所在的地方根本够不着

The one rule, and how each guarantee is enforced那一条铁律,以及每条保证怎么被强制

The agent reads from least-privilege, read-only sources and drafts a proposed action. That proposal — never a direct write — is all it can emit. Everything that matters is enforced in a layer the agent has no tool to reach: agent 从最小权限、只读的数据源读取,起草一个"提议的动作"。它能吐出的只有这个提议——绝不是一次直接写入。所有要紧的事,都强制在一个 agent 没有任何工具能触达的层里:

A worked example: where money actually escapes an escrow flow一个实例:钱到底从一条托管支付流的哪里溜走

The same instinct — assume the dangerous path will be taken, and design so it's contained — is what separates an escrow flow that holds from one that quietly leaks. Two parties negotiate, they agree, a hold goes on the card. Drawn end to end, here are four places the money actually escapes, and the design answer for each: 同一种直觉——假设那条危险路径一定会被走到,并把它设计成可控——正是"守得住的托管支付流"和"悄悄漏钱的托管支付流"之间的分界。两方谈判、达成一致、卡上放一笔预授权。把它端到端画出来,以下是钱真正溜走的四个地方,以及每个的设计对策:

The through-line贯穿其中的那条线

Whether it's an accounting agent or a payment flow, the discipline is the same: keep the irreversible action out of reach of the part you can't fully trust, make every consequential number carry its source, give each integration only the access it needs, and assume the ugly path will be taken so you design for it up front. It's the same rule I apply on the industrial side — the safety-critical limit is re-checked on the controller, never trusted from the layer above. Governance you can bypass isn't governance. 无论是一个记账 agent 还是一条支付流,纪律都一样:把不可逆的动作,放在你没法完全信任的那部分够不着的地方;让每个有后果的数字都带着它的来源;只给每个集成它真正需要的那点权限;并假设最丑的那条路一定会被走到,于是提前为它做设计。这和我在工业侧用的是同一条规则——安全关键的限值在控制器侧重新核验,绝不从上层拿来就信。能被绕过的治理,不叫治理。

This is how I design these systems — the pattern comes from years of backend work and from building production LLM pipelines and MCP tool-calling systems where a wrong write has a real cost. 这就是我设计这类系统的方式——这套模式来自多年后端工作,以及构建那些"一次写错就有真实代价"的生产级 LLM 流水线与 MCP 工具调用系统的经历。

← All notes← 全部笔记