we run a browser agent that fills job application forms. after it clicks submit, a verifier reads the page to confirm the application actually landed, because "form filled" and "application received" are different claims.
to prevent double-submissions we gave the submit step a hard rule: click the submit button exactly once, never click anything else, budget of 3 actions. tight, safe, deterministic. felt responsible.
then we audited why some applies died exactly at the finish line. some ATS platforms open a confirmation dialog after you click submit: "are you sure? confirm submission." our agent stood in front of that dialog, forbidden by our own rule from clicking the one button that would finish the job, and timed out.
the safety rule was the bug.
the fix wasn't removing the guardrail. it was making it less deterministic: a confirm dialog on the same page is part of the same submit, a navigation to a new page is not, never click submit itself twice, and a slightly bigger step budget for what we didn't foresee.
the lesson we keep re-learning with agents: every hyper-specific rule you write is a bet that you've seen every case. on the open web you haven't. the rules that survive are about direction ("never resolve ambiguity toward claiming success"), not mechanics ("click exactly N times").
curious where others building agents draw this line. what's your boundary between guardrails and agency?