Docs/00 foundations/02 the harness principle

The Harness Principle

The LLM is one component. The harness is the product.


Purpose

Every production AI system requires a deterministic wrapper around the model. This wrapper — the harness — is what separates a demo from a product. The harness validates, authorizes, executes, and logs every action the model proposes.


Why

LLMs are probabilistic. They produce the statistically likely next token, not the guaranteed correct action. Without a harness:

  • Invalid outputs reach users
  • Unauthorized operations execute
  • Failures produce no audit trail
  • Cost spirals without enforcement
  • Security boundaries exist only in the system prompt (trivially bypassable)

The harness moves these guarantees from the model layer (probabilistic) to the code layer (deterministic).


The Standard Harness Architecture


The Seven Harness Components

1. Input Validation

Treat all user input as untrusted. Validate types, lengths, allowed characters, and injection patterns before passing to the model.

What to validate:

  • Input length (prevent context stuffing attacks)
  • Allowed characters and encoding
  • Prompt injection patterns (Ignore previous instructions...)
  • Business logic bounds (user can only query their own data)

2. Authorization Check

The model cannot enforce authorization — it doesn't know who the user is. The harness does.

Pattern: Resolve user identity and permissions before context assembly. Never pass authorization decisions to the model.

3. Context Assembly

Deterministically construct the context window. The model receives only what it's authorized to see.

Pattern: Pull context from structured sources (databases, vector stores) with explicit permission filtering — never from raw user input alone.

4. Output Schema Validation

Enforce a strict schema on model output. Use Pydantic (Python), Zod (TypeScript), or structured output APIs.

# Correct: Enforce schema
from pydantic import BaseModel
class AgentAction(BaseModel):
    action: Literal["search", "create", "update", "delete"]
    target: str
    parameters: dict[str, str]

response = client.beta.chat.completions.parse(
    model="gpt-4o",
    response_format=AgentAction,
    messages=[...]
)
# Wrong: Trust model output as-is
raw_output = response.choices[0].message.content
eval(raw_output)  # ← Never do this

5. Safety Filter

Apply rule-based safety checks on validated output. These are deterministic — they do not delegate safety decisions to another model.

Pattern: Maintain a blocklist of forbidden operations, patterns, and targets. Apply before execution.

6. Tool Execution Gate

For agentic systems, require explicit approval for high-impact operations. Never let the model directly execute writes, deletions, or external calls without a gate.

Tiered approach:

  • Tier 1 (auto-approve): Read-only operations
  • Tier 2 (log + execute): Reversible writes
  • Tier 3 (human approval): Irreversible or high-impact operations

7. Audit Logging

Log every harness decision — not just final actions. This is non-negotiable for enterprise deployments.

Minimum log payload:

{
  "timestamp": "ISO8601",
  "session_id": "uuid",
  "user_id": "string",
  "input_hash": "sha256",
  "model": "provider/model-version",
  "tokens_used": { "input": 0, "output": 0, "cost_usd": 0.0 },
  "action_proposed": "string",
  "action_approved": true,
  "execution_result": "string",
  "latency_ms": 0
}

Tradeoffs

Benefit Cost
Reliability and predictability Additional latency (validation layers)
Auditability and compliance Engineering complexity
Security enforcement More code to maintain
Cost control Upfront design time

The tradeoffs are non-negotiable for production. A system without a harness is a demo, not a product.


Anti-Patterns

❌ Security through system prompt

# Wrong
system: "Never access files outside /data directory"

# Right
harness: validate_path(tool_input.path, allowed_prefix="/data")

System prompts are instructions to a probabilistic model. They are not access controls.

❌ Trusting structured output because you asked for JSON

The model can return invalid JSON, valid JSON with wrong schema, or valid JSON with harmful content. Validate all three.

❌ The "smart model" exception

"This model is too smart to need guardrails." This statement predicts a future incident with high confidence. All models hallucinate. All models can be manipulated. The harness exists for the times they are.


Enterprise Considerations

  • EU AI Act Article 9: Requires risk management systems for high-risk AI — the harness IS the risk management system. Document each component.
  • SOC 2 / ISO 27001: Audit logging (component 7) is mandatory. Ensure logs are tamper-evident and retained per your compliance period.
  • Financial services: Tier 3 approvals must be human-in-the-loop for regulated operations. No exceptions.
  • Healthcare (HIPAA): Input validation must prevent PHI from entering model context unless explicitly authorized and logged.

Checklist

  • Input validation rejects prompt injection patterns
  • Authorization resolved before context assembly
  • Context filtered by user permissions
  • Output validated against strict schema
  • Safety filter applied before execution
  • Tool execution gate enforced by tier
  • Every harness decision logged with minimum payload
  • Logs are immutable and retained per compliance requirement