Guardrails vs Guidelines
In the rush to integrate generative AI into the software development lifecycle, engineering teams frequently confuse two distinct operational concepts: guardrails and guidelines. To put it simply, a guideline advises: it's soft natural-language context, like an AGENTS.md or Skills file, that the model may or may not act on. A guardrail gates: it's a firm, automated constraint that forces an explicit, binary pass/fail and blocks on failure. Relying on soft guidelines for critical validation is why automated code reviews are risky. They're non-deterministic and quietly ignored.
To manage security effectively with AI, teams must look past the underlying foundation model (e.g. Mythos, Opus, GPT-5.5) and focus on the coding harness (e.g. Cursor, CI/CD wrappers, Copilot). It is within the architecture of the harness that the division between soft guidance and hard enforcement is ultimately determined.
A Very Short History of AI Guidance
AI coding tools like Cursor & Claude have already been through 3 different iterations on how to effectively provide guidance on the large language models that they drive.
The OG - Rule Files
Project-scoped configuration and instructions have been around for a long time (think the likes of .editorconfig and .eslintrc). Cursor took this idea and applied to AI coding by allowing you to craft markdown instructions that it would automatically inject into the chat thread (context window) with your AI agent. Globs like src/controllers/** at the top of the rule would allow you to control when instructions were injected.
Proliferation & Consolidation to AGENTS.md
Many AI coding tools shipped their own flavour of these rules files. This resulted in repositories that contained .cursorrules, .github/copilot-instructions.md, GEMINI.md, CONVENTIONS.md, CLAUDE.md files to accommodate all of the different tools being used to develop the codebase. This was difficult to manage because most of these formats had no way to reference shared content (a feature like Claude Code's @README.md imports), so content was duplicated across files and maintenance was a nightmare.
AGENTS.md was born out of this chaos and quickly gained support from most frontier labs that published coding harnesses. Along with this came the ability to nest AGENTS.md files in subdirectories for localized agent context.
The Skills Paradigm Shift (Late 2025)
A side-effect of all of these ways of automatically injecting context into an AI coding agent was that context windows could quickly become polluted with "always on" context that was not necessarily relevant for the task at hand.
To combat the constant prompt stuffing of always-on markdown files, the industry shifted toward on-demand "skills." Instead of flooding the context window continuously, a skill operates on progressive disclosure. It only loads domain-specific guidance, or even executable code blocks, exactly when a task requires it, such as triggering an on-demand debugging or validation routine.
The Fragility of Soft Guidelines
Traditional AI steering relies heavily on context injection mechanisms. As we explored above, this practice began with basic rules files, evolved into repository-wide markdown files, and recently shifted to on-demand "skills" files that load context progressively.
While these tools excel at providing situational business logic, they possess severe architectural limits:
- Maintenance overhead: Repository-level agent files are notoriously difficult to keep updated, forcing the AI to reason using obsolete parameters.
- The context trap: Shoving exhaustive rule sets into a prompt rapidly exhausts the model's reliability.
Modern context windows boast massive token limits, but that headline number is mostly marketing. A model's effective context, the span it can actually recall and act on, is far smaller. It's often less than half of what's advertised. Picture a small smart zone wrapped in a much larger dumb zone. As you fill the window, the model's ability to recall and honor your rules falls off a cliff, and anything buried in the middle gets the worst treatment of all. The decline is gradual rather than a single hard cutoff, but the practical result is the same: the model quietly stops paying attention to your rules.
Impact on Compliance & Security
The real impact of all of these steering mechanisms is that context gets utilised and filled in unpredictable ways. Every AI coding tool has slightly different mechanics, but the result is the same: your context window is flooded automatically with instructions the LLM is expected to honour.
Testing reveals that standard natural-language instructions suffer from a severe compliance deficit, achieving a compliance rate of only 25% to 50%. That means if you have 100 rules (or things you care about) across all your AGENTS.md files, chances are more than half will get ignored, simply because the LLM cannot pay attention to all of them at once.
Surviving the Tower of Logic
This low compliance rate is exactly why leaning on soft advice gets dangerous as automated code generation explodes. We're now up against what I call a tower of logic: a hundred lines of developer prompting expand into a thousand-line plan, which lands as a three-thousand-line pull request. Each layer amplifies the one beneath it, so the human input stays tiny while the code that needs reviewing balloons. Now multiply that by the sheer number of PRs AI lets each developer open, and the review burden stops being something a human team can keep up with.
This is what guardrails are for. Instead of asking one overloaded model to honor a hundred soft rules while it reviews a three-thousand-line PR, you decompose the problem into thousands of granular, inexpensive checks, each one a deterministic guardrail forcing a strict yes-or-no compliance decision. The model never has to "remember" the rule, because the rule is enforced outside its context window. That is the difference between advice the model may ignore and a constraint it cannot.
Written by Simon Harloff.
