Learn / Agentic on-ramp

Deterministic guardrails, agent judgment, and where the rules should live

The consensus on deterministic versus agentic workflows is already settled: use both, deterministic guardrails around agent judgment. The unanswered question is where the deterministic half should live. Not scattered across code, not buried in prompts, but in a governed process record the agent reads from.

Almost every serious piece on this topic lands in the same place, and it is the right place. A deterministic workflow is predictable and provable but rigid: it cannot handle the case nobody scripted. An agentic workflow is flexible but hard to constrain: it can wander exactly where you most need it not to. So you combine them. You give the agent judgment where the work genuinely varies, and you wrap it in deterministic rules where variation is not allowed. That much is settled, and this article takes it as given rather than relitigating it.

The problem is that the consensus stops one question short. Everyone agrees you need deterministic guardrails. Almost nobody says where those guardrails should live. And that omission is where good architectures quietly go wrong, because the two default homes for the deterministic half are both bad.

The two places rules go by default, and why both fail

Scattered across application code. The instinctive move is to encode the rules where the agent is wired up: a validation here, a required-approval check there, a guard clause in the function that calls the model. It works at first. Then the rules multiply, they live only where engineering can see them, and they start to drift out of sync with the operation they were supposed to enforce. The quality lead who owns the process cannot read the code, cannot tell whether the enforced rule matches the current SOP, and cannot change it without a ticket. The guardrail exists, but nobody who is accountable for it can see it or prove it.

Buried in the prompt. The other instinct is to write the rules into the agent's instructions. "Always require sign-off before releasing. Never accept the shipment if the check fails." This feels natural because the prompt is right there, but it is the worst home a rule can have. A prompt is not versioned in any form an auditor accepts. It has no owner. It mixes the hard constraint in with tone, examples, and phrasing, so the rule is invisible inside a wall of text. And anyone who can edit the prompt can silently weaken the rule, with no review and no trace. A guardrail you cannot govern is not a guardrail. It is a suggestion.

The reframe: the deterministic half of a hybrid workflow is not implementation detail to bury next to the agent. It is the governed process, and it deserves a home that treats it that way: one place, owned, versioned, under sign-off, and readable by the agent rather than reimplemented inside it.

Where the deterministic half should live

The rules belong in a process record that sits above both the code and the prompt, and that the agent reads from at run time. Concretely, that record holds the deterministic half as first-class content: the decision points and the conditions that resolve them, the checks that must pass, the approvals required, the named owners, and the scenario branches that decide which of those apply to the case. It is versioned and under sign-off, so a change to a guardrail is a governed event with an audit trail, not a quiet prompt edit. And it is exposed over an interface, so the agent queries the current process and acts inside it instead of carrying a private copy of the rules that drifts.

This gives you a clean division of labor. The deterministic part lives in the process record: the guardrails, stated once, governed, and provable. The agentic part lives in the model: the judgment, exercised inside the route the process resolved. The agent is not guessing at the constraints and it is not enforcing them from memory. It reads them from the one place that owns them, the same place a human would read them from, and every step it takes is attributable to a version you approved. That is the practical shape of a process record an agent can read, and the layer that holds it is a process system of record.

Why this is the missing half of the consensus

The hybrid answer is not wrong, it is just incomplete in a way that matters. Saying "deterministic guardrails plus agent judgment" without saying where the guardrails live is like specifying that a building needs a foundation without saying it should be under the building. The guardrails end up smeared across code and prompts, two layers that cannot version, cannot show an owner, and cannot answer an auditor. Then the hybrid workflow that looked correct on a slide fails the moment someone asks to see the rule, prove it was in force, or change it under control.

Put the deterministic half in a governed process record and the whole hybrid holds together. The scenario branches decide which guardrails apply, so the determinism is scenario-aware rather than a single rigid path. The agent brings judgment inside those guardrails. And if you are wondering why this matters enough to get right, it is the same reason so many agent projects stall in the first place: read why AI agents fail on the process layer, and if you are also handing the agent SOPs, why those SOPs are usually not agent-ready.

Common questions

What is the difference between deterministic and agentic workflows?

A deterministic workflow runs a fixed path: the same inputs always produce the same steps, in the same order, with no room for interpretation. An agentic workflow lets a model decide what to do next based on the situation, so it can handle cases nobody scripted in advance. Deterministic is predictable but rigid. Agentic is flexible but harder to constrain and prove. The interesting question is not which one wins. It is how to combine them so the agent has judgment where you want it and none where you do not.

Should I use a deterministic or an agentic workflow?

Almost always both, which is the consensus answer. Use deterministic rules for the parts that must not vary: the checks that have to pass, the approvals required, the steps a regulator expects to see every time. Use agent judgment for the parts that genuinely depend on the case and cannot be fully scripted. The real design decision is not the split itself, which most people agree on. It is where the deterministic half lives, because that determines whether your guardrails are governable or scattered.

Where should the deterministic rules actually live?

Not scattered across application code, where only engineering can see or change them and a rule can drift out of sync with the operation. Not buried in prompts, where they are invisible, unversioned, and quietly editable by anyone who touches the prompt. They should live in a governed process record: one place that owns the decision points, scenarios, owners, and required checks, is versioned and under sign-off, and is readable by the agent over an interface. Then the guardrails are one thing you can point to, prove, and change under control, rather than logic smeared across two layers that were never meant to hold it.

Why not just put the rules in the prompt?

Because a prompt is the worst place to keep a rule you need to govern. It is not versioned in a way an auditor accepts, it has no owner, it mixes the constraint in with instructions and tone, and anyone can change it without review or trace. The moment a deterministic rule matters enough to enforce, it matters enough to govern, and a prompt cannot govern anything. Keep the rule in a process record the agent reads, and let the prompt point at it rather than contain it.

Give your guardrails a governed home.

Bring one process you want an agent to run to a 30-minute pilot session. Leave with the deterministic half living in FLOW: owned, versioned, scenario-aware, and readable by the agent.

Book a pilot →