A boundary is not a boundary if the thing being constrained can reach across it. In-process middleware — the dominant pattern in agent frameworks today — shares memory with the agent it is supposedly governing. A prompt that can write Python can patch the middleware. A prompt that can write imports can import around it. A prompt that can call os.environ can disable the feature flag.
The post generalizes from the multimodal specifics of last week to the full governance question: what are the minimum structural properties of a boundary that holds?
Publishing April 22, 2026. Subscribe to the feed or follow the author on LinkedIn to be notified. All posts.