Use this when an LLM is influencing customer communications, approvals, operations, or any workflow where a wrong answer has real cost.
The short answer: do not treat safety as one line in the system prompt. Use layers: input checks, constrained output, deterministic rules, confidence routing, and human escalation.
What you will get in 10 minutes
- A simple layered safety model
- When to use confidence gating
- How to combine policy rules with human review
- The metrics that tell you whether the controls are working
Use this when
- The assistant can trigger actions or approvals
- You need policy consistency across teams or regions
- Risk is asymmetric, meaning one wrong answer is expensive
- You are relying on “be careful” instructions today
The 60-second answer
Use five layers:
- define allowed and disallowed actions
- constrain the output contract
- validate with deterministic checks
- gate by confidence or evidence sufficiency
- escalate to human review when needed
That gives you something more durable than prompt-only guardrails.
Layer 1: Policy definition
Start with explicit operational rules, not vague values statements.
Examples:
- “Never approve refunds above this amount”
- “Never answer legal interpretation questions without escalation”
- “Do not reveal internal account notes”
If the policy cannot be written clearly for a human reviewer, the model will not enforce it reliably either.
Layer 2: Constrained output
Use schemas, enums, and review flags instead of free-form text when the output drives a workflow.
Examples:
action = approve | deny | escalateneedsReview = true | falsepolicyReason = enum
This reduces the space where the model can improvise.
Layer 3: Deterministic checks
Anything that can be checked with code should be checked with code.
Examples:
- amount thresholds
- allowlists and blocklists
- required fields present
- region or account eligibility
The model should interpret messy inputs. Your application should enforce hard rules.
Layer 4: Confidence and evidence gating
Confidence gating is useful when the risk of a false positive is high.
Route to review when:
- the model lacks strong evidence
- the retrieved context conflicts
- the classification is low-confidence
- the task is novel or edge-case heavy
Do not use confidence bands as magic truth scores. Treat them as routing signals that must be calibrated against real examples.
Layer 5: Human review and auditability
Review is part of the safety system, not a fallback for poor design.
A good review payload includes:
- proposed action
- reason
- evidence used
- policy or threshold triggered
- prior steps already taken
That makes the review queue usable and auditable.
Where teams go wrong
Common mistake:
- “We added a strong system prompt, so safety is covered.”
Better approach:
- prompt for interpretation
- schema for output
- code for hard checks
- routing for uncertainty
- review for sensitive cases
What to measure
Track:
- policy violation rate
- false-accept rate
- false-escalation rate
- review rate
- escalation correctness
If review volume is too high, you may be gating too aggressively. If review volume is too low and errors are slipping through, you are likely under-gating.
Copyable safety and gating checklist
For one workflow, answer:
- What actions are allowed?
- What actions are never allowed?
- Which rules can be checked deterministically?
- Which cases require review?
- Which metric would show under-gating?
- Which metric would show over-gating?
Common failure modes
- relying on prompt wording instead of control layers
- letting the model decide policy thresholds
- no evidence capture for review
- never recalibrating confidence thresholds
- no audit trail for escalated decisions
How StackSpend helps
Safety systems change workflow economics. More review, more retries, or more escalation all show up in cost. Tracking spend by workflow makes it easier to see whether a “safer” design is operating within an acceptable cost envelope.