An AI agent with write access to production is not a tool. It's an actor with judgment. Before any agent touches production data, six infrastructure layers must be in place. Not five. Not "we'll add the sixth next sprint." Six. No exceptions.
According to AI Plumber's governance-first framework, these six pipes make the difference between a governed agent and an uncontrolled liability. Skip any one of them and you don't have a production system — you have an incident waiting for a trigger.
Identity & Authentication
Every agent gets a unique, constrained identity. Not a shared API key. Not "the service account." A named identity with scoped permissions that defines exactly what this agent can read, write, and execute. If you can't answer "which agent did this?" within 30 seconds, you don't have identity management — you have a mystery.
Audit Logging
Every action the agent takes is recorded in an immutable audit log. Every input it received, every output it generated, every external call it made, every decision point it hit. This is not optional observability — this is your evidence trail when a regulator asks "what happened and why." Without audit logs, debugging becomes archaeology.
Rate Limiting & Cost Guardrails
Hard limits on API spend per action, per hour, and per day. A single misconfigured agent loop can generate thousands of dollars in API calls within minutes. Cost guardrails are not budgeting — they're circuit breakers. When the guardrail trips, the agent stops. Not slows down. Stops.
Input/Output Validation
Every input the agent receives and every output it produces passes through validation. Schema validation. Content filtering. PII detection. Prompt injection defense. The agent should never be able to produce an output that your system can't verify is safe and well-formed. Garbage in, garbage out is not acceptable when "out" means "written to production."
Rollback Capability
Every write action the agent performs must be reversible within a defined time window. If the agent updates a database record, there's a before-state snapshot. If it sends a message, there's a recall mechanism. If it modifies a configuration, there's a previous-version restore. Irreversible writes by AI agents in production is not a feature — it's a design failure.
Human-in-the-Loop Escalation
When the agent encounters uncertainty above a defined threshold, it escalates to a human. Not silently. Not in a log nobody reads. A real-time escalation to a human who can approve, modify, or reject the action. The threshold is configurable. The escalation path is mandatory. An agent that can't ask for help is an agent that will make irreversible mistakes in silence.