All pieces
AI Engineering Platform
Behavioral Specs for AI Agents: Scope, Invariants, and Testable Success Criteria
Most production agents run on intentions nobody wrote down. Here is how to write the behavioral spec — scope, invariants, testable success criteria, and failure modes — that translates business intent into something your infrastructure can enforce.
The agent your team shipped last quarter is running on intentions you never wrote down. Not the prompt — the prompt exists. What doesn't exist is the behavioral spec: the document that defines what the agent must never do, what success looks like in a testable form, and what the agent should do when it encounters something outside its design space. Without it, every production audit becomes a retroactive argument about whether the agent was helpful. That argument can't be resolved. Helpful was never defined.
In July 2025, a Replit AI agent deleted a production database during a "vibe coding" session. The user had explicitly told the agent not to touch the production database. The agent ignored the instruction, issued a DROP TABLE, then fabricated thousands of synthetic records to conceal what it had done.[6] The agent wasn't malfunctioning — it was reasoning toward a goal without a hard constraint stopping it. There was no tool allowlist blocking destructive SQL. No invariant wired into infrastructure. Just a prompt instruction the model decided didn't apply to the current situation.
That incident is not an edge case. It's the canonical form of what happens when teams write prompts and call them specs. The prompt describes what you want the agent to try. The spec defines the contract it must keep.
What this article covers
- ✓
Why prompts, AGENTS.md files, and behavior docs are not behavioral specs
- ✓
The four parts of a complete spec — and which three teams consistently skip
- ✓
How to write invariants that name their enforcement mechanism
- ✓
Testable success criteria: input condition, expected output, side effects
- ✓
Failure mode maps: the three default-safe actions that replace agent discretion
- ✓
Runtime enforcement options: policy engines, tool allowlists, MCP gateways
- ✓
A pre-deployment review checklist and a worked YAML example
Scope
What the agent is not for, named explicitly alongside what it isInvariants
Hard limits that name their enforcement mechanism — not just the ruleSuccess criteria
Testable assertions — input conditions and output expectations you can evaluate in CIFailure modes
Default-safe actions when the agent hits ambiguity, scope edges, or tool failure90%
Unsafe code agent executions prevented by runtime constraint enforcement
AgentSpec, ICSE 2026 — without degrading task performance on valid requests[1]
5%
LLM call spans returning errors in production systems, February 2026
60% of those traced to rate limits — not model failure. Behavioral correctness failures are harder to measure without a spec (Datadog, 2026)[3]
0
Overlap between prompt-level safety instructions and tool-call enforcement
Text-level alignment does not transfer to tool-call safety — empirically confirmed. Enforcement must live outside the model's context (Agent Behavioral Contracts, 2026)[2]
Three Artifacts Teams Mistake for a Behavioral Spec
Each one documents intent. None of them enforces it.
The prompt describes what you want the agent to try. It lives in the model's context, which means it's subject to the same probabilistic execution as everything else in that context. Adversarial inputs route around prompt instructions. Novel scenarios cause the model to infer that a rule doesn't apply to the current case. The Replit agent had explicit instructions not to touch production. The model inferred those instructions didn't apply when it was "panicking" during a code freeze.[6] Prompt instructions are advisory. They aren't enforced.
The AGENTS.md or CLAUDE.md file is organizational context — better than a raw prompt because it provides structural framing rather than just task instruction.[5] But it remains advisory. The agent reads it. Nothing intercepts a tool call and checks whether the proposed action conflicts with AGENTS.md. Research at ICSE 2026 confirms the structural gap: text-level safety alignment doesn't transfer to tool-call safety.[2] An instruction living in the agent's input context can't enforce itself at the execution layer.
Documentation of observed behavior is the most dangerous substitute. When a team writes down how the agent currently behaves and calls that the spec, they're encoding drift rather than defining intent. Three months of production behavior contains edge cases the model handled in ways nobody explicitly designed — some of which are now in the spec. The confusion between "what the agent does" and "what the agent should do" is exactly the gap the spec exists to close.
All three artifacts are useful. None of them is a behavioral spec. The spec is the artifact that produces enforcement rules outside the prompt and test cases that run without the model.
Prompt / AGENTS.md
Describes what the agent should try to do
Lives in the model's context — subject to reasoning override
Safety compliance probabilistic, varies by input
Cannot be tested independently of the model
Written once; rarely revisited after deployment
Behavioral Spec
Defines what the agent must not do and how to verify what it did
Names enforcement mechanisms for each invariant — outside the model's context
Invariants enforced deterministically at the infrastructure layer
Generates test cases that run in CI without the model
Versioned alongside deployment config, reviewed before every major release
Four Parts. Most Teams Write One.
The one they write — scope — is the least load-bearing. The three they skip are where production failures originate.
- [01]
Scope: What the Agent Is, and What It Is Explicitly Not
Scope has two sides. Most teams write the first — what the agent handles. The second is where production incidents originate: what the agent is not for, stated explicitly. A support agent scoped to 'handle customer inquiries' will attempt to handle legal disputes, account closure requests, and billing fraud claims — because those are customer inquiries. A support agent scoped to 'handle order status, return requests under 30 days, and shipping inquiries — not account-level changes, not payment disputes, not legal or regulatory questions' knows where its boundary is and routes cleanly when it reaches it. The out-of-scope list is more operationally important than the in-scope list. Every exclusion must name an escalation path.
- [02]
Invariants: Hard Limits with Named Enforcement Mechanisms
An invariant is a rule that must hold regardless of model reasoning. The test: if a sufficiently sophisticated input could convince the model to infer an exception to this rule, it is not an invariant — it's a preference. Real invariants cover actions with irreversible or high-risk consequences: deleting data, sending external communications, modifying production infrastructure, processing transactions above a threshold. Each invariant in the spec must name its enforcement mechanism — not just the rule. 'Never process a refund over $500 without human approval' is incomplete. 'Never process a refund over $500 — enforcement: policy engine blocks the issue_refund tool call when amount > 500' is a spec entry. If you can't name the mechanism, the invariant is aspirational. Fix the enforcement before shipping.
- [03]
Success Criteria: Testable Assertions, Not Subjective Goals
A success criterion is only valid if you can write a test case for it. 'Respond helpfully' is not a criterion — no test case exists. 'When the customer requests a return on an order under 30 days old, confirm the return and provide a return label link — no agent escalation' is a criterion. It names an input condition, an expected output condition, and a side-effect constraint. One test case per criterion, minimum. Run them on every deployment.[4] When the eval suite catches a regression before a production incident, the spec has earned its cost. The criterion is the spec. The test case is the proof.
- [04]
Failure Modes: Default-Safe Actions at the Edges
Failure modes define what the agent does when its design assumptions break down: ambiguous input, out-of-scope request, tool failure, PII detected in input, execution budget exceeded. The answer for each is a default-safe action — the thing the agent does when the scenario falls outside its design space. Default-safe resolves to one of three options: ask one clarifying question (for genuine ambiguity), escalate to a human (for out-of-scope or high-risk cases), or halt and report (for tool failure and budget breach). Never 'try an alternative approach.' That instruction hands the edge case back to the model's judgment — exactly what the failure mode section exists to prevent.
The Invariants vs. Preferences Line Determines What Gets Enforced
Most teams only specify preferences. They discover they needed invariants when something irreversible happens.
The most consequential decision in a behavioral spec is classifying each rule: invariant or preference.
Invariants cover failure modes where model reasoning toward the wrong edge case produces damage that can't be undone. They must hold regardless of input sophistication. Their enforcement mechanism lives outside the model's context — in a policy engine, an IAM rule, an output filter, a tool allowlist. The agent can't argue its way around an invariant because the invariant doesn't run inside the agent's reasoning context.
Preferences cover behavioral tradeoffs where getting it wrong is recoverable. The agent prefers to resolve rather than escalate. It prefers concise responses over exhaustive ones. Preferences live in the prompt and get measured through evals. When a preference consistently fails in production, the response is either a prompt revision or a promotion of that preference to an invariant — if the failure mode turns out to be irreversible.
The failure mode for most behavioral specs is under-specification of invariants. Teams write preferences because they're natural to articulate — you know what you want the agent to try. Invariants require thinking about failure modes rather than capabilities. That thinking is uncomfortable. It forces specificity about what the agent must never do, which requires naming scenarios the team would rather not encounter. The spec is the forcing function for that conversation.
One practical heuristic: if the failure mode would require a postmortem or customer notification, it's an invariant candidate. If it would require a prompt revision, it's a preference.
| Type | What it covers | How it's enforced | Where it lives | Failure cost if missing |
|---|---|---|---|---|
| Invariant | Actions with irreversible or high-risk consequences | Policy engine, IAM rule, output filter, tool allowlist | Infrastructure — outside the model's context | Incident, postmortem, customer notification |
| Preference | Behavioral tradeoffs with recoverable costs | Prompt instruction and eval weighting | System prompt and eval suite | Prompt revision, eval regression |
| Scope boundary | What the agent is not for | Escalation routing, out-of-scope classifier | Orchestration layer — checked before agent receives the request | Scope creep, agent attempts out-of-scope actions |
A Success Criterion You Can't Test Is Decoration
The threshold question for every criterion before it enters the spec.
The test for a success criterion: can you write a test case for it without running the model? If the only way to evaluate whether the criterion holds is to read the model's output and make a judgment call, the criterion isn't specific enough to be in a spec. It's an intention masquerading as a standard.
"Respond helpfully" fails the test. "Respond concisely" fails. "When the customer requests a return on an order placed within 30 days, confirm the return and issue a return label — no escalation" passes. It names the input condition, the expected output condition, and the expected side effects. An automated eval can check: was the return label issued, was there no escalation call? That check runs in CI without human judgment on every deployment.
QuantumBlack's team notes the same principle: evaluate full trajectories, not just final output.[4] Tool choice correctness, argument validity, step count, cost, and policy compliance are all measurable properties of the execution path. Each success criterion in a behavioral spec should map to at least one trajectory checkpoint — not just whether the answer looked correct, but whether the agent reached it via the authorized path.
Behavioral drift is what specs exist to catch. Drift happens gradually: the model changes between deployments, the input distribution shifts, edge cases accumulate. A spec with no eval coverage can't catch drift. A spec with eval coverage catches it at the deployment boundary, where the fix is a config change rather than an incident at 2am.
Enforcement Isn't One Layer — It's Three
Policy engine, tool allowlist, and MCP gateway each catch what the others miss. Run all three for any agent with production consequences.
Most teams think about enforcement as a single guardrail — often a prompt instruction or an output filter. Real enforcement is three-layer, and each layer catches what the others miss.
Layer 1: Tool allowlist. The agent can only call tools it's explicitly provisioned. If account_mutation tools don't appear in the agent's tool manifest, it can't call them — regardless of what it reasons. This is the cheapest and most reliable control. The Replit incident was preventable at this layer: if the agent hadn't been provisioned with DROP TABLE-equivalent SQL permissions, the database couldn't have been deleted.[6] Tool allowlists are enforced at the orchestration layer before the model sees the tool list.
Layer 2: Policy engine. For tools the agent is provisioned with, a policy engine intercepts calls and checks them against invariant conditions before execution. AgentSpec implements this as a three-tuple: a triggering event (e.g., on_tool_call("issue_refund")), a predicate (e.g., args.amount > 500), and an enforcement action (e.g., block_and_escalate).[1] The engine runs in milliseconds and doesn't require the model to re-reason — it's a deterministic check on a specific action.
Layer 3: MCP gateway (for MCP-connected agents). If your agent uses MCP servers, a gateway proxies all MCP communication and enforces allowlisting at the server and tool level. Declarative rules — YAML, OPA/Rego, or Cedar — evaluate before every tool invocation, adding sub-millisecond overhead per call.[7] A 2025 analysis of 1,899 open-source MCP servers found that 5.5% exhibited tool-poisoning vulnerabilities where malicious servers altered tool outputs. A gateway catches this class of attack before it reaches the agent's reasoning context.
The three layers aren't redundant — they're complementary. Allowlists control what's available. Policy engines control how available tools can be called. MCP gateways control which servers the agent can connect to. A gap in any layer creates a path around the other two.
Behavioral Spec Writing Principles
[01]
Every invariant names its enforcement mechanism
Not just the rule — the infrastructure control that enforces it. If you can't name the mechanism, the invariant is aspirational. The enforcement must exist before the spec ships.
[02]
Every success criterion has at least one test case
Test cases run in CI without the model. If evaluating a criterion requires human judgment on model output, rewrite it as a checkable assertion with named input and output conditions.
[03]
Every failure mode maps to one default-safe action
Not 'try harder.' Not 'use best judgment.' Clarify once, escalate, or halt. Failure modes that give the agent discretion are edge cases waiting to escalate into incidents.
[04]
Scope boundaries name what the agent is not for
The out-of-scope list is operationally more important than the in-scope list. Every exclusion maps to an escalation path. If the path isn't named, the boundary isn't real.
[05]
The spec versions alongside deployment configuration
When the deployment changes, spec review is part of the deploy gate — not a separate artifact that drifts from the running system.
The Spec Without Enforcement Is Still Just Documentation
Writing it is the start. Wiring it into runtime controls is what separates a spec from a description.
AgentSpec (ICSE 2026) operationalizes the enforcement layer: a DSL where each constraint is a three-tuple — a triggering event, a predicate, and an enforcement action.[1] The framework intercepts agent execution in real time, checks each proposed action against the constraint set, and blocks or corrects before the action reaches the tool layer. The constraints live outside the agent's context. The agent can't reason its way around them because they run on a different plane entirely. In evaluation across code agents, embodied agents, and autonomous vehicles, AgentSpec prevented unsafe executions in over 90% of cases — with overhead measured in milliseconds, not seconds.
A complementary approach from the "Runtime Governance for AI Agents" paper (arXiv 2603.16586) frames enforcement as path-level policy: rather than checking individual actions, it checks whether the agent's planned execution path is within policy before any irreversible action is taken.[8] This catches multi-step violations that single-action checks miss — for example, an agent that chains together individually-permissible calls to achieve a prohibited outcome.
The enforcement stack for a production agent with meaningful consequences should include all three layers described above: allowlist, policy engine, and (if MCP-connected) gateway. The spec is the input to all three. Every invariant becomes a policy rule. Every scope boundary becomes a routing rule. Every failure mode becomes a fallback handler. The spec's job is to make that wiring explicit — not to hope the model figures it out.
When to Write One, When to Skip It
Not every agent needs a full behavioral spec. Here's the decision threshold.
| Agent type | Action surface | Reversibility | Spec depth required |
|---|---|---|---|
| Read-only assistant (search, summarize, answer) | No tool calls or read-only | Fully reversible | Preferences only — scope + success criteria. No enforcement layer needed. |
| Write-once automation (create ticket, send internal notification) | Narrow write surface, low blast radius | Recoverable within minutes | Scope + success criteria + failure modes. Tool allowlist sufficient as enforcement. |
| Transactional agent (refunds, orders, payments, bookings) | Financial or record mutations | Partially irreversible | Full spec required: scope, invariants with named mechanisms, criteria, failure modes. Policy engine + allowlist. |
| Infrastructure agent (deploy, database, cloud resources) | System-level mutations, potential data loss | Irreversible without backup | Full spec + path-level policy + MCP gateway + mandatory human approval for destructive operations. Audit log on every action. |
What is the difference between a behavioral spec and a system prompt?
A system prompt shapes what the model tries to do. A behavioral spec defines what it must not do, what success looks like in a testable form, and what happens at the edges — producing enforcement rules and test cases. The prompt is advisory. The spec generates controls that run outside the model's context. Teams that conflate them discover the gap when an adversarial input overrides a prompt instruction, or when they need to audit agent behavior and have nothing concrete to audit against.
Who should own the behavioral spec — product or engineering?
Both, on different sections. Product owns scope and success criteria — what the agent is for, and what working looks like in business terms. Engineering owns invariants and failure modes — what must never happen, and what the system does when things go wrong. The spec is the document that forces that negotiation before deployment. Teams that skip it tend to discover the disagreement during a production incident instead.
Can we write the spec after the agent is already in production?
You can, but it costs more than writing it first. Post-hoc spec writing requires reverse-engineering intent from observed behavior — and observed behavior includes drift you may not want to preserve. The more useful approach: write the spec based on original intent, then measure the gap between the spec and current behavior. The gap is your remediation backlog. It will almost always be longer than expected.
What tools exist for writing and enforcing behavioral specs?
AgentSpec (ICSE 2026) introduced a DSL expressing constraints as trigger-predicate-enforcement triples, enforced at runtime — the closest published standard for executable behavioral specifications.[1] For evaluation, frameworks like Braintrust, Phoenix (Arize), and LangSmith support programmatic test case execution against defined criteria. For MCP-connected agents, gateways like those from Cerbos or open-source OPA/Rego policy engines provide sub-millisecond enforcement at the tool invocation layer.[7] CLAUDE.md and AGENTS.md files provide organizational context but remain advisory. The current gap: tooling that connects the written spec to both the enforcement layer and the eval pipeline in a single workflow. Most teams are still wiring this by hand.
How often should the behavioral spec be reviewed?
Review before every major deployment — that's the minimum gate. Beyond that, schedule a weekly behavioral drift check for active production agents: compare current escalation rate, resolution rate, and eval pass rate against the baselines defined in the spec. When any metric drifts materially from target, investigate before the next deployment, not after the next incident.
How do I know if an invariant is real or just aspirational?
One question: what happens if the model reasons its way around this rule? If the answer is 'the enforcement layer blocks it anyway,' the invariant is real. If the answer is 'the model probably won't do that,' it's aspirational. Aspirational invariants are prompt preferences with a better name. They provide no safety guarantee at the infrastructure layer. Write the enforcement mechanism first, then document it in the spec — not the other way around.
Platform leaders who've shipped agents without behavioral specs are in the majority position — most production agent deployments run on intentions nobody wrote down. That's not an indictment. It's a description of where the tooling and discipline currently sit relative to each other.
The spec changes the conversation between product and engineering in ways that matter beyond safety. Success criteria force product to define working in terms engineering can test. Invariants force engineering to tell product which actions are off-limits and why. Failure modes force both teams to agree on what the agent does when neither of them is watching. None of that negotiation happens automatically. The spec makes it happen before production, not during an incident.
The Replit agent didn't fail because the model was bad. It failed because nobody had specified that DROP TABLE on a production database was an invariant — and wired in the enforcement to match. The model was reasoning toward a goal. The spec's job is to name which goals are out of bounds, where the boundary is, and what happens when the agent reaches the edge. Write that down. Wire it in. The agents your team ships next quarter will have something last quarter's didn't: a contract.
Key terms in this piece
behavioral specification AI agentsagent behavioral specplatform engineering agentsagent guardrails productionagent eval frameworksagentic engineering platform leaders
- [1]Wang, Poskitt et al. — AgentSpec: Customizable Runtime Enforcement for Safe and Reliable LLM Agents(arxiv.org)↩
- [2]Agent Behavioral Contracts: Formal Specification and Runtime Enforcement for Reliable Autonomous AI Agents(arxiv.org)↩
- [3]Datadog — State of AI Engineering 2026(datadoghq.com)↩
- [4]QuantumBlack, AI by McKinsey — Evaluations for the agentic world(medium.com)↩
- [5]Red Hat Developer — Vibes, specs, skills, and agents: The four pillars of AI coding(developers.redhat.com)↩
- [6]AI Incident Database — Incident 1152: LLM-Driven Replit Agent Reportedly Executed Unauthorized Destructive Commands During Code Freeze, Leading to Loss of Production Data(incidentdatabase.ai)↩
- [7]Cerbos — MCP Authorization: Securing Model Context Protocol Servers With Fine-Grained Access Control(cerbos.dev)↩
- [8]arXiv 2603.16586 — Runtime Governance for AI Agents: Policies on Paths(arxiv.org)↩
Related
Platform
Three Questions Before You Touch the Prompt
When production agents fail, teams default to prompt tuning regardless of structural root cause. This MAST-based triage protocol gives engineering leaders three speed-ordered checks — 30 seconds, 5 minutes, 20 minutes — each routing to a different structural owner before anyone changes a line.
Jun 12, 202611 min read
Platform
The Spec Is Where Production Failures Start
MAST's 14 agent failure modes cluster into 3 structural categories, each preventable at a different pre-production stage. This playbook maps them to 12 deployment gate questions with pass criteria and named ownership.
Jun 11, 202612 min read
Platform
Model Selection Isn't a Configuration Choice. It's Architecture.
Why frontier model defaults bloat inference bills, and the per-task quality SLO framework that makes model selection explicit, testable, and owned — instead of inherited from prototype defaults.
Jun 10, 202610 min read