The Deterministic Boundary
Version: 1.0.0
Last updated: 2026-07-16
Purpose
Place probabilistic judgment and deterministic enforcement on the correct sides of an AI system boundary.
Why
“50/50” is a mnemonic, not a staffing, code-volume, or runtime quota. The correct split follows risk: use models for interpretation and generation; use code for identity, authorization, invariants, execution, accounting, and audit.
How
- List every proposed operation and its failure impact.
- Assign semantic work—classification, extraction, drafting, ranking—to the model.
- Assign enforceable policy—permissions, limits, schemas, transactions—to deterministic code.
- Validate the proposal against current authoritative state.
- Require approval for irreversible or high-impact actions.
- Evaluate both model quality and boundary enforcement.
const proposal = ProposalSchema.parse(await model.propose(request));
authorize(user, proposal.action, proposal.resource);
enforceBusinessLimits(proposal);
const result = await executeInTransaction(proposal);
await audit({ userId: user.id, proposal, result });
When
Apply this boundary to every feature that uses model output downstream, especially agents, financial operations, access-controlled retrieval, and external communications.
Tradeoffs
| Choice | Benefit | Cost |
|---|---|---|
| Deterministic execution gate | Prevents unauthorized effects | Additional implementation |
| Human approval for high impact | Reduces irreversible harm | Higher latency |
| Model-only drafting | Fast iteration | Requires downstream verification |
Anti-Patterns
- Literal 50/50 allocation: invents a precision the heuristic does not support.
- Authorization by prompt: asks the model whether a user may act.
- Semantic rules in regex alone: forces ambiguous language understanding into brittle code.
- Model executes its own proposal: collapses the control and data planes.
Enterprise Considerations
Map actions to risk tiers, segregation-of-duties controls, approval SLAs, and audit retention. Policy engines and resource APIs—not prompts—must remain the source of truth.
Checklist
- Every side effect has a deterministic authorization check
- Model output is schema-validated
- Business invariants are enforced against authoritative state
- Irreversible actions require proportionate approval
- Audit records link proposal, decision, actor, and result
- The split is justified by risk, not an arbitrary percentage
Changelog
- 1.0.0 (2026-07-16): Reframed the 50/50 mnemonic as a risk-based deterministic boundary.
Version: AIES v1.0.0✏️ Edit this page on GitHub