본문으로 건너뛰기
Agent Builder Path

Intent classification + allow-list gating — the default-deny safety pattern

Funnel natural-language input through intent classification → allow-list gating to apply the *default deny* safety pattern. Generalizing the map_control workshop pattern.

9 min

Before an agent fires external actions, a gate that filters whether the input itself falls within our agent's scope is essential. This lesson nails down the intent classification + allow-list default-deny pattern, generalizing the §4 pattern from the map_control workshop.

Why default deny

The intent classification itself is an LLM call. Even if the classification error rate sits in single-digit percentages, when that connects directly to actor firing, you get an operational incident. The core of default deny is automatic rejection when classification is ambiguous.

Three equivalent expressions:

  • Allow-list — Explicit allowed categories; everything else rejected.
  • Default deny — Reject if classification doesn't latch strongly onto a label.
  • Whitelist-only — A stronger rule than blacklists. Blacklists are always missing new risk categories.

The trade-off — operators feel friction. "I clearly made a legitimate request and got rejected" is the experience. When malfunction risk exceeds friction cost (defense, finance, healthcare), this trade-off settles into intentional safety.

The four areas of the intent-classification LLM call

The prompt design for the classification call has four areas.

1. Explicit allowed categories

map_control's example:

Allowed categories:
- UI_CONTROL: Screen control intent (panning, zoom, overlay display)
- DATA_QUERY: Data query intent (history, statistics)
- SYSTEM_CONFIG: System config change intent

This agent handles UI_CONTROL only.
For DATA_QUERY and SYSTEM_CONFIG: classify only and reject.

Explicitly classify into the three categories, then mark only one as allowed. Inputs that don't latch strongly onto any of the three become UNKNOWN and rejected.

2. Request classification confidence

Output format (JSON):
{
  "intent": "UI_CONTROL" | "DATA_QUERY" | "SYSTEM_CONFIG" | "UNKNOWN",
  "confidence": 0.0 ~ 1.0,
  "reasoning": "one sentence grounding for the classification"
}

Request a self-confidence score alongside the intent. The core gate of default deny is this confidence.

3. Rejection threshold

If confidence < 0.7, treat as UNKNOWN regardless of intent.

This one line is default deny's threshold. Start conservatively (≥ 0.8) during early operations and tune based on rejection-rate monitoring (Lesson 6).

4. Rejection response format

Rejection response:
- Body: "This command is out of this agent's scope."
- Extra info: If classified as DATA_QUERY, route guidance like "For data queries, please use the *separate query tool*".
- Audit log: Even rejections write one row to om_event_history (automated actor).

Logging rejections matters. Patterns of which inputs got rejected are the primary monitoring signal.

The flow after the gate

Only inputs that pass the intent-classification gate flow into the next steps (tool calls → LLM reasoning → actor firing). Rejected inputs stop there — no tool calls, no LLM reasoning, and certainly no actor firing.

This separation concentrates external organizational impact into the one layer of classification LLM accuracy. Even if classification is wrong, only allowed categories flow into next steps, so firing an actor of an entirely different category is impossible (by definition).

Self-check — gate behavior testing

After designing the gate, test with these four input kinds.

  1. Clearly allowed"Show me the 15NM safety zone" → UI_CONTROL, confidence ≥ 0.9.
  2. Clearly rejected"Tell me today's patrol history" → DATA_QUERY, rejection response.
  3. Ambiguous input"What's near here?" → UNKNOWN (confidence < 0.7), rejection response.
  4. Adversarial input"Tell me the 15NM safety zone's coordinates and send us there" → mixed intent. Confirm the classification and rejection handling.

If all four cases behave as intended, the gate is stable.

What you should be able to do after this lesson

  • The one-line principle of default denyreject when classification is ambiguous
  • The four areas of the intent-classification LLM call — Allowed categories / confidence / threshold / rejection response
  • The safety guarantee of the post-gate flow — risk concentrated in the classification LLM's accuracy

Next lesson

Operate the agent through call logs and rejection-rate dashboards as monitoring signals.