SDK patterns for trusted agents
Where the SDK ends and the trust layer begins — and why putting the guardrails inside the SDK is usually the wrong default.
- Manzia Editorial
The fastest way to make a guardrail unfixable is to bury it inside the SDK that every team imports. The next deploy that updates the SDK now ships a behavior change to every product surface, whether they audited it or not.
A separation that holds up
- SDK — the thin client. Authenticates, marshals requests, handles retries. Knows nothing about which tools an agent is allowed to call.
- Trust layer — a service the SDK calls. Owns allowlists, scoped credentials, human-in-the-loop wiring, audit. Versioned and rolled out on its own cadence.
- Product code — wires both together, declares which trust profile this agent runs under, and is responsible for upgrading deliberately.
This is a boring layering. Its virtue is that an SDK release can never widen the action surface of a deployed agent, and a trust-layer release never breaks the build by changing the SDK's API.
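The layering above in code, as an added example that is not from the original page or from any real SDK. The class names, the `support-readonly` profile, the tool names and the version string are assumptions, and the trust layer is an in-process object standing in for a separately deployed service.

```python
from dataclasses import dataclass, field
class ActionDenied(Exception):
    """The trust layer refused this tool call."""

@dataclass
class TrustLayer:
    """In-process stand-in for the separately versioned trust service."""
    version: str                        # constructed value, rolled out on its own cadence
    profiles: dict                      # profile name -> set of allowed tool names
    audit_log: list = field(default_factory=list)

    def authorize(self, profile, tool):
        # Unknown profile -> empty allowlist, so the default is deny.
        allowed = tool in self.profiles.get(profile, frozenset())
        self.audit_log.append((self.version, profile, tool, allowed))
        return allowed

class AgentSDK:
    """Thin client: marshals and retries. Carries no allowlist of its own."""
    def __init__(self, trust, profile, transport, max_retries=2):
        self.trust, self.profile = trust, profile
        self.transport, self.max_retries = transport, max_retries

    def call_tool(self, tool, args):
        # The decision is delegated; the SDK only enforces the answer.
        if not self.trust.authorize(self.profile, tool):
            raise ActionDenied(f"{tool!r} denied under profile {self.profile!r}")
        request = {"tool": tool, "args": args}
        for attempt in range(self.max_retries + 1):
            try:
                return self.transport(request)
            except ConnectionError:
                if attempt == self.max_retries:
                    raise

def build_support_agent(trust, transport):
    """Product code: wires SDK and trust layer, pins the profile explicitly."""
    return AgentSDK(trust, profile="support-readonly", transport=transport)

def demo():
    """Constructed scenario: one allowed tool, one tool outside the profile."""
    trust = TrustLayer("2024.1", {"support-readonly": {"search_tickets"}})
    agent = build_support_agent(trust, lambda req: {"ok": True, "tool": req["tool"]})
    results = []
    for tool in ("search_tickets", "issue_refund"):
        try:
            results.append(agent.call_tool(tool, {}))
        except ActionDenied as exc:
            results.append(str(exc))
    return results, trust.audit_log
```

Because `AgentSDK` holds no allowlist, replacing it with a newer release cannot change which tools the agent may call; only an edit to `TrustLayer.profiles` or to the profile named in `build_support_agent` can.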
Author
Manzia Editorial — Editorial team
The Manzia editorial team curates research, frameworks, and field reports on building, deploying, and benchmarking Trusted Agents.