So sorry this happened to you. Models can't police themselves. The guardrail was a paragraph of text. That's not a guardrail. Security has to live at the infra layer. Container inside a micro VM, network policies, scoped tokens, tool restrictions. We built a credential gateway so a domain-management token cannot touch volumeDelete because that permission doesn't exist at the API layer. You decide exactly which tools an agent can call. When you're free, we'd love to help prevent this in the future. DM us.