Skip to main content

PGAR Boundary ③: LLM Proposal

Blueprint · ← Agentic app · LLM proposal · PEP + PDP →

The LLM operates on conversation and tool schemas. It proposes tool calls. It does not permit them.

THE CLAIM

The LLM boundary is proposal-only. Authority, tokens, and policy text stop at the agentic app adapter.

Appropriate LLM work

TaskWhy prediction is fine
Parse user intentLanguage understanding
Select tool sequencePlanning
Draft user-facing explanationFluency
Propose retrieve_documents argsSearch strategy

Inappropriate LLM work (belongs in PDP)

TaskOwner
"Is this wire allowed?"PDP
"May this principal see corpus X?"PDP
"Does amount exceed limit?"PDP
"Record approval for audit"PEP

Tool manifest

Only tools in the manifest appear in the LLM schema. Unknown proposals are rejected by the agentic app before PEP.

See Domain: tool registry.

Failure classes

  • Policy in system prompt: limits as instructions instead of PDP
  • Credential injection: env vars visible to model runtime
  • Unbounded tools: dynamic schema includes admin operations
  • Proposal = execution: framework auto-runs tools without PEP

Trace fields

model_id, tools_in_schema, proposal, proposal_in_manifest, llm_payload_hash

See: Token & session boundary · Boundary overview