AI Agent Safety: The Substrate Pattern in Practice
The Substrate Pattern is a safety architecture for LLM-powered AI agents. It is the layer below the model — the part that decides what the agent is allowed to do, and what it is not. This article is the practical implementation guide.
The problem
Most AI agent systems are built as: prompt → model → action. The prompt tells the model what to do. The model decides what to do. The action is the result.
The problem: the model can decide to do anything. If the prompt is wrong, the model does the wrong thing. If the context is manipulated (prompt injection), the model carries out the attacker's instructions instead of the user's. The system has no safety layer that is independent of the model.
The Substrate Pattern
The Substrate Pattern adds four independent layers between the model and the action:
- Memory substrate: the layer that defines what the agent can remember. Scoped per user, per session, per tenant. The agent cannot access memory outside its scope.
- Tool substrate: the layer that defines what tools the agent can call. Each tool has a scope, a rate limit, and an audit requirement. The agent can only call tools in its current scope.
- Action substrate: the layer that defines what the agent is allowed to do. Each action has a pre-condition, a post-condition, and a rollback. The runtime enforces these.
- Identity substrate: the layer that defines who the agent is acting on behalf of. Every action is attributed to a specific identity with a chain of custody.
The key: these layers are independent of the model. The model can suggest any action, but the substrate decides whether it happens.
Implementation
The Substrate Pattern is implemented as a runtime that wraps the model. The runtime is the substrate; the model is the guest.
User request
→ Identity substrate (who is this?)
→ Memory substrate (what can they remember?)
→ Model (what should we do?)
→ Tool substrate (can we call this tool?)
→ Action substrate (can we take this action?)
→ Execute
→ Audit log
Each layer is a gate. If any layer denies, the action does not happen. The model never bypasses the substrate.
The four principles
- Make the wrong thing impossible: use types, schemas, and validators — not prompts — to keep the agent on rails. The agent cannot call a tool that is not in its scope.
- Default deny: every action, every tool, every memory is denied by default. The runtime grants access explicitly.
- Layered safety: each substrate is independent. Each one can be tested in isolation. The failure of one layer is caught by another.
- Observable by design: every substrate emits structured events. The agent’s behavior is auditable.
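The gate chain and the four principles above, as an added illustration in Python. This is not Neul Labs' runtime or the specification on docs.neullabs.com; the Identity, Tool and SubstrateRuntime names, the tenant-prefixed memory keys and the sample memory_write tool are all assumptions made for the example. The model's output is reduced to a proposal dict; the runtime decides, and every decision becomes an audit event.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Identity:                  # identity substrate: who the agent acts on behalf of
    principal: str
    tenant: str                  # memory scope boundary
    tools: frozenset             # explicitly granted tools; anything else is denied

@dataclass
class Tool:                      # tool substrate entry carrying the action contract
    rate_limit: int              # calls allowed per principal
    precondition: Callable[[Identity, dict], bool]
    execute: Callable[[dict], dict]
    postcondition: Callable[[dict], bool]
    rollback: Callable[[dict], None]

class SubstrateRuntime:
    def __init__(self, tools: dict):
        self.tools, self.calls, self.audit = tools, {}, []
    def _log(self, who: Identity, tool, decision: str, reason: str) -> dict:
        event = dict(principal=who.principal, tenant=who.tenant, tool=tool, decision=decision, reason=reason)
        self.audit.append(event)                  # observable by design: every decision is an event
        return {"ok": decision == "allow", "event": event}
    def dispatch(self, who: Identity, proposal: dict) -> dict:   # proposal = what the model suggested
        name, args = proposal.get("tool"), proposal.get("args", {})
        tool = self.tools.get(name)
        if tool is None or name not in who.tools:            # tool substrate: default deny
            return self._log(who, name, "deny", "tool not in scope")
        if self.calls.get((who.principal, name), 0) >= tool.rate_limit:
            return self._log(who, name, "deny", "rate limit exceeded")
        if not tool.precondition(who, args):                 # action substrate: pre-condition
            return self._log(who, name, "deny", "precondition failed")
        self.calls[(who.principal, name)] = self.calls.get((who.principal, name), 0) + 1
        result = tool.execute(args)
        if not tool.postcondition(result):                   # post-condition failed: undo it
            tool.rollback(result)
            return self._log(who, name, "deny", "postcondition failed, rolled back")
        return self._log(who, name, "allow", "ok")

# Constructed sample: a tenant-scoped memory store behind one write tool (assumed, not from the spec).
STORE = {"acme/notes": "q3 plan"}
def build_runtime() -> SubstrateRuntime:
    def write(a):                                            # returns what undo needs
        prev, STORE[a["key"]] = STORE.get(a["key"]), a["value"]
        return {"key": a["key"], "prev": prev}
    def undo(r): STORE.update({r["key"]: r["prev"]}) if r["prev"] is not None else STORE.pop(r["key"])
    tool = Tool(2, lambda who, a: "value" in a and a.get("key", "").startswith(who.tenant + "/"),
                write, lambda r: len(STORE[r["key"]]) <= 16, undo)
    return SubstrateRuntime({"memory_write": tool})
```

A cross-tenant key fails the pre-condition before anything runs; an over-long value passes the pre-condition, fails the post-condition and is rolled back; the third call in a session hits the rate limit; a tool the identity was never granted is denied regardless of what the model proposed.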
How to engage
The Substrate Pattern is the foundational safety pattern for the Neul Labs agent runtime. It is also used in production by AI teams in regulated industries. The AI Agent Infrastructure consulting engagement is designed for teams that want to implement this pattern in their own systems. Architecture review: USD 25K. Full implementation: USD 50K-200K.
The full technical specification is on the Neul Labs docs at docs.neullabs.com. A deeper explanation is on dipankar.name/frameworks/substrate-pattern/.