Back to blogs

Hooks: The Deterministic Safety Net for AI Agents

P

Prakash Rengarajan

23 Jun, 2026

5 min read

The common assumption when deploying an AI agent is that safety is the model's job. Write a careful system prompt, add guardrail language, and the agent will behave. This assumption holds until it does not — and in an enterprise workflow, when it does not, the failure is in production and in the audit log.

Prompt guardrails are probabilistic. They live inside the model, and a sufficiently unusual input can move them. The parts of your system that must never move — that enforce hard policy regardless of what the model is told — need to live somewhere the model cannot reach.

That place is the platform's deterministic runtime. On Ontoz, it is called Hooks.

What a Hook is

A Hook is a Groovy or JavaScript function attached at one of seven named extension points in the lifecycle of a Copilot or Agentic Task. They are not prompt instructions. They are interceptors that run in the platform, before and after the model acts.

Hook pointWhat it enforces
onSessionStartHydrate context, inject case summary, set per-session token and step budgets
beforeToolCallVeto, rewrite, or redact tool arguments before the tool fires
afterToolCallSanitize results before the model sees them — PII redaction, schema clamping
onMessageInspect model output; classify, route, or block
onGuardrailViolationDecide whether to retry with a corrective message, escalate, or terminate
onHandoffFired when a Copilot escalates to a human or another agent — carries summary and state
onSessionEndPersist transcript summary, emit metrics, write audit log entry

The model reasons. The runtime enforces.

This split is deliberate. Prompt instructions are good at shaping tone, framing reasoning, and providing soft constraints. They are not reliable for hard policy.

If a field must never be readable by a particular agent, that rule should not live in the system prompt — it should live on the field itself, enforced by the runtime regardless of what the prompt says. The beforeToolCall hook intercepts at the platform level: it inspects the arguments a model is about to pass to a write tool and can veto the call before it fires. The model never knows the veto happened. Similarly, afterToolCall strips PII from a tool's return value before the model incorporates it into its next response.

This is the same discipline software engineers apply to safe functions: invariants are enforced at the call site, in the type system, in the test suite — not in the function's own output text. Hooks bring that discipline to AI.

Escalation is first-class

When an agent cannot complete its objective within its permitted scope, the onGuardrailViolation hook decides the path: retry with a corrective message, terminate and report, or escalate to a fallback human task. This is not a crash — it is a designed handoff.

The onHandoff hook fires at that moment and carries the full session summary and current state to wherever the work goes next, whether that is a human reviewer or a different agent with broader scope. Nothing is lost; everything is documented.

Why this matters for enterprise AI

Model choice, fine-tuning, alignment, and evaluation all matter. But the platform layer is where enterprise reliability is actually built. An agent system where what the model can do and what the model will do are the same thing — not because the prompt is airtight, but because the runtime makes it so — is the only kind that holds up under a compliance review.

Hooks are how Ontoz makes that guarantee.

Join the Waitlist