Hooks: The Deterministic Safety Net for AI Agents
Prakash Rengarajan
23 Jun, 2026
5 min read
The common assumption when deploying an AI agent is that safety is the model's job. Write a careful system prompt, add guardrail language, and the agent will behave. This assumption holds until it does not — and in an enterprise workflow, when it does not, the failure is in production and in the audit log.
Prompt guardrails are probabilistic. They live inside the model, and a sufficiently unusual input can move them. The parts of your system that must never move — that enforce hard policy regardless of what the model is told — need to live somewhere the model cannot reach.
That place is the platform's deterministic runtime. On Ontoz, it is called Hooks.
What a Hook is
A Hook is a Groovy or JavaScript function attached at one of seven named extension points in the lifecycle of a Copilot or Agentic Task. They are not prompt instructions. They are interceptors that run in the platform, before and after the model acts.
| Hook point | What it enforces |
|---|---|
| onSessionStart | Hydrate context, inject case summary, set per-session token and step budgets |
| beforeToolCall | Veto, rewrite, or redact tool arguments before the tool fires |
| afterToolCall | Sanitize results before the model sees them — PII redaction, schema clamping |
| onMessage | Inspect model output; classify, route, or block |
| onGuardrailViolation | Decide whether to retry with a corrective message, escalate, or terminate |
| onHandoff | Fired when a Copilot escalates to a human or another agent — carries summary and state |
| onSessionEnd | Persist transcript summary, emit metrics, write audit log entry |
The model reasons. The runtime enforces.
This split is deliberate. Prompt instructions are good at shaping tone, framing reasoning, and providing soft constraints. They are not reliable for hard policy.
If a field must never be readable by a particular agent, that rule should not live in the system prompt — it should live on the field itself, enforced by the runtime regardless of what the prompt says. The beforeToolCall hook intercepts at the platform level: it inspects the arguments a model is about to pass to a write tool and can veto the call before it fires. The model never knows the veto happened. Similarly, afterToolCall strips PII from a tool's return value before the model incorporates it into its next response.
This is the same discipline software engineers apply to safe functions: invariants are enforced at the call site, in the type system, in the test suite — not in the function's own output text. Hooks bring that discipline to AI.
Escalation is first-class
When an agent cannot complete its objective within its permitted scope, the onGuardrailViolation hook decides the path: retry with a corrective message, terminate and report, or escalate to a fallback human task. This is not a crash — it is a designed handoff.
The onHandoff hook fires at that moment and carries the full session summary and current state to wherever the work goes next, whether that is a human reviewer or a different agent with broader scope. Nothing is lost; everything is documented.
Why this matters for enterprise AI
Model choice, fine-tuning, alignment, and evaluation all matter. But the platform layer is where enterprise reliability is actually built. An agent system where what the model can do and what the model will do are the same thing — not because the prompt is airtight, but because the runtime makes it so — is the only kind that holds up under a compliance review.
Hooks are how Ontoz makes that guarantee.
