Structural guardrails are what agents need to break corporate siloes

The business case for agents is the ability to cross silos, pulling from the CRM, the support queue, the wiki, and the code index, then acting across all of them. An agent that can't touch the interesting data is not worth running, and one that can becomes a security-review blocker at the enterprise-sale stage.

Across the AI startups I'm watching through 2026, the pattern repeats: layers of prompts telling the model not to share, output scanners checking what the agent sends out, and per-tool allowlists for specific skills, all of them stochastic and at best suggestions.

Bell-LaPadula, the 1973 information-flow model originally designed for military multi-level security systems, already solves this and most companies building agentic systems haven't discovered it yet. The floating-label variant, where a subject's effective clearance rises as it reads, maps cleanly onto conversational agents that start at no clearance and accumulate context through tool calls. Two rules translate into runtime behavior: a read from a higher-sensitivity tool raises the conversation's taint watermark, and a write to a lower-sensitivity destination is refused by the runtime rather than by the prompt. The runtime takes over once information has entered the context, so prompt injection at the ingress stays an upstream problem.

I built a demonstrative middleware for Strands Agents that wires the whole pattern up: strands-tool-boundaries. Share it with your compliance team for inspiration.