Agency17 June 20264 min read

Building a senior-colleague AI: versioned skills and gated tools

A loose-cannon agent is dangerous and a shackled one is useless. The way out is to put the judgment in versioned, fail-closed skill definitions and to gate which tools the agent can touch per skill and per turn. Capable without being a liability.

tsukumo

Building a senior-colleague AI: versioned skills and gated tools

Short version: there are two easy ways to build an agent and both are wrong. A loose-cannon agent with every tool and one giant prompt is a liability. A shackled agent that has to ask permission for everything is useless. The version worth shipping sits in the middle, and it is built, not prompted: the judgment lives in versioned, fail-closed skill definitions, the tools are gated per skill and per turn, and anything irreversible goes through a confirmation step. We built one for a fiduciary, where the agent has to be genuinely useful and genuinely safe at the same time.

Why "one big prompt with all the tools" fails#

Because it makes capability and safety the same dial, and you cannot turn one without the other.

When an agent has every tool and a single sprawling system prompt, the only way to make it safer is to make it more timid, and the only way to make it more capable is to make it more dangerous. There is no separation. You also cannot review the thing: behavior is buried in prose, changes are untracked, and a regression is invisible until it acts. The fix is to stop expressing capability as prompt text and start expressing it as structured, versioned skills.

Skills as versioned artifacts#

A skill is a unit of capability you can edit, review, and roll back, not a paragraph you tune by feel.

Each skill defines a task, how to perform it, and which tools it may use. Crucially, it is a tracked artifact, loaded from a system of record rather than hard-coded in a prompt. That gives you three things a giant prompt never does.

| Skill as a versioned artifact | Capability buried in a prompt |
|-------------------------------|-------------------------------|
| Edit and roll back deliberately | Change by feel, hope nothing regresses |
| Review like code | Behavior hidden in prose |
| Loaded from a system of record | Hard-coded and scattered |
| Fail-closed if missing | Silent, unpredictable fallback |

When skills load fail-closed, a skill that cannot be validated simply is not available, and the agent does less. It never falls back to an unrestricted default, because a missing guardrail that leaves the agent more capable than intended is the exact failure you are trying to design out.

Gating tools per skill and per turn#

The tools an agent can reach are decided by the active skill, and re-checked every turn.

A drafting skill exposes drafting tools and nothing that moves money. A reconciliation skill exposes the tools reconciliation needs and no more. Because gating is re-evaluated per turn, the available toolset tracks what the agent is actually doing right now, not what it might conceivably need someday.

The mental model is a trusted colleague, not a locked-down intern. A senior colleague is not less capable for staying in their lane. They are trusted precisely because they do. Gating gives the agent that same shape: full capability inside the current task, no reach outside it.

A confirmation step before the irreversible#

Capability and safety stop being the same dial the moment you add a checkpoint at the irreversible actions.

In front of anything that cannot be undone, a payment, an external send, a destructive change, sits a confirmation middleware. The agent can be fully capable right up to that line and still not cross it unsupervised. This is what lets you turn the capability dial all the way up: the irreversible actions are guarded structurally, so a confident agent is safe by construction rather than by hoping it stays cautious.

Shackled, loose, or senior?#

| Loose cannon | Shackled bot | Senior colleague |
|--------------|--------------|------------------|
| All tools, always | Asks before everything | Right tools for the task |
| Prompt-tuned by feel | Hard rules everywhere | Versioned, reviewable skills |
| Fails open | Fails by stopping | Fails closed, stays useful |
| Dangerous | Useless | Capable and safe |

The senior-colleague column is the only one that is both shippable and trustworthy, and you cannot prompt your way into it. It is an architecture: versioned skills, per-turn tool gating, fail-closed loading, a confirmation step at the edge.

What this means for your team#

If you want an agent people actually trust with real work, stop tuning one big prompt and start designing skills. Make each skill a versioned artifact that grants specific tools. Gate those tools by what the agent is doing now. Fail closed. Put a human checkpoint at the irreversible edge. The model is the easy part; the skill-and-gating layer is what turns a clever demo into a colleague.

We build these where the work is real and the mistakes are expensive. If your team wants an agent that is capable without being a liability, that's the work we do.

Common questions

What is a versioned skill for an AI agent?

A skill is a defined unit of capability: a description of a task, how to do it, and which tools it is allowed to use. Versioning it means it lives as a tracked artifact you can change, review, and roll back, rather than as text buried in one giant prompt. The agent's behavior becomes something you edit deliberately and audit, not something you tune by feel.

What does 'gating tools per skill and per turn' mean?

It means the set of tools the agent can call is restricted by which skill is active, and re-evaluated each turn. A skill for drafting only exposes drafting tools; it cannot reach a tool that moves money. Per-turn gating means the available tools track what the agent is currently doing, so it can never call something outside the current task.

How do you keep a gated agent from being uselessly restricted?

By making skills grant real capability, not by removing it. The point is not fewer tools, it's the right tools for the current task and nothing else. A senior colleague isn't less capable for staying in their lane; they're trusted because they do. Gating plus a confirmation step on irreversible actions gives you capable and safe at once.

What is fail-closed skill loading?

It means if a skill can't be loaded or validated, the agent does without it rather than falling back to an unrestricted default. The dangerous failure mode is a missing guardrail silently leaving the agent more capable than intended. Fail-closed makes the absence of a skill reduce what the agent can do, never expand it.

Want this running on your team?

Talk to us about your team