Agents and guardrails
We’ve climbed a ladder. Plumbing that moves things. Logic that branches. AI steps that interpret. Copilot that builds from a description. The top rung is the one everyone’s talking about and few are using well: agents. This is where automation stops following a fixed recipe and starts deciding its own steps — and where, for anyone in a regulated field, the questions get serious.
What an agent actually is
A normal Zap is a fixed track: trigger, then these steps, in this order, every time. A Zapier Agent is different. You give it a goal in plain English — “triage each new Signal item: judge relevance, summarise it, score it, and flag the strong ones for me” — and the agent works out how to get there. It reasons, picks which of its available tools to use, takes several actions, and can loop back if the first attempt falls short. The same agent can read a feed, write to a table, post to Slack and pause for a human, all from one instruction, across Zapier’s 9,000-plus connected apps.
The shift is from automation you choreograph to a teammate you delegate to. That’s genuinely powerful. It’s also exactly why you need to slow down before handing it anything that matters.
The capabilities worth knowing
Three features make agents more than a gimmick. Memory lets an agent carry context across runs, so it isn’t starting cold every time. Bring Your Own Model lets you choose which underlying AI powers it. And it can keep a human in the loop by design — pausing to wait for a named person’s approval before it does anything consequential. That last one isn’t a nicety in our world. It’s the whole basis on which an agent can be trusted at all.
The guardrails — and why they matter here
To Zapier’s credit, the platform has built a safety layer, and it maps almost exactly onto health communications anxieties. The guardrails scan for personally identifiable information across more than thirty types, detect prompt-injection attempts, and flag toxic or harmful language and negative sentiment. In plain terms: it tries to stop an agent leaking patient or personal data, being hijacked by malicious text hidden in its inputs, or producing something it shouldn’t.
Take the prompt-injection point seriously. An agent that reads external content — emails, web pages, documents — can be fed instructions buried in that content, designed to make it act against you. In a field where the inputs are clinical documents, KOL correspondence and regulated copy, that is not a theoretical risk. Guardrails reduce it; they do not abolish it.
Where the line sits
So here’s the honest position. An agent triaging your Signal queue, drafting first-pass summaries, flagging what looks strong for your review — that’s a fine use. The work is reversible, low-stakes, and a human sees everything before it goes anywhere. Let the agent move work to the gate.
An agent that drafts a claim and sends it, adjusts approved copy without review, or touches anything destined for a regulator without a person signing it off — that’s the wrong side of the line, guardrails or not. The technology is ready to propose. It is not ready, and may never be ready in our field, to decide unattended. Keep a named human accountable at every consequential step, by design and not as a courtesy.
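The line drawn above can be written as a deny-by-default gate between what an agent proposes and what actually runs. This is an added example, not Zapier's code or configuration; the action names, the approver address and the choice to block outright on a suspected injection are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed for this example: action names and the approver list are constructed.
REVERSIBLE = {"summarise", "score", "flag_for_review", "write_table_row"}
NAMED_APPROVERS = {"ned@example.org"}

@dataclass
class ProposedAction:
    kind: str                              # what the agent wants to do
    target: str                            # where the result would go
    guardrail_flags: set = field(default_factory=set)  # e.g. {"pii"}
    approved_by: Optional[str] = None      # set only when a person signs off

def gate(action: ProposedAction) -> str:
    """Return 'run', 'hold' (wait for a named human) or 'block'."""
    # Approval counts only from a named person, never the agent or a blank.
    approved = action.approved_by in NAMED_APPROVERS
    # A suspected injection means the plan may not be the agent's own: stop it,
    # even if someone has already approved the action.
    if "prompt_injection" in action.guardrail_flags:
        return "block"
    # Any other guardrail hit goes to a person, even for low-stakes work.
    if action.guardrail_flags:
        return "run" if approved else "hold"
    # Clean, reversible, internal work may move up to the review queue.
    if action.kind in REVERSIBLE:
        return "run"
    # Everything else is consequential by default, clean scan or not.
    return "run" if approved else "hold"

def triage(actions):
    """Map each proposed action to its gate decision, in order."""
    return [(a.kind, gate(a)) for a in actions]

# Constructed sample run of agent proposals.
SAMPLE = [
    ProposedAction("summarise", "signal_table"),
    ProposedAction("send_claim", "external_email"),
    ProposedAction("send_claim", "external_email", approved_by="ned@example.org"),
    ProposedAction("edit_approved_copy", "cms", approved_by="agent"),
    ProposedAction("score", "signal_table", {"pii"}),
    ProposedAction("summarise", "signal_table", {"prompt_injection"}),
]

if __name__ == "__main__":
    for kind, decision in triage(SAMPLE):
        print(f"{kind:20} -> {decision}")
```

An action type the gate has never seen is held, not run, so adding a new tool to the agent does not quietly widen what it can do unattended.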
Next: 16. Zapier: what you don’t hand to the robot — the closer, on where automation stops and your judgement begins.
Zapier for health communications is a practical series. New post every week.
— Ned

