Governance Analysis

CLAUDE.md Is Not Governance

Your CLAUDE.md is being ignored. Your .cursorrules stopped working. Your AI agent ignores instructions after 20 messages. That's because system prompts are suggestions, not constraints. Runtime governance is deterministic enforcement. They are not the same thing.

The Fundamental Problem

CLAUDE.md, .cursorrules, and system prompts are text-based instructions injected at the beginning of a conversation. They ask the model to follow rules. But they have no enforcement mechanism.

What CLAUDE.md Does

  • Asks the agent to follow rules
  • Uses natural language
  • Has no enforcement
  • Competes for context space
  • Gets less attention over time
  • Can be overridden by user prompts

What Governance Does

  • Enforces rules via middleware
  • Uses policy-as-code (YAML)
  • Blocks unauthorized actions
  • Operates outside the context window
  • Enforcement never degrades
  • Cannot be overridden by prompts

Documented case: the instruction "Do not modify files outside the /src directory" in CLAUDE.md was bypassed within three messages once the agent decided that a config change outside /src would be "helpful."

Why Text Instructions Get Bypassed

Context pressure

As the conversation grows, the system prompt competes with every later message for the model's attention, and recent messages tend to dominate. Nothing in the model re-reads the rules before each action.

Rules forgotten after ~60 min

Helpfulness override

Models are trained to be helpful. When the agent determines a rule-violating action would be "better," helpfulness wins.

Rules overridden proactively

Ambiguity exploitation

Natural language rules have interpretive gaps. The agent finds valid readings that justify violations.

Rules reinterpreted creatively

Instruction injection

User prompts can override system prompt rules through stronger or more specific language, whether inadvertently or on purpose. The same applies to any text the agent reads during a task (tool output, files, web pages): the model cannot reliably tell instructions in the context from data in the context.

Rules overridden by user

The 4-Layer Governance Stack

Real governance operates across 4 layers, each with middleware enforcement that the model cannot bypass, because the check runs outside the model, in the path between the agent and the tool runtime. This only holds if the policy and the middleware themselves sit outside the agent's writable scope; an agent that can edit policy.yaml or middleware.ts is governed by a suggestion again.

Identity Layer

CLAUDE.md + policy.yaml manifest

Who is the agent? What are its principles? What are its boundaries?

Skill Layer

Operational procedures + YAML policies

What can the agent do? What procedures must it follow?

Tool Layer

middleware.ts + permission manifests

Which tools can the agent use? What permissions are required?

Environment Layer

File guards + budget caps + context limits

What files can it access? What are the cost limits?

How to Move Beyond System Prompts

  • Step 1 — Deploy CLAUDE.md as identity layer (necessary but not sufficient)
  • Step 2 — Add policy.yaml with machine-readable rules
  • Step 3 — Deploy middleware.ts that intercepts and enforces policies
  • Step 4 — Configure file guards, cost limits, and retry caps
  • Step 5 — Add audit logging for every agent action
  • Step 6 — Set up human escalation triggers for threshold violations

Frequently Asked Questions

My CLAUDE.md is being ignored. Why?
CLAUDE.md occupies tokens in the same context window as your conversation. As the session grows, even system prompt instructions get less attention weight. The model treats them as suggestions, not constraints. After roughly an hour of active use, enough later messages have accumulated that your CLAUDE.md is effectively invisible to the agent; it is the volume of later context, not elapsed time, that does the damage.
My .cursorrules stopped working. How do I fix it?
.cursorrules is the same pattern as CLAUDE.md — text-based instructions competing for context space. Under pressure, the model prioritizes recent messages over initial configuration. The fix is not a better .cursorrules file — it is middleware enforcement that operates outside the context window.
Why does my AI agent ignore instructions?
AI agents are trained to be helpful, not obedient. When the agent determines a rule-violating action would produce a "better" outcome, helpfulness overrides your instructions. This is why text-based rules are suggestions, not constraints. Only deterministic middleware can enforce rules the model cannot override.
Should I delete my CLAUDE.md?
No. CLAUDE.md is the Identity Layer — it is necessary but not sufficient. Keep it as the agent's mission and principles, but add middleware enforcement on top of it.
What does "middleware enforcement" mean?
Middleware intercepts agent actions before they execute. For example, a file guard middleware resolves the path of the file being modified and checks whether it falls inside the approved scope (resolving first matters: "src/../package.json" is not inside /src). If it does not, the action is blocked, regardless of what the agent's text instructions say.
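The following is an added example of the Tool and Environment layers described in the 4-layer stack and in Steps 2 through 6 above; it is not code from the original page or from any product the page describes. It assumes a hypothetical policy.yaml whose parsed form is inlined as the `policy` object, a hypothetical `ToolCall` shape for what the agent emits, and a `Governor` class standing in for middleware.ts. The sequence of tool calls in `demo()` is constructed to mirror the page's "config change outside /src" scenario.

```typescript
// Added example (not the page's own code). All names here are assumptions for
// illustration: Policy, ToolCall, Verdict, Governor and demo() are hypothetical.
import { posix as path } from "node:path";

// Parsed form of a hypothetical policy.yaml. In practice this is read from disk
// with a YAML loader; it is inlined so the example runs offline.
interface Policy {
  allowedRoots: string[];        // file guard: paths allowed only under these roots
  deniedPaths: string[];         // file guard: denied even inside an allowed root
  allowedTools: string[];        // tool layer: permission manifest
  maxCostUsd: number;            // budget cap for the whole session
  maxAttemptsPerCall: number;    // retry cap for an identical call
  escalateAfterDenials: number;  // human escalation trigger
}

const policy: Policy = {
  allowedRoots: ["src"],
  deniedPaths: ["src/secrets"],
  allowedTools: ["read_file", "write_file"],
  maxCostUsd: 1.0,
  maxAttemptsPerCall: 2,
  escalateAfterDenials: 3,
};

interface ToolCall {
  tool: string;
  args: { path?: string; command?: string };
  estimatedCostUsd: number;
}

interface Verdict { allow: boolean; reason: string; escalate: boolean }
interface AuditEntry { seq: number; call: ToolCall; verdict: Verdict }

// The middleware. It sits between the agent and the tool runtime, so nothing the
// model says inside the context window changes what it does.
class Governor {
  private readonly policy: Policy;
  private readonly workdir: string;
  private spentUsd = 0;
  private denials = 0;
  private attempts = new Map<string, number>();
  readonly audit: AuditEntry[] = [];

  constructor(policy: Policy, workdir: string) {
    this.policy = policy;
    this.workdir = workdir;
  }

  enforce(call: ToolCall): Verdict {
    const reason = this.firstViolation(call);
    const allow = reason === null;
    if (allow) this.spentUsd += call.estimatedCostUsd;
    else this.denials += 1;
    const verdict: Verdict = {
      allow,
      reason: reason ?? "",
      escalate: !allow && this.denials >= this.policy.escalateAfterDenials,
    };
    // Audit every action, allowed or blocked, before it can reach the tool runtime.
    this.audit.push({ seq: this.audit.length + 1, call, verdict });
    return verdict;
  }

  // Returns the first policy violation, or null if the call is permitted.
  private firstViolation(call: ToolCall): string | null {
    // Retry cap: identical attempts are counted here, where the model cannot reset them.
    const key = call.tool + ":" + JSON.stringify(call.args);
    const n = (this.attempts.get(key) ?? 0) + 1;
    this.attempts.set(key, n);
    if (n > this.policy.maxAttemptsPerCall) return `retry cap exceeded for ${call.tool}`;

    // Tool permission manifest.
    if (!this.policy.allowedTools.includes(call.tool)) return `tool ${call.tool} not permitted`;

    // File guard: compare the *resolved* path, so "src/../package.json" and absolute
    // paths cannot slip past a naive string-prefix check on the raw argument.
    if (call.args.path !== undefined) {
      const resolved = path.resolve(this.workdir, call.args.path);
      const under = (root: string): boolean => {
        const r = path.resolve(this.workdir, root);
        return resolved === r || resolved.startsWith(r + path.sep); // "srcfoo" is not under "src"
      };
      if (this.policy.deniedPaths.some(under)) return `path ${call.args.path} is denied by policy`;
      if (!this.policy.allowedRoots.some(under)) return `path ${call.args.path} outside approved scope`;
    }

    // Budget cap.
    if (this.spentUsd + call.estimatedCostUsd > this.policy.maxCostUsd) {
      return `budget cap of ${this.policy.maxCostUsd} USD would be exceeded`;
    }
    return null;
  }
}

// Constructed sequence of tool calls (not a real trace), mirroring the page's scenario.
function demo(): Verdict[] {
  const gov = new Governor(policy, "/repo");
  const write = (p: string): ToolCall => ({ tool: "write_file", args: { path: p }, estimatedCostUsd: 0.4 });
  const calls: ToolCall[] = [
    write("src/app.ts"),            // in scope -> allowed
    write("src/../package.json"),   // the "helpful" config change -> blocked (resolves outside /src)
    write("/etc/passwd"),           // absolute path outside scope -> blocked
    write("src/secrets/key.pem"),   // inside the root but on the deny list -> blocked, 3rd denial escalates
    { tool: "shell", args: { command: "chmod -R 777 ." }, estimatedCostUsd: 0.1 }, // tool not in manifest
    write("src/../package.json"),   // 2nd identical attempt -> still blocked by the file guard
    write("src/../package.json"),   // 3rd identical attempt -> blocked by the retry cap
    write("src/lib.ts"),            // allowed; session spend is now 0.8 USD
    write("src/util.ts"),           // would push spend to 1.2 USD -> blocked by the budget cap
  ];
  return calls.map((c) => gov.enforce(c));
}
```

Two things a production version adds: canonicalize with `fs.realpathSync` before the scope check so a symlink under /src cannot point outside it, and treat `escalate: true` as a hard stop on the session until a human reviews the audit log, not as a warning the agent can talk past. Note also that policy.yaml and middleware.ts live outside the allowed root here; if they did not, the first "helpful" edit would be to the rules themselves.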