Series 3 of 4 · AI Evals · Level 1 · Topic 07

Two Axes of Checking

The Ground Truth
IN THIS NOTE YOU WILL LEARN
  • 01.The two independent decisions that organize every quality check: what does the checking (deterministic code vs AI judgment) and when it runs (before vs after the user sees the output).
  • 02.Why putting the wrong check on the wrong axis either destroys your user experience or lets dangerous outputs through.
  • 03.Why agentic systems need guardrails at every step that creates a side effect, not just at the final response boundary.

The Story

A European neobank's fraud AI flagged the right transfers at 7:14 AM. The money had left at 1:47 AM. €380,000 — gone, unrecoverable. The model scored the credential-stuffing burst at 94% confidence. The scoring was perfect. The architecture ran the check every six hours, in batch, after the fact.

A single synchronous rule — block any account attempting more than five outbound transfers in ten minutes — would have frozen the accounts mid-burst. The team had a quality check on the right type axis (AI judgment for pattern detection). They put it on the wrong timing axis (async, when it needed to be sync).

The post-incident review found what the engineers already knew: the batch architecture was chosen for cost and simplicity. Nobody asked the timing question. That is the gap this chapter closes.

The Core Idea

Quality checks in AI products are not one decision. They're two independent decisions that most teams collapse into one.

Decision 1 — Type: What does the checking? Some quality concerns have clear, codifiable rules. Is the response valid JSON? Does it contain a Social Security number pattern? These checks are deterministic — code that answers with 100% accuracy, in milliseconds, for free. Other quality concerns require judgment. Did the response follow the company's refund policy? Was the tone appropriate? These checks need an LLM-as-judge — semantically rich, expensive, and fallible.

Decision 2 — Timing: When does the checking happen? Some checks must block the response before the user sees it — synchronous guardrails. Others can run after the response is delivered — asynchronous evaluators analyzing sampled production traffic in the background.

Fig 1. Two Axes of Checking
THE DEFINITION

Two decisions for every quality check:
What checks, and when it runs.

Code vs AI judgment. Before the user sees it vs after. Get these wrong and you break UX or miss danger.
CODE + BEFORE

PII filters, format checks. Fast, cheap, certain.

AI + BEFORE

Tone check, policy compliance. Slower, but catches nuance.

CODE + AFTER

Log analysis, anomaly alerts. Zero latency cost.

AI + AFTER

Quality scoring, drift detection. Deep but sampled.

Airport security: metal detector before boarding, camera review after.
You wouldn't review the tape before letting someone through.

For agentic systems, the timing axis changes fundamentally. The dangerous thing often happens BEFORE the final response. An agent that cancels an order, runs a shell command, or leaks credentials through a tool call creates the damage mid-workflow. A single output guardrail at the end misses everything that happened in the middle.

The three-layer architecture mature teams deploy: Layer 1 — behavior shaping upstream (safe-completion training, Constitutional AI). Layer 2 — inline runtime controls (input guardrails, output guardrails, tool guardrails, human approvals). Layer 3 — async monitoring and evaluation on sampled production traces.

Where This Hits in Production

The latency vs compliance negotiation. Regulations like HIPAA and FINRA force certain checks into the synchronous path — you must prevent the violation, not just detect it afterward. The PM's job becomes negotiating: fast deterministic checks synchronously, nuanced AI checks asynchronously.

Multi-tenant systems need policy packs, not one global guardrail. The same user action can belong in different quadrants for different customers. Enterprise reality: not one global guardrail, but tenant-specific, environment-specific, workflow-specific policy configurations.

At 10M queries/day, judgment checks must be sampled. At enterprise scale, you run deterministic checks on 100% and semantic judges on filtered or sampled subsets.

Connecting the Dots

On the autonomy spectrum, the 2x2 matrix doesn't just get more complex as autonomy increases — it changes shape. At Levels 1-3, you check one output. At Levels 5-7, every step in the workflow potentially needs its own guardrail assignment. The 2x2 isn't one matrix. It's one matrix per step.

!

Common Mistake

Putting one output guardrail at the end of an agentic workflow and assuming it covers the system.

This feels architecturally elegant. One choke point. One place for policy logic. One dashboard.

What actually happens: the dangerous action occurs before the final response. If the agent cancels an order at step 3 or leaks credentials at step 7, the output guardrail at step 10 is too late.

Put validation and approvals next to the step that creates the side effect, not only at the final response boundary.

In Practice: The Enterprise 2x2

Here's what a well-configured checking architecture looks like for an enterprise support agent — expressed as a YAML policy the infrastructure enforces.

# Checking architecture: Enterprise Support Agent
sync:
  code:
    - json_schema_valid: block
    - contains_pii: redact_or_block
    - allowed_tool_names: block
  judgment:
    - policy_adherence_judge: block_if_violation
    - needs_human_approval:
        - cancel_order
        - refund_over_500

async:
  code:
    - pii_leak_rate: sample_100_percent
  judgment:
    - tone_appropriateness: sample_10_percent
    - factual_correctness: sample_5_percent
SYNCHRONOUS CONTROLS (real-time)
─────────────────────────────────────────
PII blocked:              47 today (0.3%)
Schema failures:          12 today (0.08%)
Policy judge blocks:       6 today (0.04%)
Human approvals requested: 3 today (0.02%)
p95 added latency:        420ms

ASYNCHRONOUS MONITORING (2-10% sample)
─────────────────────────────────────────
Tone appropriateness:     94% (stable)
Factual correctness:      88% (up from 83%)
Conversation resolution:  79% (down from 84%)
The 2x2 in Practice
The neobank had accurate AI scoring but no sync block. That's why the money left.
Code + Sync
PII regex filter
Blocks SSNs, credit cards before response. Runs in 30ms. 100% of traffic. $0 cost.
JSON schemaMax tokens
Perfect accuracy. Zero cost. Catches exact conditions only.
AI + Sync
Policy adherence judge
Blocks responses that violate refund policy. Runs in 150ms. Adds latency. Catches nuance.
Jailbreak probeHuman approval
Semantic richness. Higher cost. Fallible but catches subtlety.
Code + Async
Schema pass-rate tracking
Monitors 100% of responses. Logs trends. Zero user latency. Alerts on drift.
PII leak rateLatency tracking
Cheap. High coverage. Catches structural drift over time.
AI + Async
Tone drift detection (10% sample)
Catches subtle quality degradation hourly. No latency impact. Alerts on trend change.
Accuracy (5%)Resolution (2%)
Expensive. Sampled. Catches semantic drift code can't see.

Remember This

1. Every quality check sits in one quadrant of Type (code vs AI) × Timing (sync vs async). Wrong quadrant blocks real users or ships real violations. There is no neutral cell.

2. For agents, the guardrail belongs at the step that creates the side effect — not at the final response. An output check at step 10 cannot un-cancel the order at step 3.

3. The PM owns the quadrant assignment. It is a product decision priced in safety, latency, cost, and trust — not an engineering choice handed off after the spec.

References

1. EBA Fraud Monitoring Guidelines — European Banking Authority

2. Claude Code Auto Mode — Anthropic Engineering

3. Guardrails and Human Review — OpenAI Agents SDK

4. HIPAA Minimum Necessary Requirement — HHS.gov

Previous Topic Back to the Deep Dive