Policy guardrails vs. prompt engineering: pick both, in that order
It's tempting to treat a well-worded system prompt as a safety mechanism. It isn't one. Prompts are guidance, not enforcement — a model can still be talked out of following them.
Real guardrails live outside the model, at the layer that actually executes actions. If an agent's write access to a table is revoked at the orchestration layer, no amount of clever prompting from a user gets around it.
That doesn't mean prompt engineering is useless. It's still the fastest way to shape behavior day-to-day. But it should sit on top of hard enforcement, not instead of it.
In practice, teams that separate these two layers ship faster: prompt changes can be iterated on constantly without ever needing a security review, because the actual boundaries haven't moved.