Hook Architecture: 4-Layer Enforcement
Policy documents are aspirational. Hooks are structural. One describes what should happen. The other makes it happen. Here's the 4-layer hook architecture that enforces AI governance without depending on the AI remembering the rules.
Policy documents are aspirational. Hooks are structural. One describes what should happen. The other makes it happen.
I’ve watched organizations spend months writing AI governance policies. Beautiful documents. Detailed procedures. Clear escalation paths. Then the AI ignores all of it because nobody built enforcement into the runtime. The policy exists on a wiki page. The AI exists in a context window. They never meet.
The Enforcement Gap
AI agents don’t follow rules by default. They follow statistical patterns from training data. You can put rules in the system prompt, and the model will mostly follow them. Until the context window fills up and the rules get compressed. Until the task is complex enough that the model prioritizes completion over constraints.
“Mostly follows the rules” is fine for writing emails. It’s not fine for systems that deploy code, modify databases, or make financial decisions. The solution: stop depending on the AI to remember rules. Build an enforcement layer that intercepts every action and applies rules structurally. The hooks remember. The AI runs into walls when it tries to violate them.
Layer 1: Preventive Hooks (UserPromptSubmit)
Preventive hooks fire before the AI processes a task. They intercept the input and apply pre-processing rules before the model ever sees the request.
These hooks handle input validation, task classification, and context injection. Is this task classified? Is the right context loaded? Does this task require a specific workflow phase before execution can begin?
The most valuable preventive hook in my system is the trivial/non-trivial classifier. Every incoming task gets classified before the AI touches it. Non-trivial tasks get the full 5-phase workflow. Trivial tasks get a fast path. The model doesn’t decide whether to follow process. The hook decides for it.
Another preventive hook injects context from prior sessions. The AI’s fresh context window knows nothing about yesterday’s decisions or last week’s constraints. The hook queries the memory system and injects relevant context. The AI starts with the right information, not because it remembered, but because the hook loaded it.
Preventive hooks are the cheapest layer. Catching a problem before processing costs nothing compared to catching it after 2,000 tokens of output that needs discarding.
Layer 2: Detective Hooks (PreToolUse / PostToolUse)
Detective hooks fire during execution. PreToolUse hooks intercept before the AI calls a tool. PostToolUse hooks intercept after a tool returns its result.
PreToolUse is where you enforce authorization. Before the AI executes a file write: Does the task have permission? Is the target path allowed? Is this production? If any check fails, the tool call gets blocked with an explanation.
I have a PreToolUse hook that checks every shell command against a deny list. rm -rf, DROP TABLE, git push --force — blocked unconditionally unless explicitly approved. The AI might have a perfectly good reason. The hook doesn’t care about reasons. It cares about patterns.
PostToolUse hooks inspect results. Did a database query return sensitive data? Did a file read expose credentials? PostToolUse hooks redact or flag problems before the model processes the result.
The detective layer creates a chokepoint. Every interaction between the AI and the outside world passes through these hooks. The AI operates inside a monitored perimeter.
Layer 3: Corrective Hooks
Corrective hooks fire when something goes wrong. They’re the feedback mechanism that routes failures back to the appropriate handler.
When a detective hook blocks a tool call, the corrective hook determines what happens next based on the task’s risk classification.
For L1 and L2 tasks (low and moderate risk), the AI retries with guidance. “File write blocked: target outside allowed directory. Allowed: /src, /tests, /docs.” Specific, actionable feedback.
For L3 and L4 tasks (high and critical risk), the corrective hook escalates to a human. No automatic retry. The task pauses, context gets packaged into a review request, and a human decides. The AI doesn’t get to try a different approach to a high-risk operation on its own.
Corrective hooks also unwind cascading failures. When one tool call fails and subsequent calls depend on its result, the hook reports the full failure path instead of letting the AI continue with missing data.
This is where most governance frameworks fall apart. They define what should happen but not what happens after a violation. The answer can’t be “log it and continue.” It must be “stop, correct, or escalate.”
Layer 4: Retention Hooks (PreCompact)
This is the layer nobody talks about, and it’s the one that makes everything else work long-term.
AI context windows are finite. When a conversation gets long enough, the context gets compacted — older content gets summarized or dropped to make room for new content. When this happens, everything in the context is at risk: task state, constraint definitions, workflow phase tracking, even the rules themselves.
Retention hooks fire before context compaction and extract critical state that must survive the compression. Phase tracking (which workflow phases have completed). Constraint state (which rules are active, which approvals have been granted). Task context (what was decided earlier in this session and why). Violation history (what the AI tried to do that got blocked).
This state gets stored outside the context window in a persistence layer. After compaction, a preventive hook reinjects the critical state. The AI continues with full governance awareness.
Without retention hooks, every context compaction is a governance reset. The AI forgets it’s in Phase 3 and starts generating without a plan. Forgets a file path was blocked and tries again. Forgets that council review is required.
I discovered this by watching an agent follow process perfectly for 45 minutes, then suddenly ignore every constraint. The context had compacted. The rules were gone. The agent wasn’t being defiant — it literally didn’t know the rules existed anymore. Retention hooks exist because of that day.
State Management Across Hooks
The four layers don’t operate in isolation. They share state through a governance context object that tracks everything: current workflow phase, active constraints, granted permissions, blocked attempts, escalation status.
Preventive hook classifies a task? Written to the context. Detective hook blocks a call? Recorded. Corrective hook escalates? Tracked. Retention hook fires? It knows exactly which pieces are critical because they’re explicitly marked.
This shared state turns four independent layers into a coherent system. The corrective hook knows this is the third blocked access attempt, changing the escalation decision. The preventive hook knows a prior task was escalated, changing risk classification for subsequent tasks.
Violation Tracking and Escalation
Every hook violation gets logged with timestamp, task context, violation type, and resolution. This creates an audit trail that answers questions like: What did the AI try to do? Why was it blocked? What happened after the block?
Violation patterns drive escalation. A single blocked file write is a correction. Three blocked file writes to the same path in the same session is a pattern that suggests the task definition is wrong or the permissions need review. The escalation system recognizes these patterns and raises the alert level.
The violation log also feeds back into preventive hooks. If a specific task type repeatedly triggers detective-layer blocks, the preventive hook can be updated to catch the problem earlier — before the AI spends tokens generating output that will be blocked.
Enforcement Without Dependence
The entire hook architecture exists to solve one problem: governance that doesn’t depend on the AI choosing to follow the rules.
The AI doesn’t need to know the rules or remember them. The hooks enforce rules structurally, at the runtime level, in a layer the AI cannot bypass.
Policy documents tell you what should happen. Hooks make it happen. If your AI governance exists only in documents, it doesn’t exist at all.
I build AI enforcement architectures — 4-layer hook systems that make governance structural, not aspirational. If your AI agents are operating without runtime enforcement, let me show you what controlled execution looks like.
Book a call: https://cal.com/davidyoussef