If your safety and auditing live in the system prompt, they hold only as long as the model cooperates, and the cases where you need them are exactly the ones where you can’t count on that cooperation. Hermes places enforcement in lifecycle hooks that fire at fixed points (pre/post tool call, gateway dispatch, approval) and can block, rewrite, or pass through any operation, plus filesystem-installed scripts for host side-effects. Both are designed so that policy, auditing, and side-effects execute independently of model cooperation. This generalizes "Safety enforcement belongs in tool design, not system prompts" from the tool API out to the whole loop, and it’s a concrete expression of how Intelligence location — code vs prompts — determines system fragility and flexibility: deterministic code carries the guarantees while the model carries the judgment, the same division that lets Production agents route routine cases through decision trees, reserving humans for complexity.
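
A minimal sketch of the pre-tool-call hook pattern described above, added here as an illustration and not Hermes code. The names `Decision`, `ToolLoop`, both hooks, the `/workspace` root and the in-memory file table are assumptions made for the example.

```python
import posixpath
from dataclasses import dataclass, field

WORKSPACE = "/workspace"                      # assumed sandbox root
FILES = {"/workspace/notes.txt": "x" * 5000}  # constructed in-memory "filesystem"

@dataclass
class Decision:
    action: str                               # "pass", "rewrite" or "block"
    args: dict = field(default_factory=dict)  # replacement args for "rewrite"
    reason: str = ""

def confine_to_workspace(tool, args):
    """Block read_file paths that resolve outside WORKSPACE; normalise the rest."""
    if tool != "read_file":
        return Decision("pass")
    path = posixpath.normpath(posixpath.join(WORKSPACE, args["path"]))
    if not path.startswith(WORKSPACE + "/"):
        return Decision("block", reason=f"{args['path']!r} escapes {WORKSPACE}")
    return Decision("rewrite", {**args, "path": path}, "path normalised")

def cap_read_size(tool, args, limit=1024):
    """Rewrite oversized or unbounded reads down to the limit instead of refusing."""
    if tool == "read_file" and args.get("max_bytes", limit + 1) > limit:
        return Decision("rewrite", {**args, "max_bytes": limit}, "max_bytes capped")
    return Decision("pass")

def read_file(path, max_bytes):
    return FILES[path][:max_bytes]

@dataclass
class ToolLoop:
    tools: dict
    pre_hooks: list
    audit: list = field(default_factory=list)

    def call(self, tool, args):
        # Fixed point: every model-requested call passes through here before it runs.
        for hook in self.pre_hooks:
            d = hook(tool, args)
            # The audit record is written by code, whatever the model says or omits.
            self.audit.append((hook.__name__, tool, d.action, d.reason))
            if d.action == "block":
                return {"ok": False, "error": d.reason}
            if d.action == "rewrite":
                args = d.args
        return {"ok": True, "result": self.tools[tool](**args)}

loop = ToolLoop({"read_file": read_file}, [confine_to_workspace, cap_read_size])
```

The model only ever sees the returned dictionary; the block, the rewritten arguments and the audit entries are produced whether or not its prompt mentions any policy.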