Google’s free agent handbook has a guardrails gap

When builders borrow safety code from a Google engineer, the dangerous question is not whether the notebook runs. It is whether anyone has tested the guardrails hard enough to trust them when an AI agent starts taking actions outside a demo.

That is the unresolved tension in Antonio Gulli’s free agent handbook. Gulli, a senior director and distinguished engineer in Google’s CTO Office, has published a 424-page guide to agentic design patterns, meaning reusable blueprints for AI systems that can plan, call tools, remember context, and hand work between model-driven steps. Chapter 18 covers “Guardrails/Safety Patterns,” but the chapter does not show that Google’s own products use the code, that Google’s safety teams reviewed it, or that the patterns survived adversarial testing.

That gap matters because the book looks, at first glance, like an unusually generous transfer of production knowledge from inside Google to everyone else building agents. It is more precise to call it one credible engineer’s public pattern library. Useful, yes. Vetted Google safety standard, no.

The book itself is substantial. The GitHub repository says it includes the full PDF and Jupyter notebooks, the interactive coding documents developers use to run examples step by step. It covers 21 chapters across 424 pages, moving from basic prompt chaining and routing to memory management, Model Context Protocol, multi-agent collaboration, and guardrails. Springer Nature lists the book as published Oct. 30, 2025, and the PDF carries a foreword from Marco Argenti, Goldman Sachs’ chief information officer.

The timing helps explain why the guide is getting passed around. The agent tooling market is drowning in wrappers, orchestration frameworks, protocol fights, and paid courses promising to make sense of it all. Gulli’s book does something simpler and more threatening to that market: it names the patterns in plain sequence and gives readers runnable examples. The repository says each chapter includes a Jupyter notebook, and it says all author royalties go to Save the Children. A secondary write-up at PPC Land reported that the book reached No. 1 New Release in Probability & Statistics on Amazon, which is a funny category for the agent economy to discover itself in, but also a signal that builders want a shared vocabulary.

The economics are the quiet pressure point. LangChain, AutoGen, CrewAI, and smaller framework vendors have benefited from the idea that agent orchestration is too messy to learn as a set of general patterns. A free, framework-agnostic handbook does not kill those businesses. It does compress part of their tutorial moat. If prompt chaining, reflection, tool use, and multi-agent handoffs become common vocabulary, vendors have to compete less on explaining the abstraction and more on running it reliably in production.

Safety is where that abstraction stops being enough. A guardrail is a constraint meant to keep an AI system from accepting bad input, producing unsafe output, taking the wrong tool action, or continuing when a human should intervene. Chapter 18 lays out patterns such as input validation, output filtering, human oversight, and graceful degradation. The code demonstrates architecture. It does not demonstrate that the architecture holds against prompt injection, malicious tool calls, data exfiltration attempts, or the boring production failures that make safety systems look sturdy right up until they meet users.

The attribution line is also thinner than the packaging implies. A Medium review said the patterns are based on work showcased at Google I/O 2025, and a System Design Newsletter summary highlights chapters on Model Context Protocol and agent-to-agent protocols, the emerging standards for connecting agents to tools and to each other. The book also drew a Hacker News discussion, which is useful evidence of developer attention, not production validation. But the guardrails chapter itself does not tie its implementation to Search, Cloud, DeepMind, Gemini, or any named Google product. The distinction is not pedantry. Google’s name gives the book gravity, but Google’s name does not validate every notebook.

That leaves the piece useful in a narrower, more honest way. Gulli has given builders a clean map of agent design patterns at a moment when the field badly needs fewer magic words and more shared nouns. The next test is whether someone treats Chapter 18 like infrastructure instead of educational code: run it against hostile inputs, compare it with the guardrails shipping in commercial frameworks, and show which parts actually fail. Until then, the handbook is a vocabulary layer with a safety-shaped hole in the middle.