The appeal of structured outputs
Structured outputs are one of the most useful recent developments in the LLM ecosystem. By constraining a model's response to match a JSON Schema, developers get predictable, parseable results instead of fragile free-form text.
For many applications — data extraction, function calling, form generation — structured outputs for LLMs solve exactly the right problem. They guarantee format consistency and type safety.
But format consistency is not the same as disclosure control.
Format is not disclosure
A structured output constrains the shape of the response. It says: the output must have these fields, of these types, with these value constraints. What it does not say is: these are the only things the model is permitted to reveal.
Consider a schema that asks for a compatibility score between 1 and 5. Structured output guarantees you receive an integer in that range.
But several governance questions remain. Who decided that this schema was appropriate for this interaction? Did both parties agree to it before sharing private context? Can it be changed mid-session? And after the interaction ends, how would either party verify that this schema actually governed the output?
Structured outputs answer the format question. They leave the governance question open.
What structured outputs miss
For narrow, purpose-built agents that handle routine tasks, structured outputs may be all that's needed. A tightly scoped agent exchanging public information or performing a well-defined function can operate safely with format constraints alone. But when agents act as delegates — reasoning over real user constraints like budget limits, health details, or negotiation boundaries — the stakes change. The context is what makes the agent worth having; removing it is not a viable path to privacy. The question becomes how to let agents reason with sensitive context while still constraining what they can reveal.
In that harder case, several additional conditions must hold beyond format consistency.
First, the terms of disclosure must be agreed in advance. A schema imposed unilaterally by one party, or selected dynamically during the session, does not provide the same assurance as a mutually agreed, content-addressed contract.
Second, enforcement should occur outside the model itself. Structured output enforcement often happens inside the model's generation process or in application code. But when the model is one of the coordinating parties, that creates a circular guarantee. An external enforcement layer provides a stronger boundary.
Third, the schema must remain immutable during the session. In most structured output implementations, the schema can be changed between calls. For privacy-sensitive coordination, the schema needs to be locked for the session's duration. Changing it mid-session could widen the disclosure channel without the other party's consent.
Finally, the system should provide a verifiable record of what governed the interaction. Structured outputs leave no such artifact. After the session ends, there is no independent way to confirm that the output was validated against the schema both parties agreed to. Without verification, trust depends entirely on the behavior of the system that produced the output.
The gap: format versus disclosure boundary
The distinction between format and disclosure is subtle but critical. Format says: "the output will be valid JSON matching this schema." Disclosure says: "the output will carry no more information than the schema permits, and that constraint was agreed in advance, enforced externally, and is verifiable after the fact."
Structured outputs provide the first guarantee. Bounded signals — AgentVault's output model — provide the second. The difference is the full trust chain surrounding the schema: how it was agreed, who enforces it, and how you verify it.
A free-text field in a structured output is perfectly format-compliant. It returns a string where the schema expects a string. But that string can carry arbitrary information — names, diagnoses, financial details, relationship descriptions. The format is correct. The disclosure is unbounded.
This is why schema design matters for privacy, and why schema enforcement alone is not enough. The schema itself must be designed to limit information capacity — using enums, bounded integers, and fixed categorical labels rather than open strings. And the schema must be part of a broader agreement that both parties consented to before the session began.
How AgentVault fills the gap
AgentVault builds on the foundation that structured outputs provide and adds the missing layers:
- Coordination contracts establish the schema as part of a pre-agreed, content-addressed document. Both parties agree to identical terms — purpose, schema, prompt template, guardian policy — before any private context enters the system. The contract is referenced by its SHA-256 hash and cannot be modified during the session.
- Relay enforcement validates every output against the contract's schema at an external point. The relay sits between the agents and rejects any output that falls outside the agreed structure. This is enforcement outside the model — an independent structural constraint that neither party controls.
- Channel-capacity constraints. AgentVault treats the schema as a channel-capacity limit. A field accepting an integer between 1 and 5 carries at most ~2.3 bits. A three-value enum carries ~1.6 bits. The total information capacity of the output is the sum of its fields' capacities — a measurable, finite bound on disclosure.
- Cryptographic receipts bind the contract hash, schema, model identity, and output to a signed record. After the session, either party can verify that the output was produced under the agreed terms. The receipt makes the governance auditable, not just aspirational.
Structured outputs as a starting point
None of this diminishes the value of structured outputs. They are a genuine improvement over free-text generation, and they provide the format layer on which disclosure constraints can be built. A system without structured outputs would need to solve format consistency and disclosure control simultaneously.
But treating structured outputs as sufficient for privacy is like treating HTTPS as sufficient for authorization. HTTPS protects the transport. Authorization controls what the authenticated user can access. You need both. Structured outputs for LLMs constrain format. They do not constrain disclosure. Disclosure boundaries constrain what information can flow. Both layers are necessary for agent coordination on sensitive matters.
To see how bounded signals, contracts, and receipts work together in practice, explore the interactive demo.