theloop.computer Writing. A log of findings from engineering, coding, and AI, by Constantinos Koutsakis. 19 July 2026 · 13 min Isolation, not form: the reference monitor comes to agentic code review This is a writeup of a negative result and the older idea it lands on. I built a completion gate for a fleet of LLM agents, meant to guarantee that the reviews a change requires actually happened before it merges. I believed it worked. It didn't, because any record an agent can write, that agent can forge, whatever the record's format and whichever platform produced it. The principle that explains why is not new. It is the reference monitor, introduced in Anderson's 1972 study and formalized in the criteria that followed: a control counts only if it is tamper-proof, always invoked, and small enough to verify. What is new is the domain and three observations in it. Platform lifecycle hooks are cooperative telemetry, not controls. The hook difference I hit between Claude Code and Codex has no security authority at all. And the state that actually bites in production is "installed but not enforced," where a repository looks guarded while nothing gates a merge. I also correct a framing I got wrong at first: the property you need is privilege isolation, not physical location, and even a perfect gate attests that a control ran, not that its judgment was right.