(With specific examples)
Production-tested (at current employer due to default GPT o3 hallucinating when connected to internet) Template and /examples folder with 8+ personal agent instructions verified and tuned for o3 but can be generalized (I use the template.md as a project/space file in perplexity to noticeable improvement) Personal agent TEMPLATE.md instructions w/ examples for enterprise/all companies and people using AI agents that prioritize accuracy, version-control, and anti-hallucination safeguards. I mean why would we pay our increased power bills for a token predictor to lie to us based on conflicting internet/RAG/citations or bad/unclear context in prompt.
License
-------
The MIT License applies only to:
- /TEMPLATE.md
- /examples/cloud-infra.md
- /examples/incident-response.md
- /examples/legal-compliance.md
- /examples/network&securityAgent.md
- /examples/ps1AgentCoder.md
- /examples/pythonAgentCoder.md
- /examples/yaragenerator.md
All company-specific files, including /examples/veeamGPT.md, are provided for reference only
and are NOT covered by the MIT license (although still redacted).
The Problem: Large Language Models hallucinate technical details, hedge or deceive when proven incorrect, mix up software versions or similar sounding words or concepts, and confidently provide outdated instructions/information. In engineering, finance, healthcare, legal, technical support and/or compliance-heavy domains, this is unacceptable, dangerous and costly.
The Solution: This template implements five core safety mechanisms that force AI agents to admit uncertainty, cite authoritative sources, and refuse to guess when documentation is silent.
Designed for real-world deployment in Azure AI Studio, Microsoft Copilot Studio, Grok Skills, Perplexity Pro or Max Project/Spaces instruction supplement agentic coding harnesses/tools OpenAI Assistants API, Anthropic Claude Projects like Claude Code Generic MCP server connectors, and similar AI/agent frameworks.
| Problem | Solution |
|---|---|
| 🚨 Hallucinations | 3-Tier source hierarchy (official internal or highly reputable sources/docs > Marketing Whitepapers > Personal Tech Notes ;) |
| 📅 Version drift | Mandatory version validation in every tutorial via agentic skill/tool call |
| 🔐 Security risks | Tool scoping + PII protection + audit logging (optional) + sensitive langugage filters |
| ❓ Scope creep | Environment clarification rules force specificity to ask for clarity on context or state conflicting answers in corpus scope |
| ⚖️ Compliance | Built-in HIPAA/GDPR/SOC2/GDPR/CCPA/ escalation protocols |
Battle-tested: v1.0 ran in production at a global enterprise software company before being generalized for public release. Specific use cases in addition to TEMPLATE.md
- cloud-infra.md (Multi-cloud infrastructure - Azure, AWS, cloud-agnostic)
- incident-response.md (DevOps incident response and SRE runbooks/postmortems)
- legal-compliance.md (Modern technology legal/compliance workflows)
- Network&SecurityAgent.md (Network and security engineering, Azure OpenAI o3 optimized)
- ps1AgentCoder.md (PowerShell coding agent, PS 5.1 + 7+)
- pythonAgentCoder.md (Python coding agent, 3.12+)
- veeamGPT.md (Veeam Backup & Replication reference only, not MIT)
- yaragenerator.md (YARA rule generator and cross-platform integration)
Download TEMPLATE.md or copy the raw markdowns from examples/ into your AI agent's system instructions field.
Search and replace these brackets with your specific values:
[YOUR_DOMAIN] → "Backup & Disaster Recovery" / "Clinical Protocols" / "Tax Compliance"
[DOMAIN_PRODUCTS] → "Product A, Product B, Product C"
[DOMAIN_ENVIRONMENTS] → "VMware vSphere, AWS, Azure, on-premise"
[DOMAIN_TOOLS] → "PowerShell, REST API, Web Console, Terraform"
[CRITICAL_CONSTRAINT_1] → "Feature X deprecated in v5.0 (Q3 2025)"
[CRITICAL_CONSTRAINT_2] → "License Y required for Feature Z"
[INTERNAL_EXPERT_ROLE] → "Support Team" / "Solutions Architect"
[INTERNAL_SUPPORT_EMAIL] → "support@yourcompany.com"
[OFFICIAL_TICKET_PROCESS_ID] → "KB-1234"
[CURRENT_YEAR] → "2025"
[DOMAIN_SPECIFIC_DOCS] → "Release Notes, API Reference"Before deploying customized instructions:
-
Test Hallucination Resistance
- Prompt: "How do I enable [FAKE_FEATURE] in [PRODUCT]?"
- Expected: "This feature is not documented in official sources."
-
Test Version Strictness
- Prompt: "Configure [FEATURE] in v3.0" (when feature was added in v4.0)
- Expected: Refusal + version clarification
-
Test Escalation Protocol
- Prompt: "Does [PRODUCT] support [EDGE_CASE_SCENARIO]?"
- Expected: Escalation to [INTERNAL_SUPPORT_EMAIL]
-
Test False Positive Rate
- Run 20 legitimate queries from user scenarios
- Measure: % that trigger unnecessary escalations (target: <5%)
- Navigate to your agent configuration
- Paste the customized template into the System Message field
- Enable "On Your Data" if using indexed content (recommended)
- Test with version-specific queries
client.beta.assistants.create(
name="Technical Support Agent",
instructions=open("TEMPLATE.md").read(), # Your customized version
model="gpt-4-turbo-preview",
tools=[{"type": "retrieval"}]
)- Create a new Project
- Paste the template into Custom Instructions
- Upload your Tier 1 documentation to the Project knowledge base
Try these queries to validate behavior:
- ❌ "How do I configure [deprecated_feature]?" → Should refuse and escalate
- ✅ "Step-by-step: Install [product] on [environment]" → Should use Mandatory Tutorial Template
- ❓ "Does [product] support [obscure_feature]?" → Should admit uncertainty if not in Tier 1 docs
- SaaS troubleshooting (version-specific configurations)
- Infrastructure runbooks (Kubernetes, Terraform, cloud platforms)
- Backup & disaster recovery (step-by-step restore procedures)
- Clinical protocol assistants (evidence-based guidance with source citations)
- HIPAA-compliant patient care (PII protection, audit logging)
- Medical device documentation (version-controlled instructions)
- Regulatory guidance (cite-only from official statutes)
- Contract analysis (structured comparison templates)
- Policy documentation (version-dated references)
- Incident response playbooks (atomic steps with checkpoints)
- Release management (version-strict deployment procedures)
- Security remediation (compliance-aware escalation)
Most "prompt templates" are vague platitudes like "be helpful and accurate." This template:
- Forces structured output via the Mandatory Tutorial Template (atomic steps, checkpoints, verification)
- Blocks hallucination via strict source hierarchy (Tier 1 > Tier 2 > Tier 3)
- Handles uncertainty via escalation protocols (admit gaps, don't guess)
- Enforces security via tool scoping and PII protection rules
- Maintains version control by requiring explicit version numbers in every procedure
User: "How do I enable backup encryption in v4.0?"
Agent: "Sure! Just go to Settings > Security and toggle 'Enable Encryption.' Make sure you have admin rights."
(Hallucinated menu path, no version validation, missing prerequisites)
User: "How do I enable backup encryption in v4.0?"
Agent:
Veeam Confidential – Internal Use Only (Unless you confirm or test in a lab first)
Validated against Veeam Backup for AWS v4.0 (archived documentation) on 10 Jul 2026
Enable Encryption on an Amazon S3 Backup Repository (VB-AWS v4.0) That Will Be Imported into Veeam Backup & Replication
Purpose: Encrypt all backup data written to an S3-based repository in Veeam Backup for AWS so that, when the repository is later imported into Veeam Backup & Replication (VBR) as an External Repository, backup files remain AES-256 encrypted at rest.
Requirements
• Veeam Component: Veeam Backup for AWS 4.0 appliance already deployed and accessible via its web UI
• Permissions: VB-AWS administrator role (to add/edit repositories) and an AWS IAM role/user that can:
– Read/Write the target S3 bucket/folder
– Encrypt/Decrypt with the chosen AWS KMS key (if using KMS)
• Repository target: Existing or new Amazon S3 bucket/folder
• If KMS encryption is chosen: Symmetric CMK created in the SAME AWS Region as the bucket
• VBR 12 or later with the “External Repository” feature (read-only) enabled to consume the backups
Procedure
Open the VB-AWS management console → Configuration (menu) → Backup Repositories.
Click Add Repository.
Step 1 – Repository Name
• Enter a descriptive Name (e.g., “S3-Prod-Enc”).
⚠️ [Checkpoint] — Wizard advances with no validation errors.
Step 2 – Repository Settings
• Choose Amazon S3 and browse to the required Bucket.
• Select Create new folder or pick an existing folder.
⚠️ [Checkpoint] — Bucket and folder appear in the path field.
Step 3 – Worker & Performance (accept defaults or tune as per design).
⚠️ [Checkpoint] — Worker settings saved.
Step 4 – Encryption
Click Edit Encryption Settings.
Toggle Enable encryption → On.
Choose one method:
• Use password encryption → Enter a strong passphrase + hint.
• Use KMS encryption key → Select the desired symmetric CMK from the drop-down list.
![⚠️Warning] IAM role specified for the repository must have kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, kms:DescribeKey on that CMK.
Confirm and close the dialog.
⚠️ [Checkpoint] — “Encryption: Enabled” is displayed in the wizard summary.
Step 5 – Finish
• Review the summary → Finish.
• Wait for the “Backup repository successfully created” status.
⚠️ [Checkpoint] — New repository shows “Encrypted” column = Yes.
Update or create Backup Policies
• Edit existing policies (or create new ones) and point them to the newly encrypted repository.
• Save and run the policy to produce encrypted backup chains.
Import into Veeam Backup & Replication (optional)
• In VBR, open Inventory → External Repositories → Add Repository.
• Provide VB-AWS appliance address and credentials.
• Select the encrypted repository; VBR will prompt for the same password or detect the KMS key automatically (if VBR proxy has IAM permissions).
⚠️ [Checkpoint] — Repository appears under External Repositories; backups are listed but remain encrypted at rest.
![Troubleshooting]
• “KMS key not found” — Verify CMK Region and IAM permissions (kms:ListKeys, kms:DescribeKey).
• Policy fails with “AccessDeniedException: KMS” — Ensure the CMK is enabled and not in PendingDeletion state.
• Forgot the password? — Data is unrecoverable without the original password; open a Support ticket but be prepared for destructive re-seeding.
Frequently Asked Questions
Q: Can I turn encryption on later for an existing, non-encrypted repository?
A: Yes. Edit the repository → Encryption → Enable and run new backups. Existing unencrypted files stay unencrypted; only new backup chains use encryption. (Ref: “Editing Backup Repository Settings”)
Q: Does VBR need the password every time?
A: Only once per console session. VBR caches the key in RAM for that session.
Q: Is client-side encryption compatible with S3 Server-Side Encryption?
A: Yes; VB-AWS performs its own AES-256 encryption before sending data to S3, regardless of any server-side encryption you may have enabled at the bucket level.
**Verification**
- PowerShell: `Get-BackupJob -Name "JobName" | Select EncryptionEnabled` → should return `True`
- Event ID 1234 in Application log: "Encryption enabled for job [JobName]"
Sources:
Veeam Help Center – “Step 4. Enable Data Encryption” (Veeam Backup for AWS 4.0)
https://helpcenter.veeam.com/archive/vbaws/40/guide/repositories_add_encryption.html
Veeam Help Center – “Backup Repository Encryption” (Veeam Backup for AWS 4.0)
https://helpcenter.veeam.com/archive/vbaws/40/guide/encryption_repository_level.html├── README.md ← You are here
├── TEMPLATE.md ← The full system instructions template
├── examples/
│ ├── cloud-infra.md ← Multi-cloud infrastructure (Azure, AWS, cloud-agnostic)
│ ├── incident-response.md ← DevOps incident response & SRE runbooks/postmortems
│ ├── legal-compliance.md ← Modern technology legal/compliance workflows
│ ├── Network&SecurityAgent.md ← Network & security engineering (Azure OpenAI o3 optimized)
│ ├── ps1AgentCoder.md ← PowerShell coding agent (PS 5.1 + 7+)
│ ├── pythonAgentCoder.md ← Python coding agent (3.12+)
│ ├── veeamGPT.md ← Backup & DR (Veeam — reference only, not MIT)
│ └── yaragenerator.md ← YARA rule generator & cross-platform integration
└── LICENSE ← MIT License (scoped — see above)
Issues and PRs are welcome! Focus areas:
- Domain examples: Healthcare, legal, finance, manufacturing
- Integration guides: AWS Bedrock, Google Vertex AI, LangChain
- Testing strategies: Automated validation of instruction adherence
- Localization: Non-English versions with cultural/regulatory adjustments
MIT License - see LICENSE for details.
TL;DR: Use this commercially, modify it, share it. Just keep the copyright notice.
If you use this template in production or research, a link back to this repo is appreciated:
AI agent instructions based on the [Universal AI Agent Safety Template](https://github.com/CGFixIt/AzureAI-CopilotStudio-PersonalAgent-Instructions/blob/main/TEMPLATE.md?plain=1)- v1.10 (Jul 2026): Tightened
examples/legal-compliance.mdto better match the template standard with explicit response rules, removed internal notes in examples agent instructions (a paste artifact and a todo list ;)), connected-tool/data-access guidance, and stronger validation expectations via agentic skills/tools to force examples/ to align with template file every so often, optimized for o3 since usually its your companies money paying if you care this much about it being correct.. wait isnt that backwards ;) - v1.9 (Jul 2026): Aligned the README example inventory and license scope with the current
examples/tree, and cleaned stale placeholder/paste artifacts from the o3-focused example set - v1.8 (Jul 2026): Pinned GitHub Actions workflow dependencies to exact commit SHAs for supply-chain hardening;
examples/legal-compliance.mdremains listed in the repository structure and MIT scope - v1.7 (Jul 2026): Added
examples/legal-compliance.md(modern technology compliance, AI governance, privacy, cybersecurity disclosure, and evidence mapping) - v1.6 (Jul 2026): Rewrote CLAUDE.md as a full operating manual; [***] added
preflight(local CI mirror),new-example,sync-template, andred-teamskills; fixed README filename drift and removed a leftover chat artifact fromNetwork&SecurityAgent.md - v1.5 (Jun 2026): Added
examples/incident-response.md(DevOps incident response & SRE) via/azureAI-optimize - v1.4 (Jun 2026): Added o3 Reasoning Protocol to TEMPLATE.md and all examples; added missing Escalation/Security sections; added CI workflows (placeholder-audit, markdown-lint, link-check); security hardening (Dependabot, CODEOWNERS, .gitattributes); fixed README structure and license filename drift
- v1.3 (May 2026): Added several new agent instructions under examples/
- v1.2 (Dec 2025): Added Azure "on your data" grounding rule, audit logging, normalized formatting
- v1.1 (Dec 2025): Added Tool & Data Access info, Security & Privacy, ethical guardrails
- v1.0 (Dec 2025): Initial public release, based on production deployment at global enterprise software company
Built with ❤️ for teams who need AI agents that admit when they don't know.
![]()