Rationale
Model output looks trustworthy because it is fluent, but fluency is not provenance. Generated text, generated code, and generated tool calls can carry hallucinated facts, injected instructions from retrieved content, or subtly wrong logic — and they inherit none of the guarantees of the systems that consume them.
The practical rule: place the same validation boundary after a model that you would place after an anonymous user. Sanitize and constrain generated SQL, shell commands, and API parameters. Review generated code before it ships. Treat text a model read from the web as attacker-controlled when it flows into later prompts.
Teams that adopt this doctrine stop debating how much to “trust” a model — trust is not the operative concept. The pipeline is designed so that no single generation, however plausible, can cause an unreviewed irreversible effect.