The Agentic Trap: Why Your AI Assistant Needs a Leash
How do I build an agent that can actually do work without accidentally leaking customer data or deleting my database?

Engineering security for autonomous agents: How to give them power without giving away the keys to the kingdom.
A mental framework for scoping agent permissions and a checklist for deploying agents safely.
The Problem
We are currently in a race to build 'autonomous agents'—systems that can read emails, query databases, and execute code on our behalf. The appeal is obvious: efficiency. But from an engineering perspective, we are effectively handing a high-speed, literal-minded intern the keys to our production database and asking them not to break anything.
The tension is clear: to be useful, an agent needs access. To be secure, an agent needs restriction. Most teams are treating this as a binary choice, choosing between 'locked-down/useless' and 'fully-autonomous/dangerous.'
What I Noticed
In my work with automation pipelines, I’ve seen a recurring pattern: developers focus on the capability of the agent (e.g., 'Can it write this SQL query?') and ignore the authorization of the agent (e.g., 'Should it be allowed to drop a table?').
Prompt injection, once a niche research topic, has evolved into a real-world vector for 'Tool Injection.' If an agent is designed to parse incoming support tickets and it encounters a malicious prompt, it might not just leak data—it might trigger an API call to your CRM to export your entire client list. The agent isn't 'broken'; it’s just doing exactly what it was authorized to do.
Where AI Fits
AI is not the security threat; the connectivity is. The NIST AI Risk Management Framework emphasizes that AI systems require a specific type of governance. We need to stop viewing agents as software applications and start viewing them as privileged identity accounts.
My Working Approach
I don’t trust an agent to behave. I trust the sandbox it lives in. My approach to agentic security follows three core principles:
- The Principle of Least Privilege (PoLP): If an agent only needs to read from a database, it gets a read-only connection string. Never give an agent a 'root' or 'admin' API key.
- Blast Radius Limitation: If an agent is triggered by an external input (like an email or webhook), its tools should be restricted to a specific partition or a staging environment.
- Human-in-the-Loop (HITL) Gateways: For any action that modifies state (sending an email, updating a record, deleting a file), the agent must generate a 'proposal' that a human reviews before execution.
Practical Example: The 'Review Gate'
When I build agents that interact with business systems, I implement a two-step function call:
- Step 1: The agent identifies the action it wants to take (e.g.,
update_customer_status). - Step 2: Instead of executing, the agent hits an internal API endpoint that creates a 'Pending Approval' task in our project management tool.
This keeps the agent's logic active but forces a manual gate on the execution. It adds a few seconds of friction, but it prevents 100% of 'oops, the AI deleted the production database' scenarios.
What I Would Avoid
- Avoid 'Full Scope' API Keys: Never use your personal OAuth token or master API key for an agent. Create a service account specifically for the agent with access limited to only the required endpoints.
- Avoid Implicit Trust: Don't assume the LLM will 'understand' that it shouldn't access sensitive data. It doesn't have common sense; it has weights and probabilities. If you don't explicitly block an endpoint, the agent will eventually call it.
Try This Next
Audit your existing agents today. Go to your API provider dashboard and list every tool your agent has access to. For each tool, ask: 'If this agent were compromised, what is the worst thing it could do with this specific permission?'
If the answer is 'destroy my business,' scope that permission down immediately. Security for agents isn't about stopping them from working; it's about defining the guardrails within which they can safely run.

Keep reading
Follow the thread
Beyond the Model: Hardening Your AI Workflow
Do I need a PhD to secure my neural network implementation?
Read this noteSame lane, different angle
The Architecture of Autonomy: Why Your Workflows Are Brittle
How do I stop fixing my bots every time a process changes?
The Cognitive Debt of AI: Why I'm Restricting My Kids' Access to 'Smart' Assistants
But there is a dangerous crossover when we apply this engineering mindset to child development.