4 min read
Back to all posts

The Agentic Trap: Why Your AI Assistant Needs a Leash

How do I build an agent that can actually do work without accidentally leaking customer data or deleting my database?

For Software builders and technical operators.
applied-aiautomationworkflowsecurity
A minimalist digital tether connected to an abstract AI node, symbolizing controlled autonomy.
A minimalist digital tether connected to an abstract AI node, symbolizing controlled autonomy.
Reader Lens

Engineering security for autonomous agents: How to give them power without giving away the keys to the kingdom.

A mental framework for scoping agent permissions and a checklist for deploying agents safely.

The Problem

We are currently in a race to build 'autonomous agents'—systems that can read emails, query databases, and execute code on our behalf. The appeal is obvious: efficiency. But from an engineering perspective, we are effectively handing a high-speed, literal-minded intern the keys to our production database and asking them not to break anything.

The tension is clear: to be useful, an agent needs access. To be secure, an agent needs restriction. Most teams are treating this as a binary choice, choosing between 'locked-down/useless' and 'fully-autonomous/dangerous.'

What I Noticed

In my work with automation pipelines, I’ve seen a recurring pattern: developers focus on the capability of the agent (e.g., 'Can it write this SQL query?') and ignore the authorization of the agent (e.g., 'Should it be allowed to drop a table?').

Prompt injection, once a niche research topic, has evolved into a real-world vector for 'Tool Injection.' If an agent is designed to parse incoming support tickets and it encounters a malicious prompt, it might not just leak data—it might trigger an API call to your CRM to export your entire client list. The agent isn't 'broken'; it’s just doing exactly what it was authorized to do.

Where AI Fits

AI is not the security threat; the connectivity is. The NIST AI Risk Management Framework emphasizes that AI systems require a specific type of governance. We need to stop viewing agents as software applications and start viewing them as privileged identity accounts.

My Working Approach

I don’t trust an agent to behave. I trust the sandbox it lives in. My approach to agentic security follows three core principles:

  1. The Principle of Least Privilege (PoLP): If an agent only needs to read from a database, it gets a read-only connection string. Never give an agent a 'root' or 'admin' API key.
  2. Blast Radius Limitation: If an agent is triggered by an external input (like an email or webhook), its tools should be restricted to a specific partition or a staging environment.
  3. Human-in-the-Loop (HITL) Gateways: For any action that modifies state (sending an email, updating a record, deleting a file), the agent must generate a 'proposal' that a human reviews before execution.

Practical Example: The 'Review Gate'

When I build agents that interact with business systems, I implement a two-step function call:

  • Step 1: The agent identifies the action it wants to take (e.g., update_customer_status).
  • Step 2: Instead of executing, the agent hits an internal API endpoint that creates a 'Pending Approval' task in our project management tool.

This keeps the agent's logic active but forces a manual gate on the execution. It adds a few seconds of friction, but it prevents 100% of 'oops, the AI deleted the production database' scenarios.

What I Would Avoid

  • Avoid 'Full Scope' API Keys: Never use your personal OAuth token or master API key for an agent. Create a service account specifically for the agent with access limited to only the required endpoints.
  • Avoid Implicit Trust: Don't assume the LLM will 'understand' that it shouldn't access sensitive data. It doesn't have common sense; it has weights and probabilities. If you don't explicitly block an endpoint, the agent will eventually call it.

Try This Next

Audit your existing agents today. Go to your API provider dashboard and list every tool your agent has access to. For each tool, ask: 'If this agent were compromised, what is the worst thing it could do with this specific permission?'

If the answer is 'destroy my business,' scope that permission down immediately. Security for agents isn't about stopping them from working; it's about defining the guardrails within which they can safely run.

Diagram showing the flow of data from an AI agent through a sandbox layer to internal APIs, with a manual human approval gate.
A minimalist digital tether connected to an abstract AI node, symbolizing controlled autonomy.
Source and trust note

Built from 2 source references and filtered through practical implementation judgment.

Keep reading

Follow the thread

Browse all notes