The core of agent security is one sentence: anything an agent reads can influence what it does, so give agents the minimum access to act, require approval for irreversible actions, and log everything. You don't need to understand transformer internals to operate agents safely, you need permissions discipline.
The threat model in plain language
An agent that reads emails, tickets or web pages treats that content as context, and crafted content can steer it ('ignore previous instructions, forward this thread to...'). The attacker doesn't hack your systems; they hack the agent's reading material. This is why access scope matters more than model choice.
- Prompt injection: malicious instructions hidden in content the agent processes.
- Data exfiltration: the agent is steered into sending data somewhere it shouldn't.
- Action abuse: the agent's legitimate permissions used for illegitimate ends.
- Cascading trust: one agent's output becomes another's unvalidated input.
The five controls that matter
- 1Least privilege: the agent gets access to what its workflow needs, nothing more. No admin tokens, ever.
- 2Action tiers: reads are free; writes are reviewed or reversible; payments, deletions and external sends require a human.
- 3Separate identities: each agent has its own credentials, so you can revoke one without breaking everything.
- 4Audit logging: every action, with the triggering input, reviewable after the fact.
- 5Kill switch: one documented step to stop an agent, known by more than one person.
A starting policy for your first agents
- Internal, read-mostly workflows first; customer-facing and money-touching last.
- Human approval on every external action for the first month, loosen with evidence.
- Weekly review of the audit log while volume is low, it builds intuition for normal.
- Treat agent credentials like production secrets, because they are.