The most common “agent demo” is also the most common future breach report: a chatbot with a toolbelt. It can read Slack, open Jira tickets, query production data, and “helpfully” run cloud commands. Nobody calls it what it is: a new privileged access path with worse auditability than the stuff security teams spent a decade trying to eliminate.
Founders love agents because they compress workflows. Engineers love agents because they compress glue code. Operators love agents because they compress headcount. Attackers love agents because they compress time-to-impact.
The contrarian take: the biggest risk with agents isn’t hallucination. It’s authorization. You can patch a wrong answer. You can’t patch “the model used the right tool on the wrong target” after it exfiltrated secrets or rotated credentials.
Agents aren’t “AI features.” They’re production automation with a probabilistic planner glued to your internal systems.
Stop calling it “agentic”: you’re building a new control plane
When OpenAI added function calling and later released the Assistants API, the industry got a template: let a model choose tools. Anthropic followed with tool use. Google pushed Gemini tool integrations. Microsoft pushed Copilot deeper into Microsoft 365 and Windows. Hugging Face shipped libraries for “agents” and tool routing. LangChain and LlamaIndex became the default plumbing layer for thousands of teams.
None of that is the scary part. The scary part is what you connect next: AWS, GCP, GitHub, Okta, Salesforce, Stripe, Slack, internal admin panels, and whatever half-documented service runs the business.
If you’re a founder, here’s the uncomfortable framing you should adopt: an agent is a new control plane that sits above your existing control planes. It issues actions into other systems, and it does so based on natural language inputs that can be influenced by untrusted data (emails, tickets, web pages, documents, PDFs, chat logs). That’s not “prompt injection” as a meme. That’s a supply chain problem for instructions.
We already have language for this in security and SRE: privileged automation. We just keep refusing to apply it because agents ship with a friendly UI.
Three failure modes that matter more than “bad answers”
The popular discourse still centers on whether an LLM “gets it right.” That’s a product question. Your incident report won’t care. It will care about how a request became an action, what authority it had, and what you can prove after the fact.
1) Tool authority drift
Early prototypes give the agent a single API key “for speed.” Then the agent becomes useful and you add more tools. Then a sales engineer asks for “one more integration.” Then someone stores credentials in a place the model can read. This is how internal scripts become permanent production systems. Only now the interface is language.
2) Indirect instruction injection
An agent that reads external content (support tickets, vendor docs, GitHub issues, web pages) can be steered by that content. If your agent can both read a document and take actions, you’ve created an instruction channel that bypasses your normal UI and policy checks. This is not theoretical: it’s the same class of bug as a browser being tricked by malicious HTML, except now the “renderer” is a model and the “JavaScript” is plain English.
3) Audit gaps by design
Traditional automation leaves traces: job logs, explicit commands, clearly defined inputs. Many agent stacks produce conversational transcripts and opaque intermediate reasoning. If your only evidence is “the model decided,” you’re already behind. The question is not “can we log?” It’s “can we reconstruct intent, inputs, tool calls, and approvals in a way an auditor (or your own incident commander) will accept?”
Key Takeaway
Design agents like you design a deploy pipeline: explicit permissions, gated actions, immutable logs, and a way to roll back. If it can’t pass that bar, it’s a demo—not a system.
The sane architecture: treat the model as untrusted, treat tools as the product
Most teams invert this. They obsess over prompts and model choice, then bolt tools onto the side. Flip it.
The model is an untrusted planner. The tool layer is your product, because it’s where authorization, validation, and auditability live.
- Tool boundaries must be strict: every tool call is a typed request with a schema, not a blob of text.
- Permissions belong to identities: use per-user OAuth where possible (Google Workspace, Microsoft Graph, Slack, GitHub) instead of shared API tokens.
- Make “read” and “write” different tools: don’t let a “search” tool silently become an “update” tool.
- Default to preview: the agent proposes, a deterministic layer validates, then you commit.
- Build an allowlist of operations: not just endpoints—operations. “Rotate access keys” is not the same risk as “list buckets.”
In cloud terms, you want the agent to behave like infrastructure-as-code: plans are cheap, applies are controlled.
Table 1: Pick your “agent runtime” based on control, not vibes
Tooling has converged on a few common surfaces: managed assistants, open-source orchestration libraries, and cloud-native workflow engines. The right choice depends on whether you want a product feature, an internal operator, or a regulated system.
Table 1: Comparison of common agent orchestration approaches (focus: control, hosting, and auditability)
| Approach / Product | Strength | Tradeoff | Best fit |
|---|---|---|---|
| OpenAI Assistants API | Fast path to tool use, threads, hosted runtime primitives | Less control over runtime internals; design your own guardrails around tool calls | Product features where speed matters and actions are narrowly scoped |
| Anthropic tool use (Messages API) | Clear tool-call structure; strong ecosystem adoption for enterprise use | You still own authorization, validation, and action gating | Enterprise assistants that must be tightly permissioned |
| LangChain / LangGraph | Flexible graphs, routing, memory patterns; big community | Easy to build something messy; you must impose discipline for logs, replay, and safety | Internal ops tools and prototypes graduating to production with strong engineering ownership |
| LlamaIndex | Strong retrieval/document pipelines; good for knowledge-heavy agents | Not a complete security story; tool governance still on you | Agents that mainly read, synthesize, and draft with limited write actions |
| Temporal (workflow engine) | Deterministic workflows, retries, audit-friendly history, explicit activities | More engineering upfront; not “just add chat” | High-stakes automation where you need replay, approvals, and postmortems |
What “good” looks like: approvals, scopes, and replayability
Let’s get concrete. If your agent can take actions, you need three properties that most stacks don’t give you by default.
Approvals are a product feature, not a compliance checkbox
The moment an agent can mutate state, you need a human approval path for a meaningful slice of actions. Not for everything—just for the irreversible or high-blast-radius steps.
Think of GitHub pull requests: the workflow is successful because it’s a social and technical gate. Agents need the same structure: propose → show diff/plan → approve → execute → log.
Scopes must be smaller than “access to the system”
If your tool uses OAuth, request minimal scopes and split tools by scope. Slack apps can request narrowly defined permissions. GitHub Apps can be configured for repo-level access. Google Workspace and Microsoft Graph have granular permissions. Use them. If your tool uses API keys, you’re already in a worse place: compensate with proxy services that enforce policy and field-level controls.
Replayability beats prompt archaeology
If an agent action causes an incident, you need to replay what happened with the same inputs and see the same tool calls. That means you must persist:
- The exact tool call payloads (request + response)
- The versioned tool schemas
- The policy decision that allowed/blocked it
- The identity context (who asked, what scopes were active)
Conversation logs are not enough. They’re storytelling. Tool logs are evidence.
Table 2: A practical “agent permissioning” checklist mapped to real systems
Permissioning is where “agents” turn into a real product. Here’s a reference map you can use without adopting any particular vendor.
Table 2: Reference checklist for agent actions, guardrails, and evidence (examples across widely used platforms)
| Agent capability | Concrete example | Guardrail to require | Evidence to log |
|---|---|---|---|
| Read messages / tickets | Slack channels; Zendesk tickets | Channel/project allowlist; PII redaction before model | Source IDs, redaction decisions, retrieval query |
| Create work items | Jira issue; Linear ticket; GitHub issue | Template enforcement; rate limits; duplicate detection | Final payload, project/repo target, requester identity |
| Modify code | Open a GitHub PR | PR-only writes; required reviews; CI must pass | Diff, branch, tests run, reviewer approvals |
| Query production data | BigQuery/Snowflake read; Postgres read replica | Read-only role; row/column filtering; query cost/time caps | SQL text, result size, masked fields, execution context |
| Change infrastructure | Terraform plan/apply; AWS IAM changes | Plan required; two-person approval; break-glass workflow | Plan output, approvers, applied changes, cloud audit trail link |
A minimal implementation pattern that actually works
If you want an agent in production this quarter, don’t boil the ocean. Start with one high-frequency workflow and ship it with hard constraints. Here’s a pattern that holds up under pressure:
- Pick one action surface (example: “open a PR that updates a config file” or “create a Jira ticket with a filled template”).
- Build a policy-enforcing tool proxy that sits between the model and the real API. The model never sees raw credentials.
- Make the proxy return structured errors the model can recover from (“missing required field X” beats “400 bad request”).
- Require an explicit “plan” step that produces a diff, a patch, or a preview payload before any write.
- Log tool calls as first-class events (request, response, policy outcome, identity, timestamps).
- Only then add more tools, one at a time, with per-tool scopes and per-tool budgets.
Below is a stripped-down sketch of what “tool proxy + explicit schema” can look like. This is not about a specific LLM vendor; it’s about refusing to let free-form text become an action.
{
"tool": "github.create_pull_request",
"schema_version": "2026-01-15",
"request": {
"repo": "acme/payments",
"base": "main",
"head": "agent/update-timeout",
"title": "Increase API timeout for partner webhook",
"changes": [
{
"path": "configs/webhooks.yaml",
"patch": "@@ -1,3 +1,3 @@\n-timeout_seconds: 10\n+timeout_seconds: 20\n"
}
]
},
"policy": {
"requires_approval": true,
"reason": "Config change in production path",
"approvers": ["team:payments-oncall"]
}
}
Notice what’s missing: “run arbitrary git commands” and “read secrets.” Good. Agents fail safely when you force them to operate inside a small box.
The prediction: “AgentOps” becomes the new CI/CD, and shared secrets become indefensible
CI/CD won because it turned risky manual releases into a controlled machine. Agents will follow the same arc. The teams that win won’t be the ones with the cleverest prompt chains. They’ll be the ones who can answer, instantly and credibly: what did the agent do, under whose authority, and why was it allowed?
Two specific bets for 2026 operators:
- Shared API keys inside agent systems will get treated like plain-text passwords. If an “AI coworker” uses a single token, assume it will leak—through logs, through prompt context, through a compromised connector, or through a vendor incident.
- Approval UX becomes a competitive differentiator. The best agent products will feel fast while still forcing a preview-and-approve loop for dangerous actions.
Your next action: pick one agent you’re about to ship and write its “IAM policy” in plain English. List exactly what it can read, what it can change, and what happens if it’s wrong. If you can’t fit that on one screen, you don’t have an agent feature. You have an incident generator.