Technology
8 min read

AI Agents Are a Security Incident Waiting to Happen: How to Ship Them Without Handing Over Your AWS Keys

The agent hype is real, but most teams are building privileged automation without the controls we already learned from cloud breaches. Fix the interface, not the prompt.

AI Agents Are a Security Incident Waiting to Happen: How to Ship Them Without Handing Over Your AWS Keys

The most common “agent demo” is also the most common future breach report: a chatbot with a toolbelt. It can read Slack, open Jira tickets, query production data, and “helpfully” run cloud commands. Nobody calls it what it is: a new privileged access path with worse auditability than the stuff security teams spent a decade trying to eliminate.

Founders love agents because they compress workflows. Engineers love agents because they compress glue code. Operators love agents because they compress headcount. Attackers love agents because they compress time-to-impact.

The contrarian take: the biggest risk with agents isn’t hallucination. It’s authorization. You can patch a wrong answer. You can’t patch “the model used the right tool on the wrong target” after it exfiltrated secrets or rotated credentials.

Agents aren’t “AI features.” They’re production automation with a probabilistic planner glued to your internal systems.

Stop calling it “agentic”: you’re building a new control plane

When OpenAI added function calling and later released the Assistants API, the industry got a template: let a model choose tools. Anthropic followed with tool use. Google pushed Gemini tool integrations. Microsoft pushed Copilot deeper into Microsoft 365 and Windows. Hugging Face shipped libraries for “agents” and tool routing. LangChain and LlamaIndex became the default plumbing layer for thousands of teams.

None of that is the scary part. The scary part is what you connect next: AWS, GCP, GitHub, Okta, Salesforce, Stripe, Slack, internal admin panels, and whatever half-documented service runs the business.

If you’re a founder, here’s the uncomfortable framing you should adopt: an agent is a new control plane that sits above your existing control planes. It issues actions into other systems, and it does so based on natural language inputs that can be influenced by untrusted data (emails, tickets, web pages, documents, PDFs, chat logs). That’s not “prompt injection” as a meme. That’s a supply chain problem for instructions.

We already have language for this in security and SRE: privileged automation. We just keep refusing to apply it because agents ship with a friendly UI.

terminal showing code and logs representing privileged automation risk
Agents look like chat. Their blast radius looks like a production terminal.

Three failure modes that matter more than “bad answers”

The popular discourse still centers on whether an LLM “gets it right.” That’s a product question. Your incident report won’t care. It will care about how a request became an action, what authority it had, and what you can prove after the fact.

1) Tool authority drift

Early prototypes give the agent a single API key “for speed.” Then the agent becomes useful and you add more tools. Then a sales engineer asks for “one more integration.” Then someone stores credentials in a place the model can read. This is how internal scripts become permanent production systems. Only now the interface is language.

2) Indirect instruction injection

An agent that reads external content (support tickets, vendor docs, GitHub issues, web pages) can be steered by that content. If your agent can both read a document and take actions, you’ve created an instruction channel that bypasses your normal UI and policy checks. This is not theoretical: it’s the same class of bug as a browser being tricked by malicious HTML, except now the “renderer” is a model and the “JavaScript” is plain English.

3) Audit gaps by design

Traditional automation leaves traces: job logs, explicit commands, clearly defined inputs. Many agent stacks produce conversational transcripts and opaque intermediate reasoning. If your only evidence is “the model decided,” you’re already behind. The question is not “can we log?” It’s “can we reconstruct intent, inputs, tool calls, and approvals in a way an auditor (or your own incident commander) will accept?”

Key Takeaway

Design agents like you design a deploy pipeline: explicit permissions, gated actions, immutable logs, and a way to roll back. If it can’t pass that bar, it’s a demo—not a system.

The sane architecture: treat the model as untrusted, treat tools as the product

Most teams invert this. They obsess over prompts and model choice, then bolt tools onto the side. Flip it.

The model is an untrusted planner. The tool layer is your product, because it’s where authorization, validation, and auditability live.

  • Tool boundaries must be strict: every tool call is a typed request with a schema, not a blob of text.
  • Permissions belong to identities: use per-user OAuth where possible (Google Workspace, Microsoft Graph, Slack, GitHub) instead of shared API tokens.
  • Make “read” and “write” different tools: don’t let a “search” tool silently become an “update” tool.
  • Default to preview: the agent proposes, a deterministic layer validates, then you commit.
  • Build an allowlist of operations: not just endpoints—operations. “Rotate access keys” is not the same risk as “list buckets.”

In cloud terms, you want the agent to behave like infrastructure-as-code: plans are cheap, applies are controlled.

laptop with architectural diagrams representing agent tool boundaries
The winning agent stacks treat the model like orchestration, not authority.

Table 1: Pick your “agent runtime” based on control, not vibes

Tooling has converged on a few common surfaces: managed assistants, open-source orchestration libraries, and cloud-native workflow engines. The right choice depends on whether you want a product feature, an internal operator, or a regulated system.

Table 1: Comparison of common agent orchestration approaches (focus: control, hosting, and auditability)

Approach / ProductStrengthTradeoffBest fit
OpenAI Assistants APIFast path to tool use, threads, hosted runtime primitivesLess control over runtime internals; design your own guardrails around tool callsProduct features where speed matters and actions are narrowly scoped
Anthropic tool use (Messages API)Clear tool-call structure; strong ecosystem adoption for enterprise useYou still own authorization, validation, and action gatingEnterprise assistants that must be tightly permissioned
LangChain / LangGraphFlexible graphs, routing, memory patterns; big communityEasy to build something messy; you must impose discipline for logs, replay, and safetyInternal ops tools and prototypes graduating to production with strong engineering ownership
LlamaIndexStrong retrieval/document pipelines; good for knowledge-heavy agentsNot a complete security story; tool governance still on youAgents that mainly read, synthesize, and draft with limited write actions
Temporal (workflow engine)Deterministic workflows, retries, audit-friendly history, explicit activitiesMore engineering upfront; not “just add chat”High-stakes automation where you need replay, approvals, and postmortems

What “good” looks like: approvals, scopes, and replayability

Let’s get concrete. If your agent can take actions, you need three properties that most stacks don’t give you by default.

Approvals are a product feature, not a compliance checkbox

The moment an agent can mutate state, you need a human approval path for a meaningful slice of actions. Not for everything—just for the irreversible or high-blast-radius steps.

Think of GitHub pull requests: the workflow is successful because it’s a social and technical gate. Agents need the same structure: propose → show diff/plan → approve → execute → log.

Scopes must be smaller than “access to the system”

If your tool uses OAuth, request minimal scopes and split tools by scope. Slack apps can request narrowly defined permissions. GitHub Apps can be configured for repo-level access. Google Workspace and Microsoft Graph have granular permissions. Use them. If your tool uses API keys, you’re already in a worse place: compensate with proxy services that enforce policy and field-level controls.

Replayability beats prompt archaeology

If an agent action causes an incident, you need to replay what happened with the same inputs and see the same tool calls. That means you must persist:

  • The exact tool call payloads (request + response)
  • The versioned tool schemas
  • The policy decision that allowed/blocked it
  • The identity context (who asked, what scopes were active)

Conversation logs are not enough. They’re storytelling. Tool logs are evidence.

team reviewing logs and incidents representing auditability for agents
If you can’t replay it, you can’t debug it—and you can’t defend it.

Table 2: A practical “agent permissioning” checklist mapped to real systems

Permissioning is where “agents” turn into a real product. Here’s a reference map you can use without adopting any particular vendor.

Table 2: Reference checklist for agent actions, guardrails, and evidence (examples across widely used platforms)

Agent capabilityConcrete exampleGuardrail to requireEvidence to log
Read messages / ticketsSlack channels; Zendesk ticketsChannel/project allowlist; PII redaction before modelSource IDs, redaction decisions, retrieval query
Create work itemsJira issue; Linear ticket; GitHub issueTemplate enforcement; rate limits; duplicate detectionFinal payload, project/repo target, requester identity
Modify codeOpen a GitHub PRPR-only writes; required reviews; CI must passDiff, branch, tests run, reviewer approvals
Query production dataBigQuery/Snowflake read; Postgres read replicaRead-only role; row/column filtering; query cost/time capsSQL text, result size, masked fields, execution context
Change infrastructureTerraform plan/apply; AWS IAM changesPlan required; two-person approval; break-glass workflowPlan output, approvers, applied changes, cloud audit trail link

A minimal implementation pattern that actually works

If you want an agent in production this quarter, don’t boil the ocean. Start with one high-frequency workflow and ship it with hard constraints. Here’s a pattern that holds up under pressure:

  1. Pick one action surface (example: “open a PR that updates a config file” or “create a Jira ticket with a filled template”).
  2. Build a policy-enforcing tool proxy that sits between the model and the real API. The model never sees raw credentials.
  3. Make the proxy return structured errors the model can recover from (“missing required field X” beats “400 bad request”).
  4. Require an explicit “plan” step that produces a diff, a patch, or a preview payload before any write.
  5. Log tool calls as first-class events (request, response, policy outcome, identity, timestamps).
  6. Only then add more tools, one at a time, with per-tool scopes and per-tool budgets.

Below is a stripped-down sketch of what “tool proxy + explicit schema” can look like. This is not about a specific LLM vendor; it’s about refusing to let free-form text become an action.

{
  "tool": "github.create_pull_request",
  "schema_version": "2026-01-15",
  "request": {
    "repo": "acme/payments",
    "base": "main",
    "head": "agent/update-timeout",
    "title": "Increase API timeout for partner webhook",
    "changes": [
      {
        "path": "configs/webhooks.yaml",
        "patch": "@@ -1,3 +1,3 @@\n-timeout_seconds: 10\n+timeout_seconds: 20\n"
      }
    ]
  },
  "policy": {
    "requires_approval": true,
    "reason": "Config change in production path",
    "approvers": ["team:payments-oncall"]
  }
}

Notice what’s missing: “run arbitrary git commands” and “read secrets.” Good. Agents fail safely when you force them to operate inside a small box.

people collaborating in an office representing approvals and operational workflows
The highest ROI isn’t “more autonomy.” It’s better workflow design around autonomy.

The prediction: “AgentOps” becomes the new CI/CD, and shared secrets become indefensible

CI/CD won because it turned risky manual releases into a controlled machine. Agents will follow the same arc. The teams that win won’t be the ones with the cleverest prompt chains. They’ll be the ones who can answer, instantly and credibly: what did the agent do, under whose authority, and why was it allowed?

Two specific bets for 2026 operators:

  • Shared API keys inside agent systems will get treated like plain-text passwords. If an “AI coworker” uses a single token, assume it will leak—through logs, through prompt context, through a compromised connector, or through a vendor incident.
  • Approval UX becomes a competitive differentiator. The best agent products will feel fast while still forcing a preview-and-approve loop for dangerous actions.

Your next action: pick one agent you’re about to ship and write its “IAM policy” in plain English. List exactly what it can read, what it can change, and what happens if it’s wrong. If you can’t fit that on one screen, you don’t have an agent feature. You have an incident generator.

David Kim

Written by

David Kim

VP of Engineering

David writes about engineering culture, team building, and leadership — the human side of building technology companies. With experience leading engineering at both remote-first and hybrid organizations, he brings a practical perspective on how to attract, retain, and develop top engineering talent. His writing on 1-on-1 meetings, remote management, and career frameworks has been shared by thousands of engineering leaders.

Engineering Culture Remote Work Team Building Career Development
View all articles by David Kim →

Agent Permissioning & Audit Checklist (v1)

A practical, vendor-neutral checklist to design AI agents as privileged automation: scopes, approvals, tool proxies, and logging you can defend in an incident review.

Download Free Resource

Format: .txt | Direct download

More in Technology

View all →
Read ICMD on Google

Get more ICMD in your Google Search results

Add ICMD as a preferred source and our latest articles, guides, and analysis show up higher when you search on Google.

ICMD. Add as a preferred source on Google