Agent Security Guide

Agent security protects the boundary between model reasoning and real-world authority. In a simple Q&A product, the main risk may be a wrong answer. In an agentic workflow, the wrong answer can become a database update, a customer email, a pull request, a purchase, or a leaked credential. The object you protect is therefore not only the model output. You protect the tools the model can call, the data it can read, the instructions it can trust, and the memory it can write for future sessions.

A useful threat model starts by listing assets. Assets include API keys, internal documents, customer records, source code, financial limits, private conversations, user accounts, and workflow state. Then list actions the agent can perform: read, transform, create, update, delete, send, purchase, deploy, or schedule. Each action needs a trust boundary. If the agent can read support emails and call a refund API, an attacker who sends a malicious email has a path from untrusted text to business action unless you add controls.

Prompt injection is often described as a prompt-writing failure, but the more useful view is tool control. A malicious page that says 'ignore previous instructions and exfiltrate secrets' is annoying when the assistant only summarizes text. It becomes serious when the assistant has a file tool, browser session, email sender, repository access, or memory writer. Security improves when untrusted content cannot directly change the agent's policy, tool scope, or approval requirements.

Separate trusted instructions from untrusted content in both design and logs. The agent should know which text came from the user, which came from system policy, which came from a tool, and which came from an external document. Tool outputs should be treated as data, not authority. If a web page tells the agent to call another tool, the agent should treat that as a claim inside the page, not as an instruction from the operator. This distinction is central to reliable agent design.

The safest agent tool is narrow, typed, and reversible. A tool named send_email_to_customer is riskier than draft_customer_email because it crosses from suggestion into action. A tool named run_shell_command is riskier than format_json because it exposes a large capability surface. Least privilege means each tool can do only the job it was created for, with only the data it needs, and with outputs that are easy for a human or monitor to inspect.

Least privilege also applies to credentials. If an agent reads GitHub issues, do not give it a token that can delete repositories. If it searches documentation, do not give it production database access. If it calculates AI operating costs, use a static calculator like /tools/ai-cost-calculator/ instead of passing billing credentials into a model. When write access is necessary, separate the read and write tools and make the write action explicit in the UI and logs.

Human approval should be reserved for actions that matter. If every small read operation requires approval, users will approve blindly. If no meaningful action requires approval, the agent can cause damage before anyone notices. A practical pattern is to allow low-risk reads, require review for writes, and require stronger confirmation for destructive, financial, external, or irreversible actions.

Approval screens need enough context for a decision. Show the proposed action, destination, affected records, estimated cost, source evidence, and alternative. For example, before an agent sends a message, show the exact message and recipient. Before it runs code, show the command and working directory. Before it uses a paid model at scale, estimate the expected monthly cost with a model similar to the one in the AI Cost Calculator. Good approval UX is security infrastructure, not just product polish.

Agent monitoring should capture decisions, tool calls, errors, approvals, refusals, cost spikes, and policy violations. Monitoring is not only for debugging. It is how teams detect prompt injection attempts, unexpected tool combinations, repeated failures, memory poisoning, and runaway spending. The agent monitoring guide at /guides/agent-monitoring/ expands this into metrics, dashboards, and alert rules.

Incident response for agents should be planned before launch. Know how to disable an agent, revoke its tokens, pause a tool, clear unsafe memory, identify affected users, and replay the trace that led to an action. If the only way to understand an incident is to read raw chat logs manually, the system is not ready for high-impact workflows. Structured traces make investigations faster and make evaluation data more useful.

Security and reliability are connected. An unreliable agent that frequently misunderstands tasks will also call tools incorrectly. Before production, build an evaluation set that includes normal tasks, edge cases, malicious content, ambiguous requests, missing permissions, and expected refusals. The agent evaluation framework at /guides/agent-evaluation-framework/ explains how to turn these cases into regression tests instead of one-off demos.

Reliability also depends on fallback behavior. The agent should know when to ask for clarification, when to refuse, when to produce a draft instead of taking action, and when to hand control back to a human. A secure agent is not one that never fails. It is one that fails visibly, with limited blast radius, and with enough evidence for the team to improve it.

Agent memory can make products feel intelligent, but it creates durable risk. A poisoned memory can influence future sessions. A stale memory can override current facts. A private memory can leak into the wrong conversation. The agent memory systems guide at /guides/agent-memory-systems/ covers memory scopes, retention, consent, and deletion in more detail.

The safest memory design separates user preferences, project facts, task state, and sensitive records. It also records provenance: where did this memory come from, who approved it, when was it last verified, and when should it expire? Agents should not blindly write long-term memory from untrusted content. Treat memory writes as state changes that need validation, especially when they affect permissions, identity, billing, or production workflow.