Security and Safety

Permission models apply the principle of least privilege to agents: each agent receives only the access it needs to complete its assigned task, nothing more. This topic appears after the autonomy spectrum in the learning sequence because you cannot design meaningful permissions until you know what level of autonomy you are granting.

The principle of least privilege dictates that agents receive only the minimum permissions needed to complete their assigned task, nothing more. This principle is foundational for agentic systems because agents are inherently unpredictable: a well-designed agent can still be manipulated through prompt injection, make reasoning errors, or hit unexpected edge cases that lead to unintended actions.

Prompt injection is the primary attack vector against language model-based systems, where malicious input manipulates the model into ignoring its system instructions and executing unintended actions instead. Direct prompt injection embeds malicious instructions in user input, while indirect prompt injection hides instructions in data the agent retrieves, such as a malicious comment in a code file or a manipulated web page an agent processes during a tool call.