3. Permissions by design: tie tools to tasks, not models
A common anti-pattern is to give the model long-lasting credibility and hopefully keep it humble. SAIF and NIST argue the opposite: credentials and scopes should be tied to tools and tasks, rotated regularly, and auditable. Agents then request narrow-scope capabilities through those devices.
In practice, it looks like this: “The finance-ops-agent can read, but not write, certain ledgers without CFO approval.”
CEO’s question: Can we revoke a specific ability from an agent without re-architecting the entire system?
Control data and behavior
These stages constrain gate input, output and behavior.
4. Input, Memory and RAG: Treat external material as hostile until proven otherwise
Most agent incidents start with secret data: a poisoned web page, PDF, email, or repository that smuggles adversarial instructions into the system. OWASP’s prompt-injection cheat sheet and OpenAI’s own guidance both insist on strictly separating system instructions from user content and treating unvetted recovery sources as untrusted.
Operationally, before anything enters retrieval or long-term memory, gate: new sources are reviewed, tagged, and onboarded; Persistent memory is disabled when untrusted references exist; There is provenance associated with each piece.
CEO’s question: Can we count all the external content sources our agents learn from, and who approved them?
5. Output handling and rendering: Nothing gets executed “just because the model said so”
In the Anthropic case, AI-generated exploit code and credential dumps flowed directly into the action. Any output that could cause side effects requires a validator between the agent and the real world. OWASP’s Insecure Output Handling category is obvious at this point, as are browser security best practices around basic limitations.
