3. Permissions by design: Bind tools to tasks, not to models
A common anti-pattern is to give the model a long-lived credential and hope prompts keep it polite. SAIF and NIST argue the opposite: credentials and scopes should be bound to tools and tasks, rotated regularly, and auditable. Agents then request narrowly scoped capabilities through those tools.
In practice, that looks like: “finance-ops-agent may read, but not write, certain ledgers without CFO approval.”
The CEO question: Can we revoke a specific capability from an agent without re-architecting the whole system?
Control data and behavior
These steps gate inputs, outputs, and constrain behavior.
4. Inputs, memory, and RAG: Treat external content as hostile until proven otherwise
Most agent incidents start with sneaky data: a poisoned web page, PDF, email, or repository that smuggles adversarial instructions into the system. OWASP’s prompt-injection cheat sheet and OpenAI’s own guidance both insist on strict separation of system instructions from user content and on treating unvetted retrieval sources as untrusted.
Operationally, gate before anything enters retrieval or long-term memory: new sources are reviewed, tagged, and onboarded; persistent memory is disabled when untrusted context is present; provenance is attached to each chunk.
The CEO question: Can we enumerate every external content source our agents learn from, and who approved them?
5. Output handling and rendering: Nothing executes “just because the model said so”
In the Anthropic case, AI-generated exploit code and credential dumps flowed straight into action. Any output that can cause a side effect needs a validator between the agent and the real world. OWASP’s insecure output handling category is explicit on this point, as are browser security best practices around origin boundaries.
