The Safest Boundary Is The One The Agent Can't Reach Across
If an AI agent runs infrastructure for multiple organizations, security becomes a nightmare.
The danger is not the agent making a clever mistake. The danger is the agent doing something mundane for the wrong person.
Writing a ticket or rotating a secret for Customer B instead of Customer A is a breach. You cannot patch a breach. You must disclose it.
Most people try to solve this with permissions. They create a list of what the agent can touch. They check every action against that list.
This fails. Permissions assume the resource exists and you just say no. If your rule has a bug or a missing case, the agent reaches the wrong data.
I use a different model. I make the wrong data structurally absent.
In a session for Customer A, the resources for Customer B do not exist. The credentials are not loaded. The endpoints are not in the map. There is nothing to ask for, so there is nothing to deny.
Rules have bugs. The physical structure of the system does not.
I learned this the hard way. I thought a secrets manager was enough. I thought isolating secrets isolated the tenants. I was wrong.
A secrets manager isolates secrets, but it does not isolate endpoints. An agent could have the right token for Customer A but still send a request to Customer B's address if that address is in the configuration.
The leak is not in the secret. The leak is in the routing.
I fixed this by binding every resource into one record:
- Resource
- Endpoint
- Credential
- Owning tenant
You cannot get the address without getting the owner. The library that sends data refuses to work if the tenant does not match the session. You cannot hardcode your way around this because the address only exists when it is welded to its owner.
I use three layers of defense:
- Structural isolation so the wrong data does not exist.
- A bypass block so the agent cannot use raw tools to skip checks.
- Egress scoping so the session can only talk to allowed addresses.
This creates a system that fails closed.
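The three layers above, as an added example that is not from the original post: a session that loads only its own tenant's records (so the other tenant's endpoints and credentials are never in memory), exposes a single `send()` instead of a raw HTTP client, and derives its egress allowlist from the records it did load. The tenant names, hostnames, tokens and the `fake_transport` stand-in are all constructed for illustration.

```python
"""Tenant-scoped session: wrong-tenant resources are absent, not denied."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Resource:
    """One record welding resource, endpoint, credential and owning tenant."""
    name: str
    endpoint: str
    credential: str
    tenant: str


class TenantMismatch(Exception):
    """The record's owner is not the session's tenant."""


class EgressDenied(Exception):
    """The endpoint host is outside the session's egress scope."""


# Constructed sample catalog (hypothetical tenants, hosts and tokens).
CATALOG = (
    Resource("ticketing", "https://tickets.customer-a.example/api", "tok-a-ticket", "customer-a"),
    Resource("secrets", "https://vault.customer-a.example/v1", "tok-a-vault", "customer-a"),
    Resource("ticketing", "https://tickets.customer-b.example/api", "tok-b-ticket", "customer-b"),
    Resource("billing", "https://billing.customer-b.example/v2", "tok-b-bill", "customer-b"),
)


def fake_transport(endpoint: str, credential: str, payload: dict) -> dict:
    """Stand-in for the real HTTP client; returns what would have been sent."""
    return {"endpoint": endpoint, "credential": credential, "payload": payload}


class TenantSession:
    def __init__(self, tenant: str, catalog=CATALOG, transport=fake_transport):
        self.tenant = tenant
        # Layer 1, structural isolation: only this tenant's records are loaded.
        # Other tenants' endpoints and credentials never exist in this session.
        self._resources = {r.name: r for r in catalog if r.tenant == tenant}
        # Layer 3, egress scoping: the allowlist is derived from those records,
        # so there is no separate list that can drift out of sync.
        self._allowed_hosts = frozenset(
            urlparse(r.endpoint).hostname for r in self._resources.values()
        )
        # Layer 2, bypass block: the transport is private. Callers get send()
        # and nothing else, so there is no raw client with which to skip checks.
        self._transport = transport

    def resource(self, name: str) -> Resource:
        """Look up a resource. A name that belongs only to another tenant is a
        KeyError: there is nothing to deny because the record is not here."""
        return self._resources[name]

    def send(self, resource: Resource, payload: dict) -> dict:
        """Deliver payload to a resource; fails closed on any ownership doubt."""
        if resource.tenant != self.tenant:
            raise TenantMismatch(f"{resource.name} belongs to {resource.tenant}")
        host = urlparse(resource.endpoint).hostname
        if host not in self._allowed_hosts:
            raise EgressDenied(f"{host} is outside this session's egress scope")
        return self._transport(resource.endpoint, resource.credential, payload)


def has_resource(session: TenantSession, name: str) -> bool:
    """True if the session can see a resource of that name at all."""
    try:
        session.resource(name)
        return True
    except KeyError:
        return False


def classify_send(session: TenantSession, resource: Resource, payload: dict) -> str:
    """Report which layer stopped a send, or 'sent' if none did."""
    try:
        session.send(resource, payload)
        return "sent"
    except TenantMismatch:
        return "tenant_mismatch"
    except EgressDenied:
        return "egress_denied"


if __name__ == "__main__":
    sess = TenantSession("customer-a")
    print("billing visible to A:", has_resource(sess, "billing"))
    print(sess.send(sess.resource("ticketing"), {"title": "disk alert"}))
```

Note the two distinct failure paths: a hand-built record that still says `customer-b` trips the ownership check, and a record forged to claim `customer-a` but pointing at a `customer-b` host trips the egress scope. Neither path requires a rule that enumerates what to refuse; both fall out of what the session loaded.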
In my previous work, I argued for failing open. If an agent is unsure if an action is safe, it should proceed. An agent that freezes on every doubt is useless.
But tenant boundaries are different. If the agent is unsure whose data it is touching, it must stop.
Uncertainty about an action leads to movement. Uncertainty about ownership must lead to a full stop.
Do not build checks that say no. Eliminate the shapes that require checking.
Source: https://dev.to/artemmatviychuk/the-safest-boundary-is-the-one-the-agent-cant-reach-across-20ad