AI security starts with boring boundaries
Most AI security work in small engineering tools is not dramatic. It is deciding which files an agent can read, which commands it can run, and which actions need a human confirmation before they leave the local machine.
The easiest mistake is treating the model as the boundary. The boundary should be outside the model: filesystem permissions, scoped tokens, narrow tools, and logs that survive the conversation.
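As a concrete illustration, here is a minimal sketch of a read tool that enforces a filesystem allowlist outside the model. The names (`read_file`, `ALLOWED_ROOTS`) and the paths are hypothetical, and it assumes Python 3.9+ for `Path.is_relative_to`:

```python
from pathlib import Path

# Hypothetical allowlist: the only directories this agent's read tool may touch.
ALLOWED_ROOTS = [
    Path("/srv/project/src").resolve(),
    Path("/srv/project/docs").resolve(),
]


def read_file(requested: str) -> str:
    """Read a file only if it resolves inside an allowed root."""
    path = Path(requested).resolve()  # resolve() normalizes ../ and follows symlinks
    if not any(path.is_relative_to(root) for root in ALLOWED_ROOTS):
        raise PermissionError(f"refused: {path} is outside the allowed roots")
    return path.read_text()
```

The check runs in the tool, not in the prompt, so it holds even when the model is confused or manipulated.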
Separate suggestion from execution
I like it when an agent can draft a plan, inspect a diff, or prepare a command. I am more careful when the same agent can deploy, delete, bill, or mutate production data. Those actions need stronger gates.
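One way to encode that split, sketched here with hypothetical names (`Tool`, `dispatch`): read-only tools run immediately, while anything that mutates state stops for a human.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Tool:
    name: str
    fn: Callable[..., str]
    mutates: bool  # deploy/delete/bill/write actions need a human gate


def dispatch(tool: Tool, *args: str) -> str:
    """Run a tool the agent suggested; mutating tools wait for confirmation."""
    if tool.mutates:
        answer = input(f"Agent requests {tool.name}{args!r}. Allow? [y/N] ")
        if answer.strip().lower() != "y":
            return "denied by operator"
    return tool.fn(*args)


# Read-only tools run freely; the deploy tool always stops at the prompt.
tools = {
    "git_diff": Tool("git_diff", lambda ref: f"(diff against {ref})", mutates=False),
    "deploy": Tool("deploy", lambda env: f"(deployed to {env})", mutates=True),
}
```

A call like `dispatch(tools["git_diff"], "main")` runs straight through; `dispatch(tools["deploy"], "prod")` always waits for a yes.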
A working baseline
- Least-privilege API tokens for each integration.
- Read-only tools by default, write tools only when needed.
- Human confirmation for destructive or billable work.
- Persistent logs for tool calls and returned IDs (a sketch follows this list).
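For the last item, a minimal sketch of a persistent tool-call log, again with hypothetical names (`log_tool_call`, `agent_tool_calls.jsonl`): one JSON line per call, appended to a file that outlives the chat session.

```python
import json
import time
from pathlib import Path

LOG_PATH = Path("agent_tool_calls.jsonl")  # hypothetical path; anywhere durable works


def log_tool_call(tool_name: str, args: dict, result_id: str = "") -> None:
    """Append one tool call to a JSON-lines log that survives the conversation."""
    entry = {
        "ts": time.time(),
        "tool": tool_name,
        "args": args,
        "result_id": result_id,  # IDs the integration returned, for later tracing
    }
    with LOG_PATH.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
```

When something goes wrong, this file is what you reconstruct the incident from, not the conversation transcript.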
The goal is not to slow everything down. It is to make the fast path safe enough that you can actually use it every day.