Most agents today run generated code with full access to your secrets. As more agents adopt coding agent patterns, where they read filesystems, run shell commands, and generate code, they are becoming multi-component systems whose components each need a different level of trust. Most teams run all of these components in a single security context, because that is how the default tooling works; we recommend thinking about these security boundaries differently.

Below we walk through:
- The actors in agentic systems
- Where security boundaries should go between them
- An architecture for running agent and generated code in separate contexts

All agents are starting to look like coding agents

More agents are adopting the coding agent architecture. These agents read and write to a filesystem. They run bash, Python, or similar programs to explore their environment.
Article Summaries:
- Security Boundaries in Agentic Architectures
The article highlights growing risks as more AI agents adopt a “coding agent” model: reading files, running shell commands, and generating executable code. Without clear security boundaries, prompt injection can lead agents to write malicious scripts that exfiltrate credentials or compromise infrastructure. The authors identify four distinct actors in an agentic system (agent, agent secrets, harness, and infrastructure) and argue that each should operate at a different trust level. They recommend an architecture that isolates the agent’s runtime from the generated code’s execution context, limiting the agent’s access to sensitive secrets and reducing the attack surface.
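The separation described above, as an added example that is not from the article or from Vercel: a harness holds a constructed secret in its own process environment and runs generated Python in a child process that only receives an allow-listed environment. `AGENT_SECRETS`, `ALLOWED_ENV` and the function names are assumptions made for this illustration; the `isolate=False` path reproduces the single-context default the article warns about, for comparison only.

```python
import os
import subprocess
import sys

# Constructed sample secret that belongs to the harness/agent context only.
AGENT_SECRETS = {"AGENT_API_TOKEN": "constructed-secret-value"}

# Environment variables the generated-code context is allowed to inherit (assumption).
ALLOWED_ENV = ("PATH", "LANG", "HOME")


def scrubbed_env(parent_env, allowed=ALLOWED_ENV):
    """Return a copy of the environment containing only allow-listed keys."""
    return {k: v for k, v in parent_env.items() if k in allowed}


def run_generated_code(code, timeout=5, isolate=True):
    """Run generated Python source in a separate process.

    isolate=True  -> child sees only ALLOWED_ENV, so harness secrets never reach it.
    isolate=False -> child inherits the whole environment (single security context).
    Returns (returncode, stdout, stderr).
    """
    env = scrubbed_env(os.environ) if isolate else dict(os.environ)
    proc = subprocess.run(
        [sys.executable, "-I", "-c", code],  # -I: ignore PYTHON* vars and user site
        env=env, capture_output=True, text=True, timeout=timeout,
    )
    return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def secret_visible_to_generated_code(isolate):
    """Probe whether generated code can read the harness's token."""
    os.environ.update(AGENT_SECRETS)  # the harness legitimately holds the secret
    probe = "import os; print(os.environ.get('AGENT_API_TOKEN', '<not visible>'))"
    _, out, _ = run_generated_code(probe, isolate=isolate)
    return out != "<not visible>"


if __name__ == "__main__":
    print("single context, secret visible:", secret_visible_to_generated_code(False))
    print("isolated context, secret visible:", secret_visible_to_generated_code(True))
```

Environment scrubbing is only the secrets boundary; the filesystem and network reach of the generated-code context still need their own controls.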
Sources:
- https://vercel.com/blog/security-boundaries-in-agentic-architectures (Latest source article published: 2026-02-25 06:41 UTC)