u/Ill-Database4116

Ive been auditing AI agent deployments and one pattern keeps showing up. Almost every team thinks they have safety covered because they shipped the obvious stuff. Almost every one breaks the same way when you test it.

The playbook is always the same. A prompt prefix telling the agent to be helpful and harmless, which folds the moment someone says ignore previous instructions. Anther is a keyword blacklist that base64 or unicode homoglyphs walk right through. Rate limiting that counts requests but blinds itself to a slow drip over eight hours. A generic content filter checking for toxicity while the agent accesses internal endpoints it was never supposed to touch.

What ive seen to hold up across the deployments that survived is semantic intent analysis instead of matching strings. Am talking business specific policies that understand your context, knowing what the agent should and shouldnt do and runtime behavioral analysis watching what the agent does step by step.

The thing that scares me about agents isn't the model saying something dumb. It's the tool calls. Once an agent has get_transaction_history in its tool list, it'll happily fire it with whatever account number sounds plausible from the conversation context. Doesn't matter if the user shouldn't have access to that account. The model just sees a function signature and fills in the blanks.

There's nothing that can reason that there is no reason why this user shoud access this at this time, unless you build one yourself. the frameworks give you tool definitions and leave the access control to you. Tool call validation is the load-bearing part of agent security and barely anyone's talking about it. Appreciate any thoughts on how to handle this

Sharing this in case any other small platform team is on the fence. We were on python:3.12 and node:20 like everyone, scanner spitting out 200+ CVEs per image, 95% in code we never call. Spent more time writing exception tickets than fixing real issues.

Migrated to a hardened minimal base in November. CVE count dropped to single digits. Audit went from explain these 47 highs to everything looks fine.

Wish we'd done it a year earlier. The npm/pip side is still scary (the Axios thing was a wakeup call) but at least the base layer isn't guesswork anymore.