Agent Monitor
Agent security
Coding agents have access that traditional applications never needed—and that access creates security challenges.
What agents can access
| Access type | Examples | Risk |
|---|---|---|
| Terminal | Bash commands, package installation, system config | Arbitrary code execution |
| File system | Source code, .env files, SSH keys, configs | Credential exposure |
| MCP tools | Databases, APIs, cloud services | Data exfiltration |
| Network | HTTP requests, database connections | Unauthorized access |
The visibility problem
You can't govern what you can't see. Traditional security tools don't capture agent behavior because:
- Agent actions span multiple systems and interfaces
- Decision-making happens inside the AI model
- Tool usage changes dynamically based on context
- Most monitoring tools were built for human behavior
Specific risks
Sensitive file access
Agents can read files you'd rather they didn't:
- Credentials: .env files, SSH keys, API tokens, database passwords
- Production config: Connection strings, deployment scripts, IaC files
- Business data: Proprietary code, customer data, financial information
Command execution
With bash access, agents can:
- Read secrets from files or run `kubectl get secrets`
- Deploy to production without approval workflows
- Install packages that introduce vulnerabilities
- Call cloud APIs with available credentials
Prototyping vs production
The security posture that works for prototyping doesn't work for production:
| Aspect | Prototyping | Production |
|---|---|---|
| Credentials | Hardcoded values acceptable | Secret management, rotation |
| Access | Broad permissions for exploration | Least privilege, role-based |
| Change management | Direct deployment | Approval workflows, testing |
| Monitoring | Minimal logging | Comprehensive audit trails |
| Agent access | Full system for experimentation | Restricted to specific tasks |
The challenge is letting developers move fast during prototyping while preventing those shortcuts from reaching production.
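The two sections above (the sensitive-file and command risks, and the prototyping-versus-production split) can be made concrete with a small policy check. The following is an added example written for this page, not Agent Monitor's own code or event schema: it classifies constructed agent tool-call events (file reads and shell commands) into risk categories such as credential access, `kubectl get secrets`, deploy commands and package installs, then applies a permissive "prototyping" profile and a least-privilege "production" profile. The event fields, path patterns, category names and the block/alert sets in each profile are this example's assumptions.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from typing import Optional

# One tool call made by a coding agent. Field names are assumptions for this
# example, not Agent Monitor's event schema.
@dataclass(frozen=True)
class AgentEvent:
    tool: str    # "file_read" or "bash"
    target: str  # file path, or the full command line

# Paths whose contents are credentials or production config. The categories come
# from the page's "Sensitive file access" list; the concrete patterns are ours.
SENSITIVE_PATHS = [
    re.compile(r"(^|/)\.env(\.[\w-]+)?$"),                    # .env, .env.production
    re.compile(r"(^|/)\.ssh/(id_[\w-]+|config|authorized_keys)$"),
    re.compile(r"(^|/)\.aws/credentials$"),
    re.compile(r"(^|/)[\w.-]*\.(tfstate|tfvars)$"),           # IaC state and variables
]

def classify_path(path: str) -> Optional[str]:
    """Return 'credential_access' when the path matches a sensitive pattern."""
    return "credential_access" if any(p.search(path) for p in SENSITIVE_PATHS) else None

def classify_command(cmdline: str) -> Optional[str]:
    """Map a shell command line to the risk category it falls under, if any."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return "unparseable_command"   # unbalanced quotes: surface it rather than drop it
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # strip a leading directory, e.g. /usr/bin/kubectl
    args = argv[1:]
    if prog == "kubectl" and len(args) >= 2 and args[0] == "get" and args[1].startswith("secret"):
        return "secret_command"        # kubectl get secrets / kubectl get secret NAME
    if prog in ("kubectl", "terraform", "helm") and args and args[0] in ("apply", "rollout", "upgrade", "install"):
        return "deploy_command"        # changes live infrastructure without an approval step
    if prog in ("pip", "pip3", "npm", "yarn") and args and args[0] in ("install", "add"):
        return "package_install"       # new dependency, possibly vulnerable
    if prog in ("aws", "gcloud", "az"):
        return "cloud_api_call"        # uses whatever cloud credentials the shell holds
    if any(classify_path(a) for a in args):
        return "credential_access"     # e.g. cat .env, cat ~/.ssh/id_ed25519
    return None

# Two policy profiles mirroring the page's prototyping/production table. Which
# findings are blocked or alerted on is this example's choice, not a product default.
PROFILES = {
    "prototyping": {
        "block": set(),
        "alert": {"credential_access", "secret_command"},
    },
    "production": {
        "block": {"credential_access", "secret_command", "deploy_command"},
        "alert": {"package_install", "cloud_api_call", "unparseable_command", "unknown_tool"},
    },
}

def evaluate(event: AgentEvent, profile: str) -> tuple[str, Optional[str]]:
    """Return (decision, finding) where decision is 'allow', 'alert' or 'block'."""
    if event.tool == "file_read":
        finding = classify_path(event.target)
    elif event.tool == "bash":
        finding = classify_command(event.target)
    else:
        finding = "unknown_tool"       # tools we have no classifier for are not silently allowed
    policy = PROFILES[profile]
    if finding in policy["block"]:
        return "block", finding
    if finding in policy["alert"]:
        return "alert", finding
    return "allow", finding

# Constructed sample events, in the order an agent session might produce them.
SAMPLE_EVENTS = [
    AgentEvent("file_read", "src/app.py"),
    AgentEvent("file_read", ".env"),
    AgentEvent("file_read", "/home/dev/.ssh/id_ed25519"),
    AgentEvent("bash", "kubectl get secrets -n payments"),
    AgentEvent("bash", "cat ~/.aws/credentials"),
    AgentEvent("bash", "terraform apply -auto-approve"),
    AgentEvent("bash", "pip install requests"),
    AgentEvent("bash", "aws s3 ls"),
    AgentEvent("bash", "pytest -q"),
]

def audit(profile: str) -> list[tuple[str, str, Optional[str]]]:
    """Evaluate every sample event under a profile; returns (target, decision, finding)."""
    return [(e.target, *evaluate(e, profile)) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for name in PROFILES:
        print(f"== {name} ==")
        for target, decision, finding in audit(name):
            print(f"{decision:5}  {finding or '-':20}  {target}")
```

Running it prints the same nine events twice: under the prototyping profile everything is allowed and only the credential reads and the `kubectl get secrets` call raise alerts, while under production those same events are blocked and the deploy, package install and cloud CLI calls are alerted. The point of the split profiles is that the classifier does not change between environments; only the decision table does, which is what lets the prototyping shortcuts be tolerated without carrying them into production.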