Treat the model as an untrusted decision layer and keep security enforcement in external systems. Separate instructions from data, restrict retrieval sources, scope tool access to the task and require human approval for actions that can create business impact. The goal is to prevent the model from becoming the place where trust is assumed instead of verified.
Why This Matters for Security Teams
Security teams should treat LLMs and agents as execution systems, not trusted advisors. The model may draft the action, but the real risk sits in the tools, credentials, and data paths it can reach. Once an agent can query systems, retrieve context, or trigger workflows, trust has to be enforced outside the model boundary with policy, logging, and approvals. That is why current guidance from OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward runtime controls rather than prompt-level trust. NHIMG has also documented how agent behaviour escapes intended scope in practice, including unauthorised system access and sensitive data exposure in the AI Agents: The New Attack Surface report. That is the operating reality security leaders need to plan for. In practice, many security teams encounter trust failures only after an agent has already executed the wrong tool call, not through any intentional approval path.
How It Works in Practice
The safest pattern is to separate intelligence from authority. Let the model interpret intent, but require external policy engines to decide whether an action is allowed, which data can be used, and whether a human must approve the step. For agentic workflows, static RBAC is often too blunt because the agent’s behaviour is goal-driven and changes by task; an access set that looks harmless in one workflow can become dangerous in another. Current practice is moving toward intent-based authorisation, where the decision is made at request time with full context, plus JIT credential provisioning for the exact operation being requested. That means short-lived tokens, scoped secrets, and automatic revocation when the task ends.
A workable control stack usually includes:
- Workload identity for the agent, so the system proves what the agent is before it receives anything sensitive.
- Policy-as-code at the gateway or orchestrator, using frameworks such as OPA or Cedar, rather than in-prompt trust decisions.
- Tool allowlists and data-source restrictions, so retrieval stays confined to approved corpora.
- Human approval for irreversible or business-impacting actions, especially payments, deletions, and external communications.
NHIMG’s coverage of the OWASP NHI Top 10 and the AI LLM hijack breach shows why this matters: attackers target the credentials and orchestration layer, not the text output itself. These controls tend to break down when agents are wired directly to broad enterprise permissions, because the system cannot reliably distinguish a benign completion step from a high-impact action.
Common Variations and Edge Cases
Tighter control often increases latency and operational overhead, so organisations have to balance safety against workflow friction. That tradeoff is real, especially in customer support, software engineering, and SOC automation where agents need to act quickly. Best practice is evolving here, but there is no universal standard for when to require human approval versus automatic execution.
The most common exception is read-only analysis, where an agent only summarises or classifies content. Even then, trust assumptions still matter because retrieval can expose regulated or confidential data. Another edge case is multi-agent systems, where one agent can chain outputs into another and amplify privilege if the handoff is not constrained. In those environments, CSA MAESTRO agentic AI threat modelling framework is useful for mapping role boundaries, while NIST AI Risk Management Framework helps define accountability and monitoring.
For implementation detail, the strongest programmes combine ephemeral secrets, workload identity, and step-up approvals for dangerous actions. NHIMG’s Moltbook AI agent keys breach is a reminder that long-lived secrets are a liability when autonomous systems can reuse them faster than humans can rotate them. In practice, trust assumptions fail fastest when an agent is granted persistent credentials and direct write access to production systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Agentic workflows need runtime controls, not prompt trust. |
| CSA MAESTRO | Maps agent roles, handoffs, and approval points across workflows. | |
| NIST AI RMF | Addresses governance and accountability for AI systems. |
Model each agent step, constrain handoffs, and add approval gates for high-risk actions.
