Security boundaries in agentic architectures

This post explains how to design security boundaries in agentic AI systems to prevent credential theft and misuse via prompt injection.

• •Agentic systems have four distinct actors: agent harness, agent secrets, generated code execution, and the filesystem, each requiring different trust levels
• •Prompt injection hidden in data sources (e.g., log files) can trick agents into running malicious scripts that exfiltrate SSH keys and cloud credentials
• •Zero-boundary architecture (today's default) shares a single security context across all actors, giving generated code full access to secrets
• •Secret injection proxies intercept outbound traffic to inject credentials without exposing raw values, but cannot prevent misuse during active runtime
• •The most secure approach runs the agent harness and generated code in separate VMs or sandboxes with distinct security contexts, so generated code has no network path to the harness's secrets