AI agents should not inherit the broadest access path available to a human operator.

That sounds obvious, but it is easy to violate in practice. A coding agent runs on a developer laptop, the laptop has VPN access, the shell has cloud credentials, and suddenly the agent can reach far more than the task requires.

The problem is not that agents need tools. The problem is giving a probabilistic worker a human-shaped blast radius.

Connectivity is not authorization

Private networking solves one problem: can this process reach the target?

It does not answer the more important questions:

  • Should this agent reach the target?
  • Which task is it performing?
  • Which identity is it acting as?
  • Which records can it read?
  • Which records can it mutate?
  • Who approved the risky step?
  • Where will the audit trail live?

A private route to a database, internal API, or admin service is only a path. It still needs authorization, scope, logging, and revocation.

Agents need task-shaped access

Human operators often need broad exploratory access because they diagnose unknown problems. Agents should usually start from the opposite assumption: give them a narrow path for a known task.

Instead of broad network or shell access, prefer:

  • Read-only APIs for inspection.
  • Task-specific endpoints for mutations.
  • Temporary credentials with short expiry.
  • Explicit allowlists for services and environments.
  • Human approval for destructive actions.
  • Logs that include agent identity, target, task, and reason.

This matches the boundary in System of Record vs Agent Layer. The agent should call deliberate interfaces. It should not quietly become a second backend with privileged shortcuts.

Safe proxies beat shared tunnels

A useful pattern is to put a narrow proxy between the agent and the private system.

The proxy can enforce rules the model cannot be trusted to remember:

  • Only these queries are allowed.
  • Only this tenant or project is visible.
  • Only this operation can run without approval.
  • Sensitive fields are redacted.
  • Dangerous commands require a separate confirmation path.
  • Every request is logged with structured metadata.

This is less flexible than a full shell or VPN tunnel. That is the point. The interface should match the task’s risk.
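A minimal sketch of such a proxy's decision step, added here as an illustration and not taken from any particular product. The operation names, grant shape, redacted fields, and sample records are all hypothetical.

```python
import json
import time

# Every name here (operations, fields, grant shape) is a hypothetical placeholder.
POLICY = {"list_orders": False, "get_order": False, "refund_order": True}  # op -> needs approval
REDACTED = {"email", "card_last4"}
APPROVALS = set()   # (op, order_id) pairs recorded by a human via a separate path
AUDIT_LOG = []      # stand-in for an append-only audit sink
ORDERS = [          # constructed sample records standing in for the private system
    {"id": 1, "tenant": "acme", "total": 40, "email": "a@example.com", "card_last4": "4242"},
    {"id": 2, "tenant": "globex", "total": 90, "email": "b@example.com", "card_last4": "1111"},
]


def run(op, order_id, tenant):
    # Tenant scope comes from the grant, never from the agent's request.
    rows = [o for o in ORDERS if o["tenant"] == tenant
            and (op == "list_orders" or o["id"] == order_id)]
    if op == "refund_order":
        for o in rows:
            o["refunded"] = True
    # Sensitive fields are stripped before anything reaches the model.
    return [{k: v for k, v in o.items() if k not in REDACTED} for o in rows]


def handle(request, grant, now=None):
    """Decide one agent request against a task-scoped grant and log the outcome."""
    now = time.time() if now is None else now
    op, order_id = request.get("op"), request.get("order_id")
    decision, body = "deny", None
    if now >= grant["expires_at"]:
        reason = "grant_expired"
    elif op not in POLICY or op not in grant["ops"]:
        reason = "op_not_allowlisted"
    elif POLICY[op] and (op, order_id) not in APPROVALS:
        decision, reason = "pending_approval", "human_approval_required"
    else:
        decision, reason = "allow", "ok"
        body = run(op, order_id, grant["tenant"])
    # Denials are logged too: the audit trail covers every request, not only successes.
    AUDIT_LOG.append(json.dumps({
        "ts": now, "agent": grant["agent"], "task": grant["task"],
        "tenant": grant["tenant"], "op": op, "target": order_id,
        "reason_given": request.get("reason"), "decision": decision, "why": reason,
    }))
    return {"decision": decision, "reason": reason, "body": body}
```

The agent cannot approve its own request: approval is looked up in a store that only the human confirmation path writes to, and the request carries no field that can override the tenant or the expiry.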

Breakglass should stay rare

There will be cases where a human needs to step in with broader access.

That path should exist, but it should not become the normal agent workflow. Breakglass access should be temporary, monitored, and reviewed after use. If agents keep needing breakglass, the system is missing safe APIs or useful operational tooling.

The long-term fix is not to teach the agent to be more careful with broad access. The long-term fix is to design access paths where careful behavior is the default.

Agents are most useful when they reduce coordination cost. They are dangerous when they erase boundaries that made production understandable.