The Agent Stack - Part 7: Execution Surfaces, Identity, and Approval Boundaries

Source: The Agent Stack · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

This article distinguishes between a model's exposed capabilities (tools) and the actual environment where actions are executed (execution surfaces), emphasizing that capability exposure does not equate to execution authority. It details how different execution surfaces—such as browsers, code runners, shells, APIs, databases, filesystems, and physical devices—each carry distinct blast radii and risks. The discussion highlights the critical role of an "identity envelope" for every side-effecting action, encompassing user and service identities, scopes, and credentials. Furthermore, it differentiates between policy, enforcement, approval, sandboxing, and guardrails as distinct controls necessary for secure agent systems. The author stresses that approval should occur close to the irreversible side effect, not at the task's outset, and introduces the invariant that untrusted content must never silently increase an agent's authority.

Key takeaway

For AI Architects and AI Security Engineers designing agent systems, you must explicitly separate tool capabilities from execution authority. Implement robust identity envelopes, granular policy enforcement, and sandboxing for each execution surface. Crucially, place human approval boundaries directly before irreversible side effects to prevent silent authority leaks and mitigate risks from prompt injection or erroneous actions, ensuring system trustworthiness and auditability.

Key insights

Distinguish model capabilities from execution authority to manage agent system risks effectively.

Method

Implement an "identity envelope" for every side-effecting action, detailing user/service identity, scopes, and credentials. Position approval boundaries near irreversible actions and contain execution via sandboxing.
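The policy/enforcement split and the authority invariant described in the summary and method above, as an added example written for this page rather than code from The Agent Stack. The envelope fields, the scope and surface names, and the "user" versus "content" origin labels are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"  # stop right before the irreversible side effect
    DENY = "deny"


@dataclass(frozen=True)
class IdentityEnvelope:
    """Who a side-effecting action runs as (assumed shape, not the article's)."""
    user_id: str
    service_id: str
    scopes: frozenset       # granted by the system, never by model or tool output
    credential_ref: str     # opaque handle resolved by the executor; the model never holds a secret


@dataclass(frozen=True)
class Action:
    surface: str            # execution surface: "shell", "api", "db", "filesystem", ...
    required_scope: str     # scope the policy demands for this operation on that surface
    irreversible: bool      # send, delete, pay: cannot be undone, so approval gates it


def decide(env: IdentityEnvelope, action: Action, approved: bool = False) -> Decision:
    """Policy: an exposed tool is not authority; only the envelope's scopes count."""
    if action.required_scope not in env.scopes:
        return Decision.DENY
    if action.irreversible and not approved:
        return Decision.NEEDS_APPROVAL
    return Decision.ALLOW


def grant_scope(env: IdentityEnvelope, scope: str, origin: str, audit: list) -> IdentityEnvelope:
    """Invariant: untrusted content never silently widens authority.
    A grant whose origin is tool output, a web page or an email ("content") is
    refused and recorded; only a user-originated grant yields a wider envelope."""
    if origin != "user":
        audit.append(("scope_grant_refused", scope, origin))
        return env
    audit.append(("scope_granted", scope, origin))
    return IdentityEnvelope(env.user_id, env.service_id, env.scopes | {scope}, env.credential_ref)


def run(env: IdentityEnvelope, action: Action, audit: list, approved: bool = False) -> Decision:
    """Enforcement point placed next to the side effect; every decision is auditable."""
    decision = decide(env, action, approved)
    audit.append((decision.value, action.surface, action.required_scope, env.user_id, env.service_id))
    return decision
```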

Best for: AI Engineer, AI Architect, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by The Agent Stack.