The Agent Stack - Part 7: Execution Surfaces, Identity, and Approval Boundaries
Summary
This article distinguishes between a model's exposed capabilities (tools) and the actual environment where actions are executed (execution surfaces), emphasizing that capability exposure does not equate to execution authority. It details how different execution surfaces—such as browsers, code runners, shells, APIs, databases, filesystems, and physical devices—each carry distinct blast radii and risks. The discussion highlights the critical role of an "identity envelope" for every side-effecting action, encompassing user and service identities, scopes, and credentials. Furthermore, it differentiates between policy, enforcement, approval, sandboxing, and guardrails as distinct controls necessary for secure agent systems. The author stresses that approval should occur close to the irreversible side effect, not at the task's outset, and introduces the invariant that untrusted content must never silently increase an agent's authority.
Key takeaway
For AI Architects and AI Security Engineers designing agent systems, you must explicitly separate tool capabilities from execution authority. Implement robust identity envelopes, granular policy enforcement, and sandboxing for each execution surface. Crucially, place human approval boundaries directly before irreversible side effects to prevent silent authority leaks and mitigate risks from prompt injection or erroneous actions, ensuring system trustworthiness and auditability.
Key insights
Distinguish model capabilities from execution authority to manage agent system risks effectively.
Principles
- Capability exposure is not execution authority.
- Untrusted content must not silently increase agent authority.
- Do not ask one control to do another control's job.
Method
Implement an "identity envelope" for every side-effecting action, detailing user/service identity, scopes, and credentials. Position approval boundaries near irreversible actions and contain execution via sandboxing.
In practice
- Name the execution surface to reason about risk.
- Require approval for destructive or irreversible actions.
- Scope and isolate browser contexts like identity-bearing objects.
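As an added illustration of the Method and "In practice" points above (example code, not from The Agent Stack article or from AIssential), the following Python sketches a frozen identity envelope carried on every side-effecting call, a policy decision kept separate from the enforcement point, an approval gate placed immediately before destructive actions rather than at task start, and the invariant that a scope request originating from untrusted content cannot raise authority. The surface names, scope names, action table and sample user are assumptions made for the example.

```python
from dataclasses import dataclass
# Name each execution surface and the side-effect class of its actions so risk is explicit.
ACTION_CLASS = {
    ("filesystem", "read"): "read",
    ("filesystem", "write"): "write",
    ("shell", "rm"): "destructive",          # irreversible
    ("database", "delete"): "destructive",   # irreversible
}
REQUIRED_SCOPE = {"read": "read", "write": "write", "destructive": "admin"}
@dataclass(frozen=True)
class IdentityEnvelope:
    """Who is acting and with which scopes; carried on every side-effecting call."""
    user: str
    service: str
    scopes: frozenset
    credential_ref: str  # opaque handle to the credential, never the secret itself

@dataclass
class ToolCall:
    surface: str
    action: str
    target: str

def policy_decision(call, env):
    """Policy only decides; it executes nothing. Returns (allowed, reason_or_class)."""
    cls = ACTION_CLASS.get((call.surface, call.action))
    if cls is None:
        return False, "unknown surface/action"
    if REQUIRED_SCOPE[cls] not in env.scopes:
        return False, f"missing scope {REQUIRED_SCOPE[cls]}"
    return True, cls

def enforce(call, env, approve, audit):
    """Enforcement point: applies policy, then gates irreversible effects on approval."""
    allowed, why = policy_decision(call, env)
    if not allowed:
        audit.append(("denied", call.surface, call.action, why))
        return "denied"
    # Approval sits immediately before the irreversible side effect, not at task start.
    if why == "destructive" and not approve(call):
        audit.append(("rejected", call.surface, call.action, "approval withheld"))
        return "rejected"
    audit.append(("executed", call.surface, call.action, env.user))  # the real effect goes here
    return "executed"

def request_scope(env, scope, origin, approve):
    """Authority grows only by an explicit user decision; untrusted content cannot raise it."""
    if origin != "user" or not approve(scope):
        return env
    return IdentityEnvelope(env.user, env.service, env.scopes | {scope}, env.credential_ref)
```

The audit list records every decision with the surface, action and acting identity, which is what makes the denied, rejected and executed paths reviewable after the fact.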
Topics
- Execution Surfaces
- Agent Authority
- Identity Envelope
- Approval Boundaries
- Sandboxing
Best for: AI Engineer, AI Architect, AI Security Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by The Agent Stack.