Docker published a practical guide last week on securing AI agents, and one sentence in it should be printed on a sticker for every engineering team adopting coding agents:
Permission prompts are not a security strategy.
That is not the whole guide, obviously. Docker talks about isolation, tool access, identity, credentials, runtime monitoring, MCP provenance, and multi-agent trust boundaries. Good. Those are the grown-up topics.
But the permission prompt line is the one that stuck with me, because it names a habit I keep seeing in agent products and internal demos.
That habit feels safe because a human is technically in the loop. It also feels familiar because developers already approve things all day: browser permissions, OAuth scopes, package installs, CI reruns, deploy buttons, cloud console warnings, and the occasional horrifying Terraform plan.