The Safest Boundary Is the One the Agent Can't Reach Across

Second in a series on building an autonomous AI organism that operates real multi-tenant infrastructure under a constitutional safety model. The first part was about two gates — a conscience and a council. This one is about the wall behind them.

My agent runs infrastructure for more than one organization. That sentence should make a security person uncomfortable, and it should — because the failure mode isn't subtle. The nightmare isn't the agent doing something clever and wrong. It's the agent doing something mundane and right — writing a ticket, rotating a secret, posting a status — to the wrong tenant.

Customer A's data ending up in Customer B's system isn't a bug you patch. It's a breach you disclose.

So the first question I had to answer wasn't "how do I make the agent capable across tenants." It was: how do I make crossing a tenant boundary not a thing the agent can do wrong, because it's not a thing it can do at all.

Permission is the weak version. Absence is the strong one.