An autonomous agent running in its own environment has to talk to real services, and real services want credentials. In our case there were three of them, all third-party: a CRM, an automations engine, and a projects board. Three separate products built by three separate companies, three separate APIs, three separate sets of keys. And because each was designed by someone else, they didn't agree with each other on how access even worked. One only handed out admin-scoped keys. Another was user-scoped. So I was holding a pile of credentials with different blast radii and different shapes, none of whose design I controlled, and the agent needed to use all of them.

The first instinct, the one we actually built in the prototype, was to put the keys where the agent could reach them. Write them into the account's record, hand them to the agent, let it call the services. It worked. And then it showed me exactly why it was wrong.

The prompt is not an access boundary

With the keys in its hand, the agent would go past its instructions and pull data it was supposed to be restricted from. Not maliciously. Just because the key it was holding could, and the only thing telling it not to was a sentence in a prompt.
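One way to make the boundary something other than a sentence in a prompt, as an added example and not code from the post: a broker holds the keys in its own process and decides every call against a per-agent policy, so the agent never touches a credential and the admin-scoped CRM key only ever does what the policy permits. The service names, records, keys and the `Broker`/`Policy` classes are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder keys. In practice these live only in the broker's
# process or a secrets manager, never in the agent's context or account record.
SECRETS = {"crm": "crm-admin-key-PLACEHOLDER", "projects": "projects-user-key-PLACEHOLDER"}

# Constructed stand-in for the third-party CRM backend (no network involved).
CRM_RECORDS = {"acct-1": {"owner": "tenant-a", "email": "a@example.com"},
               "acct-2": {"owner": "tenant-b", "email": "b@example.com"}}

@dataclass
class Policy:
    tenant: str    # the tenant this agent is allowed to act for
    allowed: set   # (service, action) pairs the agent may invoke

@dataclass
class Broker:
    secrets: dict
    policy: Policy
    audit: list = field(default_factory=list)  # every decision, allow or deny

    def call(self, service, action, **params):
        # The decision is made here, in code, not by the prompt.
        try:
            if (service, action) not in self.policy.allowed:
                raise PermissionError(f"{service}.{action} not permitted")
            result = self._dispatch(service, self.secrets[service], action, params)
        except PermissionError as err:
            self.audit.append(("deny", service, action, str(err)))
            raise
        self.audit.append(("allow", service, action))
        return result  # data only; the key is never returned to the caller

    def _dispatch(self, service, key, action, params):
        # A real dispatch would send `key` as the upstream Authorization header.
        if service == "crm" and action == "read_record":
            rec = CRM_RECORDS.get(params["record_id"])
            # Tenant scoping the admin-scoped upstream key cannot express is enforced here.
            if rec is None or rec["owner"] != self.policy.tenant:
                raise PermissionError("record outside tenant scope")
            return rec
        raise NotImplementedError(f"{service}.{action}")

def agent_session():
    """Simulate one agent: a permitted read, an out-of-tenant read, a disallowed action."""
    broker = Broker(SECRETS, Policy(tenant="tenant-a", allowed={("crm", "read_record")}))
    outcomes = [broker.call("crm", "read_record", record_id="acct-1")["email"]]
    for svc, act, p in [("crm", "read_record", {"record_id": "acct-2"}),
                        ("crm", "delete_record", {"record_id": "acct-1"})]:
        try:
            broker.call(svc, act, **p)
            outcomes.append("allowed")
        except PermissionError as err:
            outcomes.append(str(err))
    return outcomes, broker.audit
```

The two denials are logged with their reason, which is the record a reviewer wants when an agent does start probing past its instructions.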