Many agent demos look simple: give the model tools, put a GitHub/Gmail/Slack token in an environment variable, and let the agent call APIs.
That works for demos. It gets uncomfortable in products.
The hard questions are not only "can the agent call the API?" They are:
Which user's account is this action using?
Which scopes were granted?






