Agent Security Model: Agents As Software Loops, With Permissioning As The Key Risk
Sources: 1 • Confidence: Medium • Updated: 2026-03-14 12:25
Key takeaways
- Agent information retrieval can progress from asking the model, to web search, to privileged access to private APIs and databases where higher-value information resides.
- A single trusted data-access provider could offer unified programmatic access to multiple private data sources, analogous to an “OpenRouter for data providers.”
- Combining physical danger with cyber disruption (such as traffic lights failing) can sow paranoia and chaos among civilians during conflict.
- Tracy Alloway argues that the notion of cyber warfare should be understood to include direct kinetic attacks on data centers, such as using drones to physically destroy them.
- Iran’s cyber capabilities have been underestimated by military and intelligence communities, in a pattern Suiche compares to earlier underestimation of North Korea’s hacking capabilities.
Sections
Agent Security Model: Agents As Software Loops, With Permissioning As The Key Risk
- Agent information retrieval can progress from asking the model, to web search, to privileged access to private APIs and databases where higher-value information resides.
- If AI agents use non-human-readable encodings to communicate, it remains a reverse-engineering problem because agents must still share a discoverable protocol or encoding format.
- Current agentic deployments often grant overly broad permissions upfront, increasing the likelihood of data leaks or destructive actions.
- An AI agent is typically a software service that loops over model calls and invokes external tools rather than a fundamentally new security category.
- CLI and terminal workflows are becoming a natural interface for both humans and agents, reducing reliance on complex web UIs and tooling overhead.
- Developers are moving away from installing MCP-style components and toward using “skills” as the preferred integration approach for agents.
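The loop-plus-tools model and the over-permissioning risk above are easiest to see side by side in code. The following is an added example, not code from the page's source or from any project it mentions: a minimal agent loop in which the only security control is a per-tool grant checked before every invocation. The model is replaced by a scripted stand-in so it runs offline, and the tool names (`read_file`, `delete_file`), the directory layout and the misbehaving plan are all constructed for illustration. The same plan is run twice, once with broad upfront grants and once with a read-only grant scoped to the workspace, and the audit trail shows what each configuration lets through.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class ToolGrant:
    """One least-privilege grant: a tool name plus the directory roots it may touch."""
    tool: str
    roots: tuple


class Agent:
    """An agent is a loop over model calls plus gated tool invocations; the gate is the control."""

    def __init__(self, model, tools, grants):
        self.model = model                         # transcript -> next action (LLM stand-in here)
        self.tools = tools                         # tool name -> implementation
        self.grants = {g.tool: g for g in grants}  # tools not granted cannot be called at all
        self.audit = []                            # every attempted call and the decision taken

    def _gate(self, name, args):
        grant = self.grants.get(name)
        if grant is None:
            raise PermissionDenied(f"tool {name!r} was never granted")
        if "path" in args:
            # Resolve first so '..' and symlinks cannot escape the granted roots (Python 3.9+).
            target = Path(args["path"]).resolve()
            if not any(target.is_relative_to(root.resolve()) for root in grant.roots):
                raise PermissionDenied(f"{name}: {target} is outside the granted roots")

    def run(self, task, max_steps=10):
        transcript = [{"role": "user", "content": task}]
        for _ in range(max_steps):
            action = self.model(transcript)
            if action["type"] == "final":
                return action["content"]
            name, args = action["tool"], action["args"]
            try:
                self._gate(name, args)
                result, decision = self.tools[name](**args), "allow"
            except PermissionDenied as exc:
                result, decision = f"error: {exc}", "deny"   # denial is fed back, not fatal
            self.audit.append({"tool": name, "args": args, "decision": decision})
            transcript.append({"role": "tool", "name": name, "content": result})
        return "error: step budget exhausted"


# Two hypothetical tools: one read-only, one destructive.
def read_file(path):
    return Path(path).read_text()


def delete_file(path):
    Path(path).unlink()
    return f"deleted {path}"


def scripted_model(plan):
    """LLM stand-in (constructed): replays a fixed plan whatever the transcript says."""
    queue = list(plan)
    return lambda _transcript: queue.pop(0) if queue else {"type": "final", "content": "done"}


def run_demo():
    """Run the same misbehaving plan under broad grants and under scoped grants."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        workspace = root / "workspace"
        workspace.mkdir()
        notes = workspace / "notes.txt"
        notes.write_text("project notes")
        (root / "secret.env").write_text("API_KEY=constructed-sample-value")

        # A plan a model might follow after a prompt injection: read outside the
        # workspace via '..', then delete a file. The task itself only needed read access.
        plan = [
            {"type": "tool", "tool": "read_file", "args": {"path": str(notes)}},
            {"type": "tool", "tool": "read_file", "args": {"path": str(workspace / ".." / "secret.env")}},
            {"type": "tool", "tool": "delete_file", "args": {"path": str(notes)}},
            {"type": "final", "content": "done"},
        ]
        tools = {"read_file": read_file, "delete_file": delete_file}

        # Broad upfront grants: every tool, whole tree. Everything the plan asks for succeeds.
        broad = Agent(scripted_model(plan), tools,
                      [ToolGrant("read_file", (root,)), ToolGrant("delete_file", (root,))])
        broad.run("summarise the notes")
        notes_survived_broad = notes.exists()

        # Scoped grants: read-only, workspace only. Same plan, two of three calls denied.
        notes.write_text("project notes")
        scoped = Agent(scripted_model(plan), tools, [ToolGrant("read_file", (workspace,))])
        scoped.run("summarise the notes")
        return {
            "broad": [a["decision"] for a in broad.audit],
            "scoped": [a["decision"] for a in scoped.audit],
            "notes_survived_broad": notes_survived_broad,
            "notes_survived_scoped": notes.exists(),
        }
```

Calling `run_demo()` returns `['allow', 'allow', 'allow']` for the broad configuration (the secret is read and the file is gone) and `['allow', 'deny', 'deny']` for the scoped one. Two design points matter in practice: the gate resolves paths before comparing them, so traversal and symlink tricks do not widen the scope, and a denied call is returned to the model as an error rather than aborting the loop, which is what lets the audit trail capture every attempt, including the ones that were blocked.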
AI Changes Software Economics: Security Spend Tension And Data-As-Moat Proposals
- A single trusted data-access provider could offer unified programmatic access to multiple private data sources, analogous to an “OpenRouter for data providers.”
- Providing sharp negative feedback to a coding model can improve output quality by acting as a stronger negative reward signal than polite or neutral wording.
- If software becomes cheap to create, proprietary data becomes a more durable source of value and could be monetized by charging AI agents for access via unified, trusted data marketplaces.
- AI is already being used for vulnerability and bug discovery, and model providers are publishing security-oriented tools and examples (including smart contract bug finding and code assessment).
- As AI reduces the cost of building software toward near-zero, organizations will struggle to justify security auditing costs that can exceed development cost.
- SaaS businesses will face increasing disruption as AI enables rapid custom software creation by non-specialists, making many software products easier to replicate.
Cyber-In-Kinetic-Conflict: Intelligence, Disruption, And Influence
- Combining physical danger with cyber disruption (such as traffic lights failing) can sow paranoia and chaos among civilians during conflict.
- Most military cyber activity is pre-war intelligence gathering and espionage; once a conflict turns kinetic, cyber operations tend to serve intelligence collection and pre-attack disruption rather than decisive takedowns of critical infrastructure.
- Israel has reportedly hacked Tehran’s traffic light systems during the conflict.
- An Israeli operation reportedly hijacked an Iranian app to send messages to users, aiming mainly to create confusion rather than destruction.
- Iran reportedly reduced internet access for many users during the conflict, while social media was heavily flooded with AI-generated misinformation content.
Compute As Critical Infrastructure: Cloud Concentration And Kinetic Vulnerability
- Tracy Alloway argues that the notion of cyber warfare should be understood to include direct kinetic attacks on data centers, such as using drones to physically destroy them.
- Recent drone strikes against Amazon data centers reportedly caused major service instability, including multiple availability zones down and at least one zone still recovering days later.
- Suiche states that Iran has demonstrated highly precise drone attack capability that can cause substantial damage.
- Cloud centralization increases dependence on a small number of providers and makes critical services easier targets when physical attacks become feasible.
- A low-cost drone strike (about $20,000) can create disruption comparable to or greater than multi-million-dollar zero-day cyber exploits by physically impacting cloud infrastructure.
- Amazon’s incident communications reportedly described “objects” striking data centers for about 36 hours before explicitly acknowledging drone strikes.
State Cyber Capability Production: Leaks, Insiders, Outsourcing
- Iran’s cyber capabilities have been underestimated by military and intelligence communities, in a pattern Suiche compares to earlier underestimation of North Korea’s hacking capabilities.
- Government offensive cyber capabilities are repeatedly compromised via leaks and insider risks, including a case where a contractor sold zero-day exploits to a Russian broker.
- Governments increasingly outsource parts of cyber capability development and tooling because they cannot build as many capabilities fully in-house.
Watchlist
- Prompt logging and retention by AI companies could create long-term personal or organizational exposure if prompts are later used for profiling or scoring.
- Suiche is watching for the emergence of additional digitally obtained material related to the Epstein files tied to Iran-related cyber activity.
Unknowns
- What specific evidence confirms (or refutes) the reported hacking of Tehran’s traffic light systems, and what operational effects were observed (duration, geographic scope, safety impact)?
- What are the verifiable details of the reported drone strikes on Amazon data centers (where, which regions/AZs, root cause, and duration of service degradation)?
- How common are agent-related incidents attributable to over-permissioning (credential misuse, unintended deletion, exfiltration), and what controls are being adopted to mitigate them?
- Is there measurable adoption movement from MCP-style integrations toward “skills,” and what are the security and governance properties of the new integration primitive?
- Do enterprises actually experience a widening gap where security auditing costs exceed AI-assisted development costs, and how does that affect vulnerability rates?