I've been building AI agents for about two years.
Last week something happened that changed how I think about agent security.
I had a coding agent that could read GitHub issues and run shell commands.
Then it hit me...
The moment the model outputs a tool call, we just... execute it.
No checkpoint.
No "are we sure?"
Just:
LLM → JSON → shell
That feels insane in hindsight.
In web apps we'd never execute user input without validation.
But with agents, we're basically doing the equivalent.
I started trying to break my own agents.
Not jailbreak the model.
The execution layer.
The interesting thing is that the model isn't really the problem.
If it decides to call:
run_shell("rm -rf ...")
the framework just says "okay."
That's the scary part.
So I stopped thinking about prompt injection and started thinking about execution boundaries.
I've spent the last week hacking together a runtime layer that sits between the agent and its tools.
Right now it can:
block specific tool calls
sandbox shell commands
log every decision
Still a lot to build.
I'm curious...
If you're running agents in production today, where do you actually enforce security?
Inside each tool?
Middleware?
Or are you just trusting the system prompt?
Really appreciate all the discussion here.
A few people asked what I meant by a runtime layer. I ended up building a small prototype for my own agents to experiment with this idea. Right now it handles policy checks before tool execution, runs shell commands in a network-isolated Docker container, and records audit logs.
If anyone wants to poke holes in the architecture or tell me what I'm missing, I'd genuinely appreciate the feedback:
https://relay-security-lemon.vercel.app/