Lilly Tech Systems
Introduction: Why Agent Safety Matters
AI coding agents are transforming software development — but with the power to execute shell commands, modify files, and interact with cloud infrastructure comes serious risk. This lesson explains why agent safety is a critical discipline and what can go wrong when guardrails are missing.
The Rise of AI Coding Agents
AI coding agents have rapidly become essential developer tools. Unlike simple code completion, these agents can autonomously execute multi-step tasks including running shell commands, modifying infrastructure, and deploying code:
| Agent | Vendor | Key Capabilities | Execution Model |
|---|---|---|---|
| Claude Code | Anthropic | Read/write files, execute bash, git operations, multi-step coding | CLI with permission prompts |
| GitHub Copilot | GitHub/Microsoft | Code completion, agent mode for multi-file edits, terminal commands | IDE-integrated with approval |
| Codex CLI | OpenAI | Code generation, shell execution, file editing, test running | CLI with sandbox options |
| Cursor | Cursor Inc. | Full IDE agent with terminal access, multi-file editing | IDE with inline approval |
| Windsurf | Codeium | Cascade agent for multi-step coding, terminal execution | IDE-integrated |
| Aider | Open Source | Git-aware coding, shell commands, multi-file edits | CLI with git integration |
How Agents Interact with Infrastructure
Modern AI coding agents don't just write code — they execute it. When you ask an agent to "set up a Kubernetes deployment" or "clean up old AWS resources," the agent runs real commands with real consequences:
# Agent receives: "Clean up the unused EC2 instances" # Agent thinks: "I need to find and terminate unused instances" # Step 1: Agent lists instances aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" # Step 2: Agent identifies "unused" ones (but might get this wrong!) aws ec2 terminate-instances --instance-ids i-0abc123 i-0def456 i-0ghi789 # Step 3: Oops - i-0ghi789 was the production database server
Real-World Incidents
While many organizations keep AI agent incidents confidential, several patterns have emerged from community reports and public discussions:
A developer asked an AI agent to "fix the Terraform configuration and apply it." The agent noticed state drift, decided the cleanest fix was to destroy and recreate, and ran
terraform destroy on a production module containing the primary database. Recovery took 6 hours from backups.
An agent was asked to "clean up the test environment." It interpreted "test" broadly and ran
kubectl delete namespace on a namespace that contained both test and staging services shared with QA. All staging deployments were lost.
An agent trying to resolve merge conflicts ran
git push --force origin main, overwriting the commit history of the main branch. While recoverable via reflog, it disrupted the entire team's workflow for a day.
The Trust Boundary Problem
Traditional security assumes a clear boundary between trusted (human) and untrusted (external) actors. AI agents break this model because they operate inside the trust boundary:
Same Credentials
The agent uses the developer's AWS credentials, Kubernetes config, and git SSH keys. There's no separate identity for "agent actions" vs "human actions."
Same Permissions
If the developer can delete a production database, so can the agent. There's no permission distinction between human-initiated and agent-initiated commands.
Imperfect Judgment
Unlike humans, agents don't have intuition about blast radius. They may not understand that deleting "that old S3 bucket" means losing years of customer data.
Speed of Execution
An agent can execute 20 destructive commands in seconds — faster than any human could review them. By the time you notice, the damage is done.
┌─────────────────────────────────────────────────┐ │ TRUST BOUNDARY │ │ │ │ ┌──────────┐ ┌──────────┐ ┌────────────┐ │ │ │ Developer │ │ AI Agent │ │ CI/CD │ │ │ │ (Human) │ │ (LLM) │ │ Pipeline │ │ │ └─────┬─────┘ └─────┬────┘ └──────┬─────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌──────────────────────────────────────────┐ │ │ │ Shared Credentials & Permissions │ │ │ │ AWS keys, kubeconfig, git SSH, DB creds │ │ │ └──────────────────────────────────────────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌──────────────────────────────────────────┐ │ │ │ Production Infrastructure │ │ │ │ EC2, RDS, S3, K8s, Databases │ │ │ └──────────────────────────────────────────┘ │ └─────────────────────────────────────────────────┘ Problem: The AI Agent has the SAME access as the developer but WITHOUT the same judgment about consequences.
Why Traditional Security Isn't Enough
Existing security practices were designed for human-operated or automated (deterministic) systems. AI agents are neither — they're non-deterministic autonomous actors that make judgment calls:
| Security Approach | Works for Humans? | Works for CI/CD? | Works for AI Agents? |
|---|---|---|---|
| RBAC / IAM | Yes | Yes | Partially — agents need broad permissions to be useful |
| Audit logging | Yes (post-hoc) | Yes | Yes, but damage happens in seconds |
| Code review | Yes | Yes (PR-based) | No — agents execute commands directly |
| MFA | Yes | N/A | No — agents can't do MFA |
| Network segmentation | Yes | Yes | Partially — agents run on dev machines |
What This Course Covers
Over the next 7 lessons, you'll learn:
- Permission Models: How to configure agent permissions for least privilege
- Dry-Run Patterns: Enforcing preview-before-apply for all infrastructure changes
- Sandbox Environments: Isolating agent execution from production
- Guardrail Scripts: Building automated safety checks that intercept dangerous commands
- CI/CD Safety: Designing pipelines where agents propose but never directly apply
- Incident Response: What to do when things go wrong
- Best Practices: A complete safety checklist and maturity model