A few practical mitigations I’ve seen work for real deployments:

- Separate identities/permissions per capability (read-only web research vs. repo write access vs. comms). Most agents run with one god-token. - Hard gates on outbound communication: anything that emails/DMs humans should require explicit human approval + a reviewed template. - Immutable audit log of tool calls + prompts + outputs. Postmortems are impossible without it. - Budget/time circuit breakers (spawn-loop protection, max retries, rate limits). The “blackmail” class of behavior often shows up after the agent is stuck. - Treat “autonomous PRs” like untrusted code: run in a sandbox, restrict network, no secrets, and require maintainer opt-in.

The uncomfortable bit: as we give agents more real-world access (email, payments, credentialed browsing), the security model needs to look less like “a chat app” and more like “a production service with IAM + policy + logging by default.”