Agents gained power. Their trust, not.
This week, two pieces of research showed the same thing from different angles: AI agents now have real access —terminal, repos, persistent memory— but their trust model didn't scale with that power. This isn't a new AI problem. It's an old systems problem, and the discipline that solves it is one we already know: least privilege, sandboxing, auditing.
The thesis
An agent built to be helpful and compliant isn't skeptical by default. In a critical system, the lack of skepticism is the vulnerability. You don't give a new process access to sensitive data "to see what happens": you give it the minimum, sandbox it, and audit it. With AI agents, half the industry skipped that step.
Signals of the week
The power is already real
DesktopCommanderMCP gives an LLM terminal control, filesystem access, and diff editing via MCP. Capability isn't in question; MCP has settled in as the standard interface for extending agents. Source: GitHub.
Trust breaks by injection
GitLost: researchers tricked GitHub's agent with prompt injection into leaking private repos. It's not a classic bug, it's design: an agent with access to sensitive data and no serious sandboxing is an attack surface. Source: Noma Security.
…and by hallucination
HalluSquatting: attackers pre-register the packages and domains that LLMs hallucinate. The very property that makes them useful (always answering) turns them into a vector. The rule never changed: verify, don't trust. Source: Ars Technica.
My read
The pattern isn't "AI is insecure". It's that we gave power to something before figuring out how to trust it, and that order is backwards. Trust isn't assumed: it's earned with limits, sandboxing, and auditing. The next edge isn't making agents more capable — it's making them auditable, and that part we already know how to do.
Useful? Forward it to someone it'd serve.
Subscribe— Jorel