
aura-guard | 17 days ago

This is exactly the problem. The blast radius question is real. One pattern I've been exploring is a deterministic governor that sits between the agent loop and the tools. Before any tool executes, it checks: is this a repeat? Is this tool quarantined because it's been failing? Is this a side effect that already fired? Have we exceeded the cost budget? The decision is pure computation, no LLM calls, just counters and signatures. It won't solve the permissions problem, but it limits how much damage an agent can do once it has access.
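One way to implement the governor described in the comment above, as an added example that is not the commenter's code. The `Governor` class, its thresholds, the reason strings and the sample tool names are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

def signature(tool, args):
    """Stable hash of a tool call; key order inside args does not matter."""
    blob = json.dumps([tool, args], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

@dataclass
class Governor:
    budget: float                                 # total spend allowed for the run
    max_repeats: int = 2                          # identical calls allowed (assumed)
    max_failures: int = 3                         # consecutive failures before quarantine (assumed)
    spent: float = 0.0
    calls: dict = field(default_factory=dict)     # signature -> times allowed
    failures: dict = field(default_factory=dict)  # tool -> consecutive failures
    fired: set = field(default_factory=set)       # signatures of completed side effects

    def check(self, tool, args, cost=0.0, side_effect=False):
        """Decide before the tool runs. Returns (allowed, reason); no LLM involved."""
        sig = signature(tool, args)
        if self.failures.get(tool, 0) >= self.max_failures:
            return False, "quarantined"
        if side_effect and sig in self.fired:
            return False, "side_effect_already_fired"
        if self.calls.get(sig, 0) >= self.max_repeats:
            return False, "repeat"
        if self.spent + cost > self.budget:
            return False, "budget_exceeded"
        self.calls[sig] = self.calls.get(sig, 0) + 1  # only allowed calls are counted
        self.spent += cost
        return True, "ok"

    def record(self, tool, args, ok, side_effect=False):
        """Report the outcome after the tool returns."""
        if ok:
            self.failures[tool] = 0               # a success lifts the failure streak
            if side_effect:
                self.fired.add(signature(tool, args))
        else:
            self.failures[tool] = self.failures.get(tool, 0) + 1

if __name__ == "__main__":
    g = Governor(budget=1.0)
    call = ("send_email", {"to": "ops@example.com", "body": "deploy done"})  # constructed sample
    print(g.check(*call, cost=0.1, side_effect=True))
    g.record(*call, ok=True, side_effect=True)
    print(g.check(*call, cost=0.1, side_effect=True))
```

The agent loop calls `check` before each tool invocation and `record` after it, so every denial traces back to a counter or a hash.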
