Securing AI Agents and Tool Use
Constraining autonomous agent actions.
What Makes Agents Risky
An AI agent is an LLM wired to tools and a loop: it reasons, calls functions (search, code execution, APIs, file access), observes results, and repeats until a goal is met. This autonomy is powerful and dangerous.
The core security shift: with a plain chatbot, a bad output is just text. With an agent, a bad decision becomes a real action: a deleted record, a sent email, a spent dollar, a leaked secret.
Because untrusted content can enter the reasoning loop, every tool the agent holds is an attack surface for prompt injection.
Least Privilege for Tools
The single most important control is least privilege. Give each tool the narrowest scope that still does the job.
- Prefer read-only over read-write; scope reads to the current user's data.
- Split broad tools into narrow ones (a get_invoice tool, not a raw SQL tool).
- Bind tool credentials to the end user's identity, not a shared service account, so the agent inherits only what the user may do.
# Scope queries to the authenticated user, never raw SQL
def get_invoice(invoice_id: str, *, user_id: str):
    # db is the application's database handle (assumed, not defined here);
    # user_id comes from the authenticated session, never from the model's arguments.
    return db.query(
        "SELECT * FROM invoices WHERE id=%s AND owner=%s",
        (invoice_id, user_id),
    )
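The following is an added example, not code from the course, that puts the two sections above together: a minimal tool-dispatch loop in which every tool is registered with a scope, every agent carries an explicit allow-list and maximum scope, and the end user's identity is bound by the dispatcher rather than taken from the model's arguments. The LLM is replaced by a scripted plan so it runs offline; the plan deliberately includes the kinds of calls a prompt-injected model might emit, and the point is that the dispatcher refuses them and records the refusal. The tool names, the in-memory invoice table and the Agent/Tool classes are all constructed for this example.

```python
"""Added example (not from the course page): least-privilege tool dispatch
for an LLM agent.  The model's decisions are simulated by a scripted plan."""
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed in-memory table standing in for the application's database.
INVOICES = {
    "inv-1": {"owner": "alice", "amount": 120.0},
    "inv-2": {"owner": "bob", "amount": 80.0},
}


@dataclass(frozen=True)
class Tool:
    name: str
    scope: str                  # "read" or "write"
    handler: Callable[..., Any]


def get_invoice(invoice_id: str, *, user_id: str) -> dict:
    """Read-only and scoped to the caller: a row owned by someone else is
    indistinguishable from a missing row, so the agent cannot enumerate."""
    row = INVOICES.get(invoice_id)
    if row is None or row["owner"] != user_id:
        raise PermissionError(f"{user_id} may not read {invoice_id}")
    return dict(row)


def send_refund(invoice_id: str, amount: float, *, user_id: str) -> str:
    """A write tool.  It is in the registry, but an agent only gets it if
    its policy grants both the tool name and the 'write' scope."""
    get_invoice(invoice_id, user_id=user_id)   # reuse the ownership check
    return f"refund of {amount} queued for {invoice_id}"


# Narrow, named tools; there is deliberately no "run_sql" entry.
REGISTRY = {
    "get_invoice": Tool("get_invoice", "read", get_invoice),
    "send_refund": Tool("send_refund", "write", send_refund),
}


@dataclass
class Agent:
    user_id: str               # authenticated end user the agent acts for
    allowed_tools: frozenset   # per-agent allow-list (least privilege)
    max_scope: str             # "read" or "write"
    audit: list = field(default_factory=list)

    def call_tool(self, name: str, **args) -> Any:
        tool = REGISTRY.get(name)
        if tool is None or name not in self.allowed_tools:
            self.audit.append(("denied", name, "not in allow-list"))
            raise PermissionError(f"tool {name!r} not granted to this agent")
        if tool.scope == "write" and self.max_scope != "write":
            self.audit.append(("denied", name, "write scope not granted"))
            raise PermissionError(f"tool {name!r} requires write scope")
        # Bind identity here: a user_id supplied by the model is discarded.
        args.pop("user_id", None)
        result = tool.handler(**args, user_id=self.user_id)
        self.audit.append(("ok", name, args))
        return result


def run_agent(agent: Agent, plan: list) -> list:
    """Execute a scripted plan of (tool_name, args) pairs, standing in for
    the model's tool-call decisions.  Denied calls are recorded, not run."""
    outcomes = []
    for name, args in plan:
        try:
            outcomes.append(("ok", agent.call_tool(name, **args)))
        except PermissionError as exc:
            outcomes.append(("denied", str(exc)))
    return outcomes


def support_agent_demo() -> list:
    """A read-only support agent acting for alice, given a plan that mixes a
    legitimate call with calls an injected instruction might produce."""
    agent = Agent("alice", frozenset({"get_invoice"}), "read")
    plan = [
        ("get_invoice", {"invoice_id": "inv-1"}),                 # own data: ok
        ("get_invoice", {"invoice_id": "inv-2"}),                 # bob's row: denied
        ("get_invoice", {"invoice_id": "inv-2", "user_id": "bob"}),  # spoofed id ignored
        ("send_refund", {"invoice_id": "inv-1", "amount": 50.0}),  # not granted
        ("run_sql", {"query": "DROP TABLE invoices"}),             # no such tool
    ]
    return run_agent(agent, plan)


if __name__ == "__main__":
    for outcome in support_agent_demo():
        print(outcome)
```

The ordering of checks matters: the allow-list is consulted before scope, so an unregistered or ungranted tool is refused without ever touching its handler, and the audit list gives a reviewer a record of every refused call, which is exactly the signal that a prompt injection is being attempted against the agent.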