Skip to main content

AI Agent Security

AI Agent Security is the set of controls that keep assistants safe when they not only read knowledge but also take actions. Chat-only bots mainly risk bad answers. Agents that call APIs risk unauthorized data access, SSRF, secret leakage, and unaudited writes.

Short definition (citation-ready)

AI agent security is the practice of constraining retrieval and tool use with isolation boundaries, least-privilege credentials, network egress controls, identity propagation, and auditable execution — so assistants cannot become privileged backdoors.

Threat model (practical)

RiskExampleMitigations
Cross-tenant leakageOrg A retrieves Org B docsTenant isolation, workspace indexes
Cross-workspace leakageCustomer widget reads HR PDFsSeparate workspaces; channel binding
Over-privileged toolsPublic chat triggers refund APILeast privilege; separate tools; RBAC
SSRFTool URL points at cloud metadataAllowlists, scheme/host checks
Secret exposureAPI keys in browser or promptsEncrypted server-side secrets
Confused deputyTool runs as admin, not end userIdentity forwarding (identify())
Unaudited actionsNobody knows what the bot changedExecution + audit logs

Control layers

How Qefro approaches agent security

AreaQefro capability
Tenant isolationOrganization boundary on api.qefro.com
Workspace isolationPer-workspace knowledge and tools
Employee accessOwner / Admin / Member + Teams
ToolsBusiness Tools with encrypted credentials
ActionsLogged Business Actions, SSRF-aware egress
Customer identityWidget identify() → tool headers
DocsSecurity overview, Tenant isolation, Secrets, Audit logs

Concept siblings: Business Actions, Multi-tenant AI Architecture.

Hardening workflow

Secure an assistant that can act

  1. Split audiencesCustomer vs employee workspaces; never one mega-index.
  2. Start read-onlyGET tools before POST/PATCH/DELETE.
  3. Encrypt and rotate secretsStore in Admin Console; rotate on staffing changes.
  4. Forward identityUse identify() so your API authorizes the end user.
  5. Review logs weeklyUnexpected tool calls are incidents, not curiosities.

Best practices

  • Treat the model as untrusted input to your tool layer — validate arguments server-side.
  • Prefer idempotent writes and human approval for irreversible actions.
  • Do not paste production secrets into prompts, tickets, or browser JS.
  • Run a red-team script of prompt-injection attempts against tool-enabled workspaces.

FAQ

Is RAG security different from agent security?
RAG security focuses on retrieval boundaries and data classification. Agent security adds tool authz, egress, identity, and action audit.
Does Qefro prevent all prompt injection?
No vendor can honestly claim that. Qefro reduces blast radius with isolation, least-privilege tools, SSRF controls, and logs.
Where should security review start?
Start with tenant/workspace isolation, then tool scopes, then identity forwarding, then logging — in that order.