AI Agent Security
AI Agent Security is the set of controls that keep assistants safe when they not only read knowledge but also take actions. Chat-only bots mainly risk bad answers. Agents that call APIs risk unauthorized data access, SSRF, secret leakage, and unaudited writes.
Short definition (citation-ready)
AI agent security is the practice of constraining retrieval and tool use with isolation boundaries, least-privilege credentials, network egress controls, identity propagation, and auditable execution — so assistants cannot become privileged backdoors.
Threat model (practical)
| Risk | Example | Mitigations |
|---|---|---|
| Cross-tenant leakage | Org A retrieves Org B docs | Tenant isolation, workspace indexes |
| Cross-workspace leakage | Customer widget reads HR PDFs | Separate workspaces; channel binding |
| Over-privileged tools | Public chat triggers refund API | Least privilege; separate tools; RBAC |
| SSRF | Tool URL points at cloud metadata | Allowlists, scheme/host checks |
| Secret exposure | API keys in browser or prompts | Encrypted server-side secrets |
| Confused deputy | Tool runs as admin, not end user | Identity forwarding (identify()) |
| Unaudited actions | Nobody knows what the bot changed | Execution + audit logs |
Control layers
How Qefro approaches agent security
| Area | Qefro capability |
|---|---|
| Tenant isolation | Organization boundary on api.qefro.com |
| Workspace isolation | Per-workspace knowledge and tools |
| Employee access | Owner / Admin / Member + Teams |
| Tools | Business Tools with encrypted credentials |
| Actions | Logged Business Actions, SSRF-aware egress |
| Customer identity | Widget identify() → tool headers |
| Docs | Security overview, Tenant isolation, Secrets, Audit logs |
Concept siblings: Business Actions, Multi-tenant AI Architecture.
Hardening workflow
Secure an assistant that can act
- Split audiences — Customer vs employee workspaces; never one mega-index.
- Start read-only — GET tools before POST/PATCH/DELETE.
- Encrypt and rotate secrets — Store in Admin Console; rotate on staffing changes.
- Forward identity — Use identify() so your API authorizes the end user.
- Review logs weekly — Unexpected tool calls are incidents, not curiosities.
Best practices
- Treat the model as untrusted input to your tool layer — validate arguments server-side.
- Prefer idempotent writes and human approval for irreversible actions.
- Do not paste production secrets into prompts, tickets, or browser JS.
- Run a red-team script of prompt-injection attempts against tool-enabled workspaces.
FAQ
Is RAG security different from agent security?
RAG security focuses on retrieval boundaries and data classification. Agent security adds tool authz, egress, identity, and action audit.
Does Qefro prevent all prompt injection?
No vendor can honestly claim that. Qefro reduces blast radius with isolation, least-privilege tools, SSRF controls, and logs.
Where should security review start?
Start with tenant/workspace isolation, then tool scopes, then identity forwarding, then logging — in that order.