Day 4 · Lesson 3 — Agent Security & Evaluation
An agent must never be the final arbiter of access.
The confused deputy is back. You met it as a tool attack in Day 2; here it's the core identity problem (Pillar 5). The fixes are precise: give the agent its own identity, never the developer's ambient power, hyper-scoped and short-lived, and for the truly dangerous actions, make the human actually understand what they're approving.
From Day 2 L5: the confused deputy escalates because the deputy checks —
Its own permissions, never the user's. Day 4 gives the identity-layer fix: a dedicated agentic identity with hyper-scoped, expiring credentials.
Vibe prompts are vague ("fix the backend routing"), so agentic workflows are inherently broad. Handing such an agent a shared, long-lived service identity is an unmanageable insider threat. Fix: assign every agent a unique cryptographic identity (e.g. SPIFFE IDs).1
But identity alone isn't enough. The key distinction:
DELEGATED identity agent acts as the human, inheriting their ambient power ✗
AGENTIC identity agent has its OWN identity, tagged agentic, tightly bound ✓
→ permissions stay scoped + subject to granular audit
An agent must never be the final arbiter of access. A distinct, observable agentic identity is what makes that enforceable.
An agent executing a "vibe" must never inherit the developer's full admin privileges. Instead, Zero Ambient Authority via Just-In-Time downscoping:1 when the agent writes a new script, its sandbox gets fresh, hyper-restricted credentials scoped to exactly the data that script needs (not the parent's broad permissions), and they expire the moment the task ends. There are also file-tree allowlists (deny-by-default) that block secrets, build scripts, and production manifests.
The permissions matrix the paper names: Intent × User × Time. Access is a function of what's being done, by whom, and right now, rather than a standing grant.
For actions like modifying a production DB, moving money, or changing IAM, a simple approve/deny button fails, because vibe coders rubber-stamp code they don't understand (confirmation fatigue, the "It Works, Ship It" fallacy). Two boundaries replace the blind button:1
The Vibe Diff is the security-side cousin of Day 1's evals: both close the gap between "looks right" and "is right" before the irreversible action fires.
Everything here is I Identity: unique agentic IDs, agentic-vs-delegated distinction, and the audit trail that binds every action to an agent (and the human behind it). Zero ambient authority + JIT is V Validation (scoped, expiring access is a gate on what can be done). The Vibe Diff + hardware MFA are the human-in-the-loop R Runtime Control on sensitive sinks, the same "HITL on high-risk operations" mitigation from Day 2, now with a comprehension step so approval is meaningful.
Ladder read: shared service accounts with standing admin rights = L1's confused-deputy time-bomb. Per-agent identity + Intent×User×Time scoping + comprehension-gated approval = the L3 Controlled identity posture.
Never run agents under your own admin credentials. Give them a dedicated, scoped identity, and demand a plain-English "what will this actually do?" before authorising anything irreversible.
Standardise JIT downscoped tokens + file-tree deny-by-default. No agent should hold a credential a second longer, or a scope wider, than the task in front of it needs.
Mandate per-agent cryptographic identity (SPIFFE), ABAC on Intent×User×Time, and a Vibe-Diff + hardware-MFA gate on the sensitive-sink list. Bind every real-world action to an agent and a human.
Recall, don't re-read.
To resolve the confused deputy, an agent should authenticate with —
A distinct agentic identity keeps permissions scoped and auditable. Delegated (human) credentials grant dangerous ambient access; shared accounts are an unmanageable insider threat.
"Zero Ambient Authority" is enforced primarily through —
Just-in-time downscoping: fresh, task-scoped credentials that expire the moment the task ends, scoped by Intent × User × Time rather than a standing grant.
The "Vibe Diff" exists to make sure a human —
It translates generated code back into plain English so approval means comprehension, not a rubber stamp, defeating confirmation fatigue on high-stakes actions.
Find one agent that can take an irreversible action (write prod, move money, change access). Ask: whose identity does it use, how scoped is it, and does a human ever understand the action before it fires? If it borrows your admin rights and shows a one-click approve, that's the highest-risk gap in your stack.
Vibe Coding Agent Security and Evaluation (Day 4), "Identity, Trust & High-Stakes Actions" pp.18–19 (agentic vs delegated identity; zero ambient authority; JIT; elicitation, MFA, the Vibe Diff).
Up next → Day 4 · Lesson 4: Agentic SecOps. Red/Blue/Green teaming at machine speed, intent drift and trust decay, the Agent Trust Score, and the stateful circuit breaker that rolls a drifting agent back without corrupting your systems.
Related: Day 2 L5: confused deputy (tools) · ← Day 4 L2 · Course home