Day 4 · Lesson 3 — Agent Security & Evaluation

Identity & High-Stakes Actions

An agent must never be the final arbiter of access.

The confused deputy is back. You met it as a tool attack in Day 2; here it's the core identity problem (Pillar 5). The fixes are precise: give the agent its own identity, never the developer's ambient power, hyper-scoped and short-lived, and for the truly dangerous actions, make the human actually understand what they're approving.

Recall first (spacing — from Day 2)

From Day 2 L5: the confused deputy escalates because the deputy checks —

  • Its own rights, not the user's
  • The network latency
  • The tool's display name

Its own permissions, never the user's. Day 4 gives the identity-layer fix: a dedicated agentic identity with hyper-scoped, expiring credentials.

Give the agent its own identity

Vibe prompts are vague ("fix the backend routing"), so agentic workflows are inherently broad. Handing such an agent a shared, long-lived service identity is an unmanageable insider threat. Fix: assign every agent a unique cryptographic identity (e.g. SPIFFE IDs).1

But identity alone isn't enough. The key distinction:

DELEGATED identity  agent acts as the human, inheriting their ambient power   ✗
AGENTIC identity    agent has its OWN identity, tagged agentic, tightly bound  ✓
                    → permissions stay scoped + subject to granular audit

An agent must never be the final arbiter of access. A distinct, observable agentic identity is what makes that enforceable.

Zero ambient authority + JIT downscoping

An agent executing a "vibe" must never inherit the developer's full admin privileges. Instead, Zero Ambient Authority via Just-In-Time downscoping:1 when the agent writes a new script, its sandbox gets fresh, hyper-restricted credentials scoped to exactly the data that script needs (not the parent's broad permissions), and they expire the moment the task ends. There are also file-tree allowlists (deny-by-default) that block secrets, build scripts, and production manifests.

The permissions matrix the paper names: Intent × User × Time. Access is a function of what's being done, by whom, and right now, rather than a standing grant.

High-stakes actions: make the human understand

For actions like modifying a production DB, moving money, or changing IAM, a simple approve/deny button fails, because vibe coders rubber-stamp code they don't understand (confirmation fatigue, the "It Works, Ship It" fallacy). Two boundaries replace the blind button:1

The Vibe Diff is the security-side cousin of Day 1's evals: both close the gap between "looks right" and "is right" before the irreversible action fires.

The governance layer, on identity

Governance overlay · Day 4 Lesson 3

This is VERDICT's Identity pillar, in full

Everything here is I Identity: unique agentic IDs, agentic-vs-delegated distinction, and the audit trail that binds every action to an agent (and the human behind it). Zero ambient authority + JIT is V Validation (scoped, expiring access is a gate on what can be done). The Vibe Diff + hardware MFA are the human-in-the-loop R Runtime Control on sensitive sinks, the same "HITL on high-risk operations" mitigation from Day 2, now with a comprehension step so approval is meaningful.

Ladder read: shared service accounts with standing admin rights = L1's confused-deputy time-bomb. Per-agent identity + Intent×User×Time scoping + comprehension-gated approval = the L3 Controlled identity posture.

Through your three lenses

Individual (IC)

Never run agents under your own admin credentials. Give them a dedicated, scoped identity, and demand a plain-English "what will this actually do?" before authorising anything irreversible.

Team

Standardise JIT downscoped tokens + file-tree deny-by-default. No agent should hold a credential a second longer, or a scope wider, than the task in front of it needs.

Organisation

Mandate per-agent cryptographic identity (SPIFFE), ABAC on Intent×User×Time, and a Vibe-Diff + hardware-MFA gate on the sensitive-sink list. Bind every real-world action to an agent and a human.

Check the reflex

Recall, don't re-read.

To resolve the confused deputy, an agent should authenticate with —

A distinct agentic identity keeps permissions scoped and auditable. Delegated (human) credentials grant dangerous ambient access; shared accounts are an unmanageable insider threat.

"Zero Ambient Authority" is enforced primarily through —

Just-in-time downscoping: fresh, task-scoped credentials that expire the moment the task ends, scoped by Intent × User × Time rather than a standing grant.

The "Vibe Diff" exists to make sure a human —

It translates generated code back into plain English so approval means comprehension, not a rubber stamp, defeating confirmation fatigue on high-stakes actions.

Carry this into the week

Find one agent that can take an irreversible action (write prod, move money, change access). Ask: whose identity does it use, how scoped is it, and does a human ever understand the action before it fires? If it borrows your admin rights and shows a one-click approve, that's the highest-risk gap in your stack.

Go deeper (primary source)

Vibe Coding Agent Security and Evaluation (Day 4), "Identity, Trust & High-Stakes Actions" pp.18–19 (agentic vs delegated identity; zero ambient authority; JIT; elicitation, MFA, the Vibe Diff).


Notes

  1. Kartakis et al., Vibe Coding Agent Security and Evaluation (Day 4), Pillar 5, pp.18–19.

Up next → Day 4 · Lesson 4: Agentic SecOps. Red/Blue/Green teaming at machine speed, intent drift and trust decay, the Agent Trust Score, and the stateful circuit breaker that rolls a drifting agent back without corrupting your systems.

Related: Day 2 L5: confused deputy (tools) · ← Day 4 L2 · Course home