Secure the system around the agent, not just the prompt.
Modern agents are useful because they can act. The security boundary has to cover the runtime: tools, credentials, local state, approvals, logs, and network reachability.
Each of these is privileged runtime reach and belongs inside that boundary:
Shell commands
Workspace files
Browser sessions
MCP servers
SaaS APIs
Agent memory
Baseline
Three controls to put in place first.
Sandbox the runtime
Put shell, filesystem, browser, and network access inside a constrained profile before agents touch real work: a filesystem view limited to the workspace, an egress allowlist instead of open network access, and a browser profile that inherits none of the operator's logged-in sessions.
Scope credentials
Keep provider keys, SaaS tokens, and local secrets out of broad environment dumps and inject only what a session needs, scoped to that session and revoked when it ends.
Inspect before action
Scan prompts, retrieved content, tool arguments, logs, memory writes, and outbound messages at execution boundaries, where the decision to act is actually made, not only at the prompt.
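The three baseline controls applied to a single shell tool call, as an added example in Python. This is illustrative code, not code from this page or from any product it describes: `SessionPolicy`, `scoped_env`, `inspect_call`, `run_tool` and the `vault` dict are hypothetical, and the secret patterns are rough key shapes, not a real detector. It shows the policy layer only; a real sandbox still needs an OS-level profile (container, seccomp, sandbox-exec) underneath `subprocess`.

```python
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass


# Hypothetical per-session policy (constructed for this example, not a real product API).
@dataclass(frozen=True)
class SessionPolicy:
    workspace: str               # the only directory the tool may touch
    allowed_commands: frozenset  # binaries the session may run, by name
    secrets_needed: frozenset    # env var names injected from the vault
    max_seconds: int = 10        # wall-clock limit per tool call


# Rough shapes of common API keys (assumption for the demo). Used both to refuse
# secrets passed as tool arguments and to redact them from captured output.
SECRET_RE = re.compile(r"(sk-[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})")


def scoped_env(policy, vault):
    """Build the environment for one tool call from scratch. Nothing is inherited
    from os.environ; only the secrets the policy names are copied from `vault`
    (a dict standing in for a real secret store)."""
    env = {"PATH": "/usr/bin:/bin", "HOME": policy.workspace, "LANG": "C"}
    for name in sorted(policy.secrets_needed):
        if name in vault:
            env[name] = vault[name]
    return env


def inspect_call(argv, policy):
    """Policy check at the execution boundary. Returns (allowed, reason)."""
    if not argv:
        return False, "empty command"
    if argv[0] not in policy.allowed_commands:
        return False, "command not in allowlist: " + argv[0]
    root = os.path.realpath(policy.workspace)
    for arg in argv[1:]:
        if SECRET_RE.search(arg):
            return False, "secret-shaped value in tool arguments"
        # Resolve every argument as if it were a path; anything that lands outside
        # the workspace (absolute paths, ../ escapes, symlinks) is refused.
        target = os.path.realpath(os.path.join(root, arg))
        if target != root and not target.startswith(root + os.sep):
            return False, "path escapes workspace: " + arg
    return True, "ok"


def run_tool(argv, policy, vault):
    """Gate, then run: no shell=True, fixed cwd, scoped env, timeout, redacted output."""
    allowed, reason = inspect_call(argv, policy)
    if not allowed:
        return {"allowed": False, "reason": reason}
    proc = subprocess.run(argv, env=scoped_env(policy, vault), cwd=policy.workspace,
                          capture_output=True, text=True, timeout=policy.max_seconds)
    return {"allowed": True, "returncode": proc.returncode,
            "output": SECRET_RE.sub("[REDACTED]", proc.stdout + proc.stderr)}


def demo():
    """Run the gate against a few constructed calls and return the decisions."""
    os.environ["HOST_DB_PASSWORD"] = "hunter2"  # a host secret that must not reach the tool
    vault = {"OPENAI_API_KEY": "sk-demo1234567890", "GITHUB_TOKEN": "ghp_" + "x" * 36}
    with tempfile.TemporaryDirectory() as ws:
        policy = SessionPolicy(ws, frozenset({"env", "ls"}), frozenset({"OPENAI_API_KEY"}))
        return {
            "env": run_tool(["env"], policy, vault),                       # allowed, scoped env
            "shell": run_tool(["sh", "-c", "cat /etc/passwd"], policy, vault),  # sh not allowlisted
            "escape": run_tool(["ls", "../../etc"], policy, vault),        # leaves the workspace
            "secret_arg": run_tool(["ls", "sk-demo1234567890"], policy, vault),  # key in argument
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Three choices carry the example: the environment is built from an empty dict rather than copied from `os.environ`, so the host's secrets and the vault entries the session was not granted never reach the child; `argv` is passed without `shell=True`, so quoting tricks in arguments are inert and only allowlisted binaries run; and output is redacted before it is returned, so whatever later lands in a log or a memory write has already been scrubbed.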