
Key facts.
- The Amazon Q injection drove the agent to run AWS CLI commands against the user's own cloud account, using the agent's access as the attack path (The Register).
- An agent is a classic confused deputy: it acts with its own authority on instructions it should not trust.
- The agent's connected tools and credentials define the attacker's reach once the agent is compromised.
Why is the agent such a useful proxy?
Because it sits inside your trust boundary with real privileges. An external attacker cannot reach your internal API, but your agent can, and an injection lets the attacker borrow that reach without ever holding the credentials. The agent makes the call, the system sees an authorized request, and the attacker gets the result. Defending this means assuming the agent can be turned and limiting what its credentials can do: scope the tools, separate sensitive systems, and gate the actions that would let a compromised agent pivot into your infrastructure.

Trusted deputy vs. constrained deputy
| Trusted deputy | Constrained deputy |
|---|---|
| Full credentials, broad reach | Scoped credentials, limited reach |
| Compromise pivots into infra | Compromise hits a hard boundary |
| Authorized requests unquestioned | Sensitive requests gated |
VibeModel's Pattern Intelligence Layer recognizes when a compromised agent starts making requests that match an attack pattern, a pivot toward internal systems it does not normally touch, and stops it. You scope the agent's credentials and segment your systems; we catch the moment the deputy is being aimed at your infrastructure. Assume the agent can be turned, and bound what it can do when it is.
Frequently asked questions
Does a more capable model reduce the risk of an agent being turned against our internal systems?
An agent with your credentials is a confused deputy aimed at your systems, as Amazon Q showed, and a more capable model holds the same reach: LLMs surface memorized PII. (The Register)
Is this different from a stolen credential?
Yes. No credential is stolen; the agent uses its own legitimately. That is what makes the request look authorized and the attack hard to spot.
How do I limit the pivot?
Scope the agent's credentials tightly, segment sensitive systems, and gate cross-system actions. The smaller the reach, the smaller the breach.

