An agent is a confused deputy with API keys

Attackers do not need access to your connected systems. They have your agent, and your agent has the keys.

B

Balagei G Nagarajan

3 MIN READ


An attacker directing an agent to make authorized requests against internal systems on their behalf

Key facts.

  • The Amazon Q injection drove the agent to run AWS CLI commands against the user's own cloud account, using the agent's access as the attack path (The Register).
  • An agent is a classic confused deputy: it acts with its own authority on instructions it should not trust.
  • The agent's connected tools and credentials define the attacker's reach once the agent is compromised.
Assume the agent can be turned, and bound what it can do when it is.
— from "An agent is a confused deputy with API keys"

Why is the agent such a useful proxy?

Because it sits inside your trust boundary with real privileges. An external attacker cannot reach your internal API, but your agent can, and an injection lets the attacker borrow that reach without ever holding the credentials. The agent makes the call, the system sees an authorized request, and the attacker gets the result. Defending this means assuming the agent can be turned and limiting what its credentials can do: scope the tools, separate sensitive systems, and gate the actions that would let a compromised agent pivot into your infrastructure.

Flow diagram showing an external attacker reaching internal systems only through the compromised agent

Trusted deputy vs. constrained deputy

Trusted deputyConstrained deputy
Full credentials, broad reachScoped credentials, limited reach
Compromise pivots into infraCompromise hits a hard boundary
Authorized requests unquestionedSensitive requests gated

VibeModel's Pattern Intelligence Layer recognizes when a compromised agent starts making requests that match an attack pattern, a pivot toward internal systems it does not normally touch, and stops it. You scope the agent's credentials and segment your systems; we catch the moment the deputy is being aimed at your infrastructure. Assume the agent can be turned, and bound what it can do when it is.

Frequently asked questions

Does a more capable model reduce the risk of an agent being turned against our internal systems?
An agent with your credentials is a confused deputy aimed at your systems, as Amazon Q showed, and a more capable model holds the same reach: LLMs surface memorized PII. (The Register)

Is this different from a stolen credential?
Yes. No credential is stolen; the agent uses its own legitimately. That is what makes the request look authorized and the attack hard to spot.

How do I limit the pivot?
Scope the agent's credentials tightly, segment sensitive systems, and gate cross-system actions. The smaller the reach, the smaller the breach.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.