Build security into your agent from day one, not after the incident

Teams that wire in permission scoping, injection defenses, and audit trails while the agent is being built ship faster and cheaper than teams that retrofit them after the first breach.

B

Balagei G Nagarajan

4 MIN READ


An agent under construction with security controls being welded into its frame rather than painted on afterward
Change them after launch and you are rebuilding the thing while it serves traffic.
— from “Build security into your agent from day one, not after the incident”

Key facts.

  • Classic SDLC research finds a defect costs roughly 30x to 100x more to fix after release than at the design or requirements stage. The curve is steep and it points one way. source
  • OWASP's Top 10 for LLM Applications 2025 ranks Prompt Injection as LLM01, the number one risk, and Excessive Agency as LLM06. Both are squarely agent problems. source
  • The OWASP Gen AI Security Project also published a dedicated Agentic AI threat list in 2025, covering memory poisoning, tool misuse, and privilege compromise that single-prompt models never faced. source
  • Indirect prompt injection hides instructions inside content the agent reads (a document, a web page, a ticket), and current models cannot reliably tell ingested data from a command. source

Why is retrofitting security so expensive for agents specifically?

Security is a design decision, not a patch; the model is no control, since attacks broke 12 defenses past 90% on a frontier system. (source)

Traditional software has a stable attack surface. An agent's surface moves. Every new tool you connect, every document it can read, every memory it writes becomes a new way in. When you add security late, you are not patching one component. You are re-deciding which tools the agent may call, what data each tool returns, how a tool result is trusted, and what gets logged. Those decisions reach into the agent's planning loop, its prompts, its tool schemas, and its data flow. Change them after launch and you are rebuilding the thing while it serves traffic.

Built in from the start, the same controls are cheap. Permission scoping is a config choice when you wire the first tool. A trace is a logging call you add once. Treating untrusted text as untrusted is a rule you set before the agent ever reads a customer email. None of that slows you down at design time. All of it is brutal to add at incident time.

Waterfall chart showing the relative cost to fix a security defect rising from 1x at design to 30-100x post-release

What does "built in" actually look like?

Three concrete patterns separate the agents that pass a security review from the ones that get sent back. Scope every tool to the least privilege it needs, so one injection cannot reach the whole system. Treat all ingested content as data that may be hostile, never as instructions to obey. And capture a reconstructable trace of every decision and tool call, so when something does go wrong you can see what the agent did and why.

ControlBuilt in at designRetrofitted after launch
Permission scopingConfig on first tool wire-upRe-audit every tool the agent can already reach
Injection handlingUntrusted-by-default rule set onceRework prompts and data flow under live traffic
Audit traceOne logging layer, always onReconstruct history you never recorded

This is where the Pattern Intelligence Layer earns its place. Reliability and security at the pattern level mean the controls live around the agent's behavior, not inside a single model you hope behaves. Scope, untrusted-input handling, and tracing become properties of the pattern, enforced the same way on every run, independent of which model you swap in next quarter. That is what survives a model upgrade, and it is what an incident review actually wants to see.

Frequently asked questions

Can't we just pick a more secure model?
No model is the control. Adaptive attacks broke a dozen published defenses against frontier agents. Security has to live in the pattern around the model, not be outsourced to the model.

We are pre-launch. When should security work start?
Now. The cheapest time to scope permissions, define untrusted inputs, and add tracing is while you are wiring the first tool. Every week you wait moves the same work up the cost curve.

Isn't this just slowing down the build?
The opposite. Built-in controls are config and one logging layer. Retrofitted controls are a rebuild under production load. Building in is the faster path to a shippable agent.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.