Agent security as architecture

An artificial intelligence agent is a language model wired to tools, files and accounts, and the security fight is moving from prompts to the walls around those tools. Anthropic and NVIDIA now describe agent safety as a system design problem, not a wording problem. (anthropic.com, blogs.nvidia.com) The basic risk is simple: the same model that reads a malicious webpage or document may also hold access to shell commands, source code, network connections or application programming interface tokens. The Open Worldwide Application Security Project says prompt injection can lead to unauthorized actions, privilege escalation and data exfiltration when agents are connected to tools. (owasp.org, owasp.org) Anthropic’s October 20, 2025 engineering post on Claude Code said its sandboxing uses two operating-system boundaries: filesystem isolation and network isolation. Anthropic said internal use cut permission prompts by 84% and warned that without both boundaries a compromised agent could leak files such as Secure Shell keys or escape to the network. (anthropic.com) Anthropic pushed the separation further on April 9, 2026, when it described Managed Agents as three components: a session, a harness and a sandbox. The company said the session is an append-only log, the harness routes tool calls to infrastructure, and the sandbox is the execution environment where code runs and files are edited. (anthropic.com) NVIDIA is making a parallel case in infrastructure terms. Its OpenShell runtime, announced March 16, 2026 and detailed again on March 23, 2026, sits between an agent and the underlying systems, applies policy out of process, and runs each agent in its own sandbox. (developer.nvidia.com, blogs.nvidia.com) NVIDIA said OpenShell separates agent behavior, policy definition and policy enforcement so the model cannot rewrite the rules that constrain it. The company compared the setup to a browser-tab model, with isolated sessions, controlled resources and runtime permission checks before actions occur. (blogs.nvidia.com) That design maps to a three-zone pattern now showing up across agent systems. One zone reasons over language, a second mediates tool calls and records what happened, and a third performs credentialed execution inside a narrower box. (anthropic.com, developer.nvidia.com) The credential question sits at the center of that split. The Open Worldwide Application Security Project’s guidance for agents and the Model Context Protocol says developers should use per-tool credentials, narrow permissions, separate trust levels and avoid shared tokens because a tool server often acts with its own broad privileges. (owasp.org, owasp.org) NVIDIA is also extending the argument below the application layer. In a March 23, 2026 post on confidential artificial intelligence factories, it said zero-trust deployments should rely on hardware-backed Trusted Execution Environments and cryptographic attestation so data and models can run without trusting the host operating system or administrators. (developer.nvidia.com) The result is a narrower definition of agent security than “write a better system prompt.” The emerging pattern is to keep reasoning, policy and privileged execution in different places, limit credentials to short reach, and preserve append-only records when the agent acts. (anthropic.com, owasp.org)