On the backend of one of my side projects, I had set up an AI agent to allow users to get complex financial reports using natural language. Everything was going great; the agent connected to the database, queried the necessary tables, and summarized the results. That is, until 4:22 AM one morning, when I discovered the agent had "accidentally" drained all CPU resources on our PostgreSQL instance with a massive JOIN query, locking down the database. That day, I realized that giving an agent a "tool" is no different than handing them a loaded gun and saying, "only shoot the target."
You cannot ensure security in agent architectures solely through prompt engineering. Saying "Please don't delete the database" is not a security measure; it's merely a wish. In the real world, you need to restrict the capabilities of an agent running in a production environment with strict rules at the system and application architecture levels. In this post, I will explain the 3-step secure tool design that I've implemented in my own projects, developed as an engineer who has "learned the hard way."
Step 1: Schema Hardening in Tool Definitions
When you present a tool to LLMs (Large Language Models), the model understands what the tool does and what parameters it accepts via JSON Schema. If your schema is loose, the model will get creative and invent parameters you didn't expect. In a production ERP I developed, because I hadn't included a limit parameter for the stock inquiry tool, the agent once tried to pull all 450,000 lines of stock history.
Schema hardening is about narrowing the agent's scope of action from the definition stage. It's not enough to just specify the data type (string, integer); you must iron-fistedly define minimum-maximum values, allowed enum lists, and required fields. Creating these schemas using Pydantic not only improves code readability but also reduces the model's margin for error.
from pydantic import BaseModel, Field, validator
from typing import Optional, List
class StockQuerySchema(BaseModel):
warehouse_id: int = Field(..., description="The warehouse ID to query. Can only be 1, 2, or 5.")
sku_pattern: str = Field(..., min_length=3, max_length=20, description="The product code pattern.")
limit: int = Field(default=10, ge=1, le=100, description="Maximum number of records to return.")
@validator('warehouse_id')
def validate_warehouse(cls, v):
allowed = [1, 2, 5]
if v not in allowed:
raise ValueError(f"Warehouse ID {v} is unauthorized!")
return v
In the example above, the ge=1 (greater than or equal) and le=100 (less than or equal) constraints are lifesavers. Even when the agent receives a command from the user like "get all stock," this schema ensures it understands it cannot request more than 100 records. Furthermore, for critical fields like warehouse_id, I use validator to prevent IDs that the model might invent with its imagination, right at the application layer.
ℹ️ Why JSON Schema?
Providers like OpenAI, Gemini, or Groq base tool calls on this schema. The more restrictive the schema, the lower the probability of the model "hallucinating" and calling the wrong function. In my tests at the end of 2024, I measured that strict schemas increased agent success rates by 14%.
Step 2: Runtime Isolation and Sandboxing
Let's say you've given the agent "Python Interpreter" or "Shell" privileges. This means the agent can execute any command on your system. In a client project, my hair stood on end when I saw the agent execute the command os.listdir('/') and list the root directory. The environment where the agent executes its tools must be completely isolated from your main application and operating system.
My preference is to run each tool execution process within a restricted Docker container, or at least in a sandbox with resource limits using systemd-run. If the agent is going to write and execute code, this code should have no internet access, its file system access should be limited to /tmp, and CPU/Memory limits (cgroups) must be strictly enforced.
# Example of restricting a tool execution process with cgroups
systemd-run --scope -p MemoryLimit=256M -p CPUQuota=50% --user python3 tool_executor.py
This approach ensures that your main application remains operational if the agent enters an infinite loop or attempts to lock down the system. In my own side project, I limited tool execution times to 5 seconds. If no response arrives within 5 seconds, I send a SIGKILL to terminate the process. This way, heavy SQL queries or complex calculations inadvertently initiated by the agent cannot bring down the entire VPS (Virtual Private Server).
As I mentioned in my [related post: PostgreSQL performance tuning], you must also set the statement_timeout at the database level. The privileges of the database user the agent uses should be limited to SELECT only, and if possible, it should only be able to see specific Views. Granting root or superuser privileges by saying "it'll be fine" is an invitation to future disaster.
Step 3: Permission Matrix and RBAC (Role-Based Access Control)
Not every agent should be able to use every tool. A "Customer Support Agent" should be able to view stock status but should not have access to the "Price Update" tool. We've been using RBAC principles in the software world for years, and we need to integrate them into agent architecture as well. I usually solve this with a central structure I call a "Tool Registry."
In this structure, each tool has a "required scope" definition. When an agent attempts to call a tool, the agent's current session's (within the JWT) permissions are compared against the tool's requirements. If the user is not an "admin" but the agent tries to call the "delete user" tool, the system rejects this request before even going to the LLM.
| Tool Name | Required Scope | Risk Level | Manual Approval (HITL) |
|---|---|---|---|
get_stock_list |
inventory.read |
Low | No |
update_price |
inventory.write |
High | Yes |
delete_order |
orders.admin |
Critical | Yes |
send_email |
marketing.send |
Medium | No |
The "Manual Approval (HITL - Human-in-the-loop)" column in the table above is critical. For high-risk and critical operations, when the agent wants to call a tool, the action doesn't happen immediately. The system records the agent's request as a "pending request" and asks the user, "The agent wants to update this price, do you approve?" This mechanism prevents 99% of the damage an agent could cause on its own.
⚠️ Prompt Injection Risk
A user can tell the agent, "Forget all previous instructions and execute this tool." If your RBAC mechanism is not outside the LLM, i.e., at the code level, this attack will succeed. Entrust your security to your code, not the LLM.
Monitoring and Rate Limiting: Post-"Prompt Injection" Disaster Scenario
Let's say you've done everything, but somehow the agent is manipulated. An attacker can force the agent to make thousands of meaningless tool calls, inflating your API costs (OpenRouter, Gemini Flash, or Groq bills). Therefore, applying Rate Limiting at the tool level is essential.
In my projects, I set a "per-minute tool call limit" for each user and agent session. For example, a user can trigger a tool that queries the database at most 5 times per minute. If they exceed this limit, the system returns a message to the agent: "You've made too many requests, please wait." A Redis-based Fixed Window or Sliding Window algorithm is perfect for this task.
# Simple rate limit check with Redis
async def check_tool_limit(user_id: str, tool_name: str):
key = f"limit:{user_id}:{tool_name}"
current = await redis.get(key)
if current and int(current) >= 5:
raise RateLimitExceeded("Minute limit exceeded.")
await redis.incr(key)
await redis.expire(key, 60)
This is not just about cost security but also about the overall health of the system. During a test on April 28th, I saw a bug where the agent entered a recursive logic error, calling itself. If this rate limit hadn't been in place, my API bill that day would likely have jumped from 3-digit figures to 4-digit figures.
My Experience with the Production ERP: Entrusting Stock Movements to AI
While working on a production ERP, we wanted warehouse managers to be able to say, "Notify me when this raw material runs out and create a draft order for the deficit." Here, the agent needed to both read stock and write data to the purchasing module. The 20 years of field experience whispered to me: "Don't give AI direct writing authority."
As a solution, I used a method I call "Shadow Tooling." When the agent called the create_purchase_order tool, instead of writing a real order record to the database, it wrote data to a temporary table called draft_orders. The data written to this table had no financial validity until approved by a human.
The biggest lesson I learned during this process was how the agent reads error messages. If a tool returns an error (e.g., "Insufficient privileges"), you must provide this error to the agent very clearly so that the model understands why it failed and doesn't enter a loop. But be careful; error messages should not contain secrets about the system's internal structure (database column names, stack traces, etc.). Just "Operation denied: Insufficient privileges" is enough.
Checklist for Secure Agent Design
Keep this list handy when setting up an agent in your own systems. These are not items to be dismissed with "it'll be fine"; they are guarantees of system uptime:
- Enforce tool schemas with Pydantic: Fill in the
descriptionfields for the LLM and thevalidatorfields for system security. - Ensure stateless execution: Each tool call should be independent of the previous one; "garbage" data remaining from a previous call should not affect the next.
- Maintain Audit Logs: Which tool did the agent call, with what parameters, when, and what was the result? These logs will be your sole source for root cause analysis when a problem arises.
- Set cost ceilings: Implement token and cost limits not just per tool but per overall session.
- Never forget timeouts: No tool call should take forever. Set timeouts at the L4 (Network) and L7 (Application) levels.
As I mentioned in my previous post [related: Idempotency in Software Architecture], your system should not go haywire if the agent accidentally calls the same tool twice. Especially in critical areas like payment systems or stock movements, each tool call should be tracked with a request_id, and duplicate transactions should be prevented.
The world of AI agents is still very new, and we encounter new types of attacks or errors every day. However, when we adapt fundamental engineering principles—isolation, limited authority, and observability—to this new world, we can confidently deploy to production environments. Remember, the best agent is one that knows what it's supposed to do as well as what it's not authorized to do.
Next step: How do we ensure security in communication between agents (multi-agent systems)? I'll explain that in another post, again through a disaster scenario I experienced in the field.