Your AI agent is one tool call away from doing something you didn’t authorize. Here’s the fix.

r/artificial
Generative AI

The attack doesn’t come from your users. It comes from your agent’s environment: the emails it reads, the webpages it visits, the documents it retrieves, the database rows it queries. Every piece of external content your agent processes is a potential instruction source, and your agent has no way to tell the difference between data it was sent to process and commands it should follow. This is not theoretical; it is happening in production systems right now. Once you give an agent tools (email access, browser access, API calls, memory writes), the stakes change completely.
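One mitigation for the problem described above, as an added example that is not the post's own fix: a tool gate that records every external source the agent has read (email, webpage, document, database rows) and refuses side-effecting tool calls proposed after such content entered the context unless an operator has approved them. `AgentSession`, `ToolCall` and the tool names are hypothetical; the model and the approval UI are out of scope.

```python
"""Taint-aware tool gate for an LLM agent (added example, hypothetical names)."""
from dataclasses import dataclass, field

# Tools that only read are always allowed. Tools with side effects are the ones
# an instruction smuggled in via external content would try to trigger.
READ_ONLY = {"read_email", "fetch_page", "search_docs", "query_db"}
SIDE_EFFECT = {"send_email", "http_post", "write_memory", "delete_file"}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class AgentSession:
    # External sources the agent has consumed in this turn (the taint record).
    untrusted_sources: list = field(default_factory=list)
    # Side-effecting tools an operator has explicitly approved for this turn.
    approved: set = field(default_factory=set)

    def ingest(self, source: str, content: str) -> str:
        """Record that external content entered the context and wrap it so the
        model is told it is data to process, not a message from the operator."""
        self.untrusted_sources.append(source)
        return f"<untrusted source={source!r}>\n{content}\n</untrusted>"

    def authorize(self, call: ToolCall) -> tuple[bool, str]:
        """Decide whether a proposed tool call may run without a human in the loop."""
        if call.name in READ_ONLY:
            return True, "read-only tool"
        if call.name not in SIDE_EFFECT:
            return False, f"unknown tool {call.name!r}"
        if not self.untrusted_sources:
            return True, "no external content in context"
        if call.name in self.approved:
            return True, "operator approved this action"
        # Side effect requested after external content was read: hold it.
        return False, (f"{call.name} proposed after reading "
                       f"{', '.join(self.untrusted_sources)}; needs approval")


if __name__ == "__main__":
    s = AgentSession()
    s.ingest("email:inbox/42", "Meeting moved to 3pm.")  # constructed sample
    print(s.authorize(ToolCall("send_email", {"to": "alice@example.com"})))
```

The gate is deliberately coarse: once any external content is in context, every side-effecting call needs an approval, which is the safe default when the model itself cannot distinguish data from commands.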