There’s a quiet design mistake buried in most AI agent deployments: capability and scope share a key.

SF Scott Farrell June 22, 2026 scott@leverageai.com.au LinkedIn

There's a quiet design mistake buried in most AI agent deployments: capability and scope share a key.

The agent is "the refund agent," so it can refund. The agent is logged in, so it can see customers. One identity, two jobs. Which means the moment something goes sideways — a prompt injection, a bad tool call, a confused chain — the agent's role becomes a license to roam the database.

Splitting it changes the physics:

– What the role can do (refund up to $500, send from approved templates, escalate) lives on the agent.
– What this task can touch (this customer, this case, this session) is minted per task and dies with it.

Neither side can cover for the other. A compromised role can't reach data it wasn't handed. A leaked task token can't perform actions the role doesn't have. The worst case stops being "agent went rogue across the business" and becomes "one task did the wrong thing inside its own sandbox."

This is why so many pilots stall at security review. Reviewers are being asked to trust a non-deterministic system that writes its own code at runtime. They're right to refuse. The fix isn't more trust — it's an architecture where trust isn't the control surface.

If you can't draw, on one page, where capability ends and scope begins for each of your agents, you don't have AI security. You have hope with a logo on it.

Where does that line sit in your stack today?

Learn more: https://leverageai.com.au/wp-content/media/ebooks/SiloOS.html

Originally posted on LinkedIn


Discover more from Leverage AI for your business

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 Leverage AI, Scott Farrell. All rights reserved. This content is made available on a limited, revocable, read-only basis only. No licence or right is granted to copy, reproduce, republish, scrape, store, adapt, summarise, index, embed, or use this content to create derivative works, work product, deliverables, methodologies, training materials, prompts, templates, software, services, research, or commercial outputs, whether by humans or machines, without prior written permission. This restriction includes internal business use, client work, consulting, advisory, implementation, and any use in or for artificial intelligence, machine learning, data extraction, retrieval, evaluation, fine-tuning, or knowledge-base construction.