Ask HN: How do you give AI agents access without over-permissioning?

NBenkovich Monday, February 02, 2026

To make AI agents more efficient, we need to build feedback loops with real systems: deployments, logs, configs, environments, dashboards.

But this is where things break down.

Most modern apps don’t have fine-grained permissions.

Concrete example: Vercel. If I want an agent to read logs or inspect env vars, I have to give it a token that also allows it to modify or delete things. There’s no clean read-only or capability-scoped access.

And this isn’t just Vercel. I see the same pattern across cloud dashboards, CI/CD systems, and SaaS APIs that were designed around trusted humans, not autonomous agents.

So the real question:

How are people actually restricting AI agents in production today?

Are you building proxy layers that enforce policy? Wrapping APIs with allowlists? Or just accepting the risk?

It feels like we’re trying to connect autonomous systems to infrastructure that was never designed for them.

Curious how others are handling this in real setups, not theory.

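A sketch of the policy-enforcing proxy layer the post asks about, added here as an example and not part of the original post. It shows a deny-by-default method and path allowlist, with the broad upstream token held by the proxy instead of the agent. The route patterns and function names are hypothetical and are not taken from any real provider's API.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist of (method, path regex) pairs. The paths are
# hypothetical placeholders for "read logs" and "read env vars".
ALLOW = [
    ("GET", re.compile(r"/v1/projects/[A-Za-z0-9_-]+/logs")),
    ("GET", re.compile(r"/v1/projects/[A-Za-z0-9_-]+/env")),
]

def normalize(raw_target: str) -> Optional[str]:
    """Return the canonical path, or None if the target is ambiguous."""
    decoded = unquote(urlsplit(raw_target).path)
    # Reject double encoding and characters that upstreams parse differently.
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    canonical = posixpath.normpath(decoded)
    # Refuse anything that needed rewriting ("..", "/./", trailing "/"),
    # so the proxy and the upstream can never disagree about the route.
    return canonical if canonical == decoded else None

def decide(method: str, raw_target: str) -> bool:
    """Deny by default; allow only listed (method, path) combinations."""
    path = normalize(raw_target)
    if path is None:
        return False
    return any(m == method.upper() and rx.fullmatch(path) for m, rx in ALLOW)

def upstream_headers(agent_headers: dict, real_token: str) -> dict:
    """Drop the agent's own credentials and attach the broad token proxy-side."""
    kept = {k: v for k, v in agent_headers.items()
            if k.lower() not in ("authorization", "cookie")}
    kept["Authorization"] = f"Bearer {real_token}"
    return kept
```

Only requests for which `decide` returns true are forwarded, and the agent is issued a separate credential that is valid only at the proxy.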