Work AI agents have changed an important boundary: we are no longer talking only about systems that answer with text. Tools like Codex can read a project, propose changes, execute commands, review code, use connected tools, and work inside a real development environment.

That is useful precisely because it brings AI closer to the place where decisions are made and actions are executed. But it also changes the risk. An agent with access to repositories, terminal, browser, CRM, email, automations, or internal documentation is not an abstract assistant. It is an operational layer that can act using our session, our permissions, and our professional identity.

If that layer is misconfigured, compromised, or receives malicious instructions from an untrusted source, the problem is not only that it “makes a mistake.” The problem is that it can produce real actions attributed to a person, a team, or a company. In the worst case, it could enable fraud, impersonation, data leakage, mass sends, system manipulation, or coordinated campaigns that appear legitimate because they come from authorized accounts and tools.

This article complements the guide to privacy and security in sales AI agents, business rules in AI agents, and the analysis of what a sales AI agent should not automate. The focus here is the work environment: development, operations, marketing, sales, documentation, and any process where an agent can use tools on behalf of a person.

In Summary

Controlling AI agents like Codex does not mean slowing down productivity. It means clearly separating what they can read, what they can modify, which tools they can use, when they need human approval, and what is recorded for audit. The real risk is not that the model “wants to do harm,” but combining identity, permissions, data, tools, and scale without sufficient limits.

The practical rule is simple: if an agent can act on your behalf, it must operate with minimum permissions, a scoped environment, controlled network, secrets out of reach, human review for sensitive actions, and complete traceability.

Why a Work Agent Is Not a Chat

A chat responds. A connected agent acts.

That difference changes the security architecture. In a professional environment, an agent can have access to very different layers:

  • Code repositories.
  • Terminal and local scripts.
  • Project files.
  • Package managers.
  • Review and pull request tools.
  • Browser or internal applications.
  • CRM, email, calendars, or documentation.
  • Pipelines, deployments, or credentials if the environment exposes them.
  • Automations that repeat actions at large scale.

Each of these layers expands the risk surface. An isolated failure may be reversible. A failure with tools, permissions, and repeat capacity can become an incident.

That is why these agents should not be evaluated as if they were only a conversational interface. They must be evaluated as operational users with a combination of context, autonomy, and tools.

The Central Risk: Delegated Identity

When a person uses an AI agent inside their environment, many actions can be associated with that person: file changes, executed commands, sent messages, created tickets, opened branches, PR comments, CRM tasks, or actions in connected tools.

If someone compromises that session, abuses an integration, or gets the agent to act on untrusted instructions, the first traceability may point to the legitimate user. The organization may see “this account did it,” even if the person was the victim of an abuse chain.

That is the delicate point: the agent can become an interface of delegated identity. It does not only have intelligence; it has access.

Delegated identity between a person, an AI agent, and internal tools with access and approval layers.
Delegated identity turns the permissions of a legitimate account into a surface that must be scoped, reviewed, and audited.
SurfaceRisk without controlMinimum control
RepositoryUnauthorized changes, introduction of errors, or modifications that are hard to review.Separate branches, human review, tests, and scoped write permissions.
TerminalExecution of commands with unexpected effects.Sandbox, command allowlist, approval for sensitive actions, and logs.
Local filesReading secrets, contracts, personal data, or internal material.Deny-read for .env, keys, credentials, and sensitive folders.
NetworkData exfiltration or calls to unapproved destinations.Network disabled by default or strict domain allowlist.
CRM or emailExternal sends, commercial changes, or campaigns attributed to the company.Granular tools, drafts, volume limits, and human approval.
AutomationsMassive repetition of an incorrect action.Quotas, rate limits, circuit breakers, and flow review.
ProductionDeployments, configuration changes, or access to real data.Environment separation, temporary permissions, and explicit approval.
LogsInability to know what happened.Logging of prompts, commands, tool calls, user, time, and result.

The right question is not “do we trust AI?” The right question is “what could happen if this identity and these permissions are misused?”

Mass Campaigns: When Scale Multiplies the Damage

Automation turns one action into a repeatable pattern. That is valuable when the pattern is legitimate: reviewing tickets, preparing briefings, updating documentation, creating tasks, or generating drafts.

It is also dangerous when the pattern is misdirected. An account with access to email, CRM, social networks, repositories, forms, or ads tools can cause a lot of damage if a compromised agent executes actions in bulk. There is no need to imagine an especially sophisticated system: it is enough to combine broad permissions, low review, lack of volume limits, and an identity that already has internal trust.

The risk is not only in “hacking the model.” It can come from more ordinary places:

  • An open session on an unprotected computer.
  • A token or credential exposed to the agent environment.
  • A connected tool with permissions that are too broad.
  • An external document with malicious instructions.
  • A workflow that executes what the agent returns without validation.
  • An approval policy that is too lax.
  • An environment where repetitive actions are not reviewed until it is already too late.

That is why work agents need scale controls. A low-risk internal action can be automatic. An external, repeated, irreversible, or reputationally sensitive action must have volume limits, approval, observability, and stop capability.

The Prompt Is Not Enough

A good prompt helps orient the agent. An AGENTS.md file helps set repository expectations: verification commands, style rules, project limits, deployment paths, or decisions that require care.

But an instruction does not replace a technical control.

If the agent has write access to the whole system, open network, available secrets, generic tools, and authorization to act without approval, the prompt is carrying responsibilities that should belong to the architecture.

The important limits must live in several layers:

  1. Environment permissions: what it can read and write.
  2. Sandbox: where it can execute commands.
  3. Network: whether it can connect outside and to which domains.
  4. Tools: which specific actions are available.
  5. Approvals: when it must stop and ask for review.
  6. Secrets: which credentials remain out of reach.
  7. Traceability: what is recorded to reconstruct decisions.
  8. Human policy: who reviews changes, exceptions, and incidents.

Instructions are a useful layer. Permissions are the real limit.

Specific Controls for Codex and Development Agents

In the case of Codex, the official documentation describes several relevant pieces for safer operation: sandboxing, approval policies, network control, permission profiles, AGENTS.md, managed configuration, and records for enterprise governance.

The defensive pattern should be this:

Layered controls for a development AI agent: instructions, sandbox, permissions, network, tools, approval, and audit.
A reliable work agent combines project instructions, sandbox, minimum permissions, controlled network, scoped tools, human approval, and records.
LayerHow to apply it
AGENTS.mdDocument repo rules, valid commands, project scope, deployment restrictions, and review criteria.
Read-only modeUse it for exploration, diagnosis, planning, or review without changes.
Scoped workspaceAllow writing only in the necessary work directory, not across the whole system.
Deny-readBlock .env, SSH keys, tokens, credentials, data exports, and personal folders.
Controlled networkKeep network off or limit it to necessary domains.
ApprovalsRequire confirmation for network, sensitive commands, writes outside the workspace, deployments, or destructive actions.
Granular toolsPrefer specific actions over generic “do anything” tools.
Branches and PRsSeparate agent work into reviewable branches with tests and a clear diff.
LogsPreserve enough activity for audit, debugging, and investigation.
Managed configurationIn teams, apply allowed profiles and restrictions from a central policy.

The goal is not to turn every task into bureaucracy. The goal is for autonomy to depend on risk.

Autonomy Matrix

Not all actions require the same level of control. It is useful to separate five levels.

Visual autonomy matrix for AI agents with zones for observation, proposal, draft, limited execution, and high-impact blocking.
Autonomy should grow only when risk decreases: observing and proposing do not have the same impact as executing external actions or touching production.
LevelWhat the agent can doExamplesRecommended control
1. ObserveRead non-sensitive information.Review repo structure, public documentation, non-secret code files.Read-only and basic logs.
2. ProposeSuggest changes without applying them.Refactor plan, diagnosis, security checklist.Human review before editing.
3. PrepareCreate drafts or changes in an isolated branch.Patch, draft PR, internal email, meeting summary.Tests, reviewable diff, and approval before publishing.
4. Execute low riskPerform reversible and scoped actions.Format code, update docs, create an internal task.Minimum permissions, simple rollback, and record.
5. Execute high impactTouch production, send campaigns, modify sensitive data, or act externally.Deployments, mass emails, contractual changes, data deletion.Not autonomous by default; requires explicit approval and additional controls.

This matrix avoids a common trap: treating a documentation fix the same as a deployment, a campaign, or an action on personal data.

What Should Remain Out of Reach

A work agent should not have permanent or automatic access to everything a person can touch.

By default, it is advisable to keep out of reach:

  • .env files and local secrets.
  • SSH keys, API tokens, and deployment credentials.
  • Personal, financial, legal, or health data that is not necessary.
  • Backups and full database exports.
  • Mass sending tools without limits.
  • Production except in very controlled flows.
  • Cloud consoles with broad permissions.
  • Workflows that execute external actions without validation.
  • Private histories or documents that are not linked to the task.

The agent should receive enough context to work, not indiscriminate access to the entire environment.

Signs That the Environment Is Poorly Governed

There are practical signs that should trigger a review:

  • The agent can read secrets without needing to.
  • The same account is used for development, production, and automation.
  • There is no difference between reading, writing, and external actions.
  • The agent can access an open network without traceability.
  • Connected tools do not have specific scopes.
  • Nobody reviews high-impact commands, diffs, or tool calls.
  • There is no central action log.
  • Campaigns or workflows do not have volume limits.
  • There is no clear procedure to revoke permissions.
  • The organization does not know which agents are active or who uses them.

When several of these signs appear, the problem is not the model. It is operational governance.

How to Respond to an Incident

If an AI agent is suspected of having acted incorrectly or been compromised, the response must be practical and fast.

  1. Revoke linked sessions, tokens, and credentials.
  2. Stop related automations and scheduled tasks.
  3. Isolate the environment where the agent operated.
  4. Review logs of commands, tool calls, touched files, sent messages, and network destinations.
  5. Identify changes in repositories, CRM, email, documentation, and production.
  6. Revert incorrect actions when possible.
  7. Rotate secrets that may have been exposed.
  8. Review permissions before reactivating the flow.
  9. Document cause, scope, impact, and added controls.

The response should not depend on remembering what happened in a conversation. It must be reconstructable from verifiable records.

How Nicolás Torres Would Approach It

For Nicolás Torres, control of AI agents starts before connecting them to tools. The initial question is not “what can the agent automate,” but “which identity, data, and permissions will it inherit.”

The approach would be:

  1. Map the environment: repositories, tools, data, credentials, external actions, and owners.
  2. Classify risks: low, medium, or high according to impact, reversibility, sensitivity, and scale.
  3. Define minimum permissions: reading, writing, network, and tools only where they provide value.
  4. Separate identities: human users, service accounts, and automations should not be mixed without criteria.
  5. Design approvals: every external, irreversible, or sensitive action must have human review.
  6. Record activity: commands, changes, tool calls, decisions, user, and result.
  7. Test abuse scenarios: not to teach attacks, but to check that the limits work.
  8. Review periodically: permissions, logs, exceptions, campaigns, integrations, and active access.

A well-governed AI agent can increase productivity without turning the work environment into a black box. Trust should not come from assuming that the agent “will behave well.” It should come from technical limits, human review, and enough traceability to know what happened, who authorized each action, and how to stop the flow if something deviates.

The power of these agents is real. That is exactly why they must be treated as a serious part of the company’s operating system.

Frequently Asked Questions

Why do AI agents like Codex need to be controlled?
Because they can work on repositories, files, terminals, external tools, and organization data. If they have too many permissions, an error or compromise can become real actions carried out with our identity.
What risk appears if an AI agent is compromised?
It can enable unauthorized changes, data leakage, external sends, system manipulation, mass campaigns, or actions that appear to have been performed by a legitimate person or company.
Is writing good prompt instructions enough?
No. Instructions help, but critical limits must be in permissions, sandboxing, human approval, scoped tools, logs, review, and access policies.
What permissions should a work AI agent have?
Only those needed for the specific task: read or write access limited to the workspace, network disabled or allowlisted, secrets out of reach, specific tools, and approval for sensitive actions.
How is misuse of an AI agent detected?
With activity records, traceability of commands and tools, change review, alerts on unusual actions, separation of identities, and the ability to revoke access quickly.

Back to Archive