Bamboo Flags
← Back to Blog

How to audit your stack before AI agents start touching it

Something changed this week. Gemini started booking Ubers and ordering food autonomously on Android. AI coding assistants now ship mobile apps that let you hand them access to your computer from your phone. MCP clients are embedding third-party tools directly into development environments.

AI agents are no longer reading your documents. They're taking actions in your systems.

If you're still evaluating AI tools, bookmark this and come back when you're ready to connect them. If you're already integrating, read it now.

The shift is happening fast. At some point this year, your business tools will end up on the other end of an autonomous task queue. Your CRM, payment processor, email, deployment pipeline. Most businesses haven't thought seriously about what that means yet.

The audit isn't complicated. You don't need a security team. You need a clear look at what you're connecting and what permissions you're granting.

The risk is already here

This week, The Register reported that a major AI platform's collaboration tools "left the door wide open to remote code execution." Separately, fake interview repositories were caught luring developers into running malware that stole credentials from their machines.

Both happened the same week agents started booking rides and accessing computers remotely. The attack surface expands as the capability does.

The exposure is different from traditional software. Agents can be manipulated through prompt injection. A malicious instruction buried in a document, customer email, or web page can redirect what the agent does next. An agent with write access to your CRM, plus a crafted customer email, is a different category of problem than a phishing link. Phishing requires a human to click. Prompt injection doesn't.

Four things to check before you connect anything

Go through these before you hook up any AI agent to your business systems.

Inventory every credential you're handing over. Write down every integration your AI tools have. Every API key, OAuth connection, service account. Tools like Doppler or 1Password Teams can track this automatically, but even without them, the first step is knowing what you have. If you can't list them from memory in five minutes, you don't have a clear picture.

Give agents only the access they actually need. A customer support agent doesn't need write access to your database. A scheduling assistant doesn't need to see payment records. In practice: create a dedicated API key for each agent with read-only or limited permissions. Don't use your master account key. Scope every connection to the minimum required.

Don't pilot AI tools on your live systems. Most businesses do this because that's where the real data is. That's the wrong order. If you don't have a staging environment, create a free sandbox account for the tool and test there before connecting your real data. A mistake on live data costs more than setting up a sandbox.

Decide up front what agents can do without asking you. Sending a draft email is different from deleting a record. Work out which actions need a human checkpoint and build that into the workflow design now, not after something goes wrong.

The upside is real

None of this is an argument against moving fast. AT&T reported cutting AI orchestration costs by 90% after overhauling how they route agent traffic. The exact baseline isn't public, but the directional result tracks with what other large operators are seeing.

Think about agent access the way you'd think about giving a new contractor a badge and a laptop. You wouldn't hand them your master admin password on day one. You'd give them what they need, watch how they work, and expand from there.

Same logic applies here.

What to actually do this week

Before your next AI integration, ask one question: if this agent makes a mistake or gets manipulated, what's the blast radius?

If you can't answer it, you're not ready to connect it. If you can answer it and the blast radius is contained, move fast.

I've distilled the four steps above into a one-page checklist you can hand to your ops team. Drop your email below and I'll send it over.

The businesses that get this right won't be the most cautious ones. They'll be the ones who built the access model correctly from the start.