Aman Bansal

We're speed-running 30 years of security mistakes

· ai-security, agents, opinion

Telnet. MySQL root with no password. Public-by-default S3 buckets. We spent twenty years killing insecure defaults.

AI agent frameworks brought them all back — and two other hard-won lessons besides.

Three security lessons mapped to their agent-era regressions: secure-by-default became full tool access out of the box; zero trust became transitive agent trust; defense in depth became a single guardrail model.

Regression one: insecure defaults

Security-by-default was one of the hardest-won lessons in our field. It took breaches, public embarrassment, and a lot of vendor arm-twisting to get to “encrypted by default,” “deny by default,” “least privilege out of the box.”

Now look at how the average agent gets built. Full tool access by default. Every scope granted, because narrowing them is friction. Broad API tokens, because scoping is fiddly. No isolation between the agent’s dev reach and its prod reach. The safe path is extra work, so nobody takes it.

We know exactly how this movie ends, because we’ve watched it. Insecure defaults don’t stay in the lab; they become the production baseline. Defaults are destiny. Whatever the framework makes easy is what ships.

Regression two: flat trust

Every security team says “never trust, always verify.” Then they let one agent implicitly trust whatever the last agent told it.

Zero trust took a decade to win the argument for humans and services: no implicit trust, verify every request, re-check on every hop, assume breach. It’s now basic hygiene. Watch what happens with agents and it’s the pre-zero-trust world all over again. Agent A calls Agent B. B trusts whatever A passed it. B calls C. Trust flows down the chain, verified at exactly zero hops — and an instruction that entered as untrusted data three agents ago is now executing as a trusted command.

That’s not zero trust. That’s the flat network of 2005, rebuilt out of language models. The irony is sharp: we adopted zero trust precisely because transitive trust kept turning small footholds into full breaches. Agents reintroduce transitive trust as a headline feature and call it delegation.

Regression three: the single guardrail

Defense in depth was gospel for thirty years: assume any one layer fails, and make sure another catches it. A single point of failure was something you flagged in a design review, not something you shipped.

A lot of AI security today is the opposite instinct. One classifier in front of the model to catch bad inputs. One filter behind it to catch bad outputs. And an enormous amount of trust that those hold. EchoLeak walked straight through Microsoft’s dedicated injection classifier — not because the classifier was bad, but because a single probabilistic gate in front of a probabilistic system was never going to be enough on its own.

The interesting question was never “how good is the guardrail.” It’s “what catches the attack when the guardrail misses?” If the answer is “nothing,” that’s the gap worth staring at.

Speed-running works both ways

Here’s the upside hiding in all this déjà vu. If we’re speed-running the mistakes, we can speed-run the fixes too — because unlike the first time around, we already know the endings.

It took two decades to establish secure defaults, a decade to sell zero trust, a generation to internalize defense in depth. None of that discovery cost has to be paid again. The principles are proven; the arguments are settled; the only work left is engineering. Frameworks that ship deny-by-default tool scopes, agent-to-agent verification, and layered controls won’t be fighting for mindshare against skeptics — they’ll be meeting demand that already exists.

Last time, the safe path took twenty years because we were learning it. This time we’re just building it. That should take a lot less.

← Back to blog