Once an agent can act — delete files, run shell commands, call external APIs, spend money — its mistakes (or a malicious prompt) become real-world consequences. The defense is least privilege plus approval gates plus isolation: give it only what it needs, require confirmation for anything irreversible, and run it where it can't do lasting harm.
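As an added example (not part of the original text), here is a small Python policy gate that sits between an agent and its tools and applies all three controls from the paragraph: an explicit tool allowlist, file-path confinement to a sandbox directory, and an approval callback that is consulted before any tool marked irreversible runs. The `AgentGate` class, the tool names and the `demo()` scenario are constructed for illustration.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable

class PolicyViolation(Exception): pass   # raised when the gate blocks a tool call

@dataclass
class AgentGate:
    sandbox: Path                          # isolation: every file path is confined here
    allowed: set[str]                      # least privilege: explicit tool allowlist
    approve: Callable[[str, dict], bool]   # approval gate, consulted for irreversible calls
    # tool name -> (reversible?, implementation); irreversible tools need approval
    tools: dict[str, tuple[bool, Callable[..., str]]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def confine(self, p: str) -> Path:
        # Resolve against the sandbox root and reject anything that escapes it ("../").
        root, target = self.sandbox.resolve(), (self.sandbox / p).resolve()
        if target != root and root not in target.parents:
            self.audit.append(f"DENY path escape: {p}")
            raise PolicyViolation(f"path escapes sandbox: {p}")
        return target

    def call(self, name: str, **args) -> str:
        if name not in self.allowed or name not in self.tools:
            self.audit.append(f"DENY {name}: not permitted")
            raise PolicyViolation(f"tool not permitted: {name}")
        reversible, fn = self.tools[name]
        if "path" in args:
            args["path"] = self.confine(args["path"])
        if not reversible and not self.approve(name, args):
            self.audit.append(f"DENY {name}: approval refused")
            raise PolicyViolation(f"approval refused: {name}")
        self.audit.append(f"ALLOW {name}")
        return fn(**args)

def demo(approve_destructive: bool):
    """Constructed scenario: a scratch sandbox with one file; returns (audit log, delete result)."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("hello")
    gate = AgentGate(root, {"read_file", "delete_file"}, lambda name, args: approve_destructive)
    gate.tools["read_file"] = (True, lambda path: path.read_text())
    gate.tools["delete_file"] = (False, lambda path: path.unlink() or "deleted")
    gate.call("read_file", path="notes.txt")                     # allowed and reversible
    for name, args in [("run_shell", {"cmd": "ls"}), ("read_file", {"path": "../escape"})]:
        try: gate.call(name, **args)                             # blocked: allowlist / sandbox
        except PolicyViolation: pass
    try: result = gate.call("delete_file", path="notes.txt")     # irreversible: needs approval
    except PolicyViolation: result = None
    return gate.audit, result
```

The audit log is the detection side of the same design: every denied call, including a refused approval, is recorded so that a prompt-injected or misbehaving agent shows up in the log rather than on disk.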
