AI Security
AI Security focuses on the risks and defensive patterns associated with deploying Large Language Models (LLMs) and autonomous agents in production environments. It bridges the gap between traditional cybersecurity and the unique nondeterminism of AI.
Core Defensive Patterns
1. Hybrid Governance
As documented in the Replit Security Study, AI-only security scans are insufficient due to:
- Nondeterminism: Syntax changes can lead to different security classifications.
- Dependency Blindness: LLMs lack real-time CVE feeds.
The solution is a Hybrid Architecture:
- Deterministic Layer: Use traditional SAST, DAST, and dependency scanners (e.g., Snyk, Trivy) as the baseline.
- Reasoning Layer: Use LLMs to audit business logic, intent, and complex data flows.
2. Decision-Time Guidance
Instead of front-loading an agent with hundreds of global rules, inject specific, situational constraints at the moment a critical decision is being made. This reduces context noise and improves adherence to security policies.
3. Governance-First Agentic DevOps
In the context of Agentic DevOps, security must be implemented at the infrastructure level:
- IAM Boundaries: Agents should operate with the principle of least privilege (PoLP).
- Read-Only Access: Defaulting to read-only for agents unless explicit write/execute permissions are required.
- Human-in-the-Loop (HITL): Mandatory approval for destructive actions.
4. MCP Token Security
When integrating MCP servers that require authentication (e.g., GitHub PAT, Figma OAuth), token management becomes a security concern:
- GitHub PAT: Must use fine-grained tokens with minimal required permissions. Over-provisioned tokens (e.g., full repo access when only PR read is needed) violate the principle of least privilege.
- Token Lifecycle: Tokens embedded in environment variables or CLI commands are visible in shell history. Rotate tokens regularly and delete them after video demonstrations or temporary setups.
- OAuth Flows: Figma and similar services use OAuth — ensure redirect URIs are validated and tokens are stored securely.
- MCP Permission Scoping: Scope MCP servers to specific subagents to limit which agent contexts have access to sensitive external systems.
See Claude + MCP Explained for the GitHub PAT setup walkthrough and the permission gotcha (PR write access must be explicitly granted).