What is Agent Blast Radius?
The scope of damage an AI agent can cause if it executes an adversarial or mistaken operation. Bounded by issuing scope-locked credentials and enforcing that scope with compile-time scope guards.
Full explanation
AI agents that execute operations (database queries, shell commands, API calls) have a blast radius proportional to the scope they are granted. The SaaStr-Lemkin-Replit and PocketOS-Cursor incidents showed what that looks like in practice: an agent holding production credentials can cause days or months of data loss in a single run. Securie's agent-scope crate enforces scope guards at compile time (the OffensiveRoe newtype pattern), so an operation outside the agent's granted scope fails to build instead of failing in production.
Example
A Cursor agent holding production database credentials has a full DROP TABLE blast radius: one mistaken or injected statement destroys production data. The same agent holding read-only development credentials has a bounded blast radius: the worst case is a wrong read against non-production data.
FAQ
How do I bound blast radius?
Three layers, and each must fail closed: lock scope at credential issuance (an agent receives read-only, non-production credentials by default and production write scope only by an explicit grant); enforce that scope at compile time with agent-scope guards, so out-of-scope operations do not build; and require a Plan-Mode equivalent, where the agent proposes an action and a human approves it before anything executes. If any layer cannot establish the agent's scope, it denies the operation rather than allowing it.
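The following is an added illustration of the compile-time scope guard and fail-closed issuance described in the full explanation and the FAQ answer above. It is example code written for this entry, not the API of Securie's agent-scope crate or its OffensiveRoe type; every name in it (Scope, ReadOnlyDev, ProdWrite, Credential, AgentConn, issue_default, issue_prod_write, HumanApproval) is an assumption made for the example. The scope is carried in the type, so drop_table simply does not exist on a read-only connection, and the only credential path that needs no human approval yields read-only dev scope.

```rust
// Example code for this glossary entry, not Securie's agent-scope crate.
// All type and function names below are assumptions made for illustration.
use std::marker::PhantomData;

// Sealed marker trait: agents cannot define their own scopes.
mod private {
    pub trait Sealed {}
}
pub trait Scope: private::Sealed {
    const NAME: &'static str;
}

/// Read-only, non-production scope: what an agent gets by default.
pub struct ReadOnlyDev;
/// Write scope against production: issued only with explicit human approval.
pub struct ProdWrite;

impl private::Sealed for ReadOnlyDev {}
impl private::Sealed for ProdWrite {}
impl Scope for ReadOnlyDev {
    const NAME: &'static str = "read-only-dev";
}
impl Scope for ProdWrite {
    const NAME: &'static str = "prod-write";
}

/// A credential whose scope lives in the type parameter. There is no method
/// that converts Credential<ReadOnlyDev> into Credential<ProdWrite>.
pub struct Credential<S: Scope> {
    token: String,
    _scope: PhantomData<S>,
}

/// Fail-closed issuance: the path with no approval argument can only
/// produce read-only dev credentials.
pub fn issue_default(agent_id: &str) -> Credential<ReadOnlyDev> {
    Credential { token: format!("dev-ro-{agent_id}"), _scope: PhantomData }
}

/// Evidence of human approval (hypothetical: a change ticket id).
pub struct HumanApproval {
    pub ticket: String,
}

/// The only way to obtain production write scope.
pub fn issue_prod_write(agent_id: &str, approval: HumanApproval) -> Credential<ProdWrite> {
    Credential { token: format!("prod-rw-{agent_id}-{}", approval.ticket), _scope: PhantomData }
}

/// Connection handle parameterised by the credential's scope.
pub struct AgentConn<S: Scope> {
    cred: Credential<S>,
    /// Statements that were actually sent (kept so the example is checkable).
    pub executed: Vec<String>,
}

impl<S: Scope> AgentConn<S> {
    pub fn connect(cred: Credential<S>) -> Self {
        AgentConn { cred, executed: Vec::new() }
    }

    pub fn scope(&self) -> &'static str {
        S::NAME
    }

    /// Reads are available in every scope. The runtime check is a second,
    /// defence-in-depth layer: a raw statement string that reaches this path
    /// is refused unless it is a SELECT, whatever the caller intended.
    pub fn query(&mut self, sql: &str) -> Result<usize, String> {
        let head = sql.split_whitespace().next().unwrap_or("").to_ascii_uppercase();
        if head != "SELECT" {
            return Err(format!("{}: refused non-SELECT statement under scope {}", self.cred.token, S::NAME));
        }
        self.executed.push(sql.to_string());
        Ok(0) // row count placeholder; a real driver would return rows
    }
}

/// Destructive operations are implemented only for AgentConn<ProdWrite>.
/// AgentConn<ReadOnlyDev> has no drop_table at all, so a dev-scoped agent
/// calling it is a compile error (E0599), not a production incident.
impl AgentConn<ProdWrite> {
    pub fn drop_table(&mut self, table: &str) -> Result<(), String> {
        self.executed.push(format!("DROP TABLE {table}"));
        Ok(())
    }
}

fn main() {
    let mut dev = AgentConn::connect(issue_default("agent-7"));
    println!("dev SELECT ok: {}", dev.query("SELECT 1").is_ok());
    println!("dev DROP refused: {}", dev.query("DROP TABLE users").is_err());
    // dev.drop_table("users");
    // ^ does not compile: no method `drop_table` on AgentConn<ReadOnlyDev>

    let approval = HumanApproval { ticket: "CHG-123".to_string() };
    let mut prod = AgentConn::connect(issue_prod_write("agent-7", approval));
    prod.drop_table("users_staging").unwrap();
    println!("prod executed: {:?}", prod.executed);
}
```

The compile-time guard is the impl block restricted to AgentConn<ProdWrite>: the read-only type simply lacks the destructive method, so the blast radius of a dev-scoped agent is fixed before the binary exists. The runtime SELECT check is deliberately redundant with it; scope guards should not rely on a single layer.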