Ask HN: How do you manage permissions for AI agent tool calls in production?

1 | Author: amjadfatmi | 19 days ago | Original post
I'm seeing more teams ship agentic systems that can call real tools (DB writes, deploys, email, billing, internal APIs). Most of the safety patterns I hear are prompt rules + basic validation + "human-in-the-loop for risky stuff."

My question: in a real production environment, what's your enforcement point that the agent cannot bypass? Like, what actually guarantees the tool call isn't executed unless it passes policy?

Some specific things I'm curious about:

Are you enforcing permissions inside each tool wrapper, at a gateway/proxy, or via centralized policy service?

How do you handle identity + authorization when agents act on behalf of users?

Do you log decisions separately from execution logs (so you can answer "why was this allowed?" later)?

How do you roll out enforcement safely (audit-only/shadow mode -> enforcement)?

What failure modes hurt most like policy bugs, agent hallucinations, prompt injection, or tool misuse?

Would love to hear how people are doing this in practice (platform/security/infra teams especially)
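One concrete shape for the enforcement point the post asks about, as an added example and not code from the original post: a gateway that is the only path from the agent to any tool, evaluates a per-tool rule against the user the agent acts for, keeps the decision log separate from the execution log, and runs in shadow or enforce mode. The names (ToolGateway, Principal, build_gateway), the rules and the stand-in tools are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    user: str          # the human the agent acts on behalf of
    roles: frozenset   # authorization derives from the user, never from the agent

def db_write_rule(p, args):
    # constructed policy: admins write any table, editors only 'notes'
    if "admin" in p.roles:
        return True, "admin role"
    if args.get("table") == "notes" and "editor" in p.roles:
        return True, "editor may write notes"
    return False, "db_write needs admin, or editor on notes"

def deploy_rule(p, args):
    # constructed policy: production deploys need the release_manager role
    if args.get("env") == "prod" and "release_manager" not in p.roles:
        return False, "prod deploy needs release_manager"
    return True, "non-prod target or release_manager"

@dataclass
class ToolGateway:
    tools: dict            # tool name -> callable(**args); the agent never gets these directly
    policy: dict           # tool name -> rule(principal, args) -> (allowed, reason)
    mode: str = "shadow"   # "shadow": record verdicts but still run; "enforce": block denials
    decision_log: list = field(default_factory=list)   # answers "why was this allowed?"
    execution_log: list = field(default_factory=list)  # answers "what actually ran?"

    def call(self, principal, tool, args):
        # deny by default: hallucinated tool names and tools with no rule never pass policy
        if tool not in self.tools:
            allowed, reason = False, "unknown tool"
        elif tool not in self.policy:
            allowed, reason = False, "no policy for tool"
        else:
            allowed, reason = self.policy[tool](principal, args)
        self.decision_log.append({"user": principal.user, "tool": tool, "args": args,
                                  "allowed": allowed, "reason": reason, "mode": self.mode})
        if not allowed and (self.mode == "enforce" or tool not in self.tools):
            return {"status": "denied", "reason": reason}
        result = self.tools[tool](**args)   # shadow mode runs it, but the verdict is on record
        self.execution_log.append({"user": principal.user, "tool": tool, "would_deny": not allowed})
        return {"status": "executed", "result": result}

def build_gateway(mode="shadow"):
    # constructed stand-ins for real DB / deploy integrations
    tools = {"db_write": lambda table, row: f"wrote {row} to {table}",
             "deploy": lambda env, sha: f"deployed {sha} to {env}"}
    return ToolGateway(tools, {"db_write": db_write_rule, "deploy": deploy_rule}, mode)
```

Rolling out is then a config change from "shadow" to "enforce" once the decision log shows no unexpected denials.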