You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remotely. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?

(I am uninterested in "Don't run an agent" because, while yes, I see your point, that doesn't mean it's not happening, and security professionals have to deal with what is happening, not what we want to be happening.)

@mjg59

So far, what we've got is this:

LLM access can't happen via normal dev systems. You must use one of two specially designated classes of VM.

"External" VMs can talk to the world, MCPs, LLM services in general, but can't access anything internally.

"Internal" VMs can connect to the internal LLM services and the data sources which have been specifically allowed to them, but not to the outside in any way.

This is unsatisfactory but everything else currently available seems to be worse.
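The two VM classes described in the reply above amount to an egress policy keyed on the VM's class: "external" may reach anything with a globally routable address and nothing else, "internal" may reach only an explicit allowlist of (address, port) pairs, and an ordinary dev system gets no LLM egress at all. The following is an added example, not code from the original thread or from any project the participants run; it models that policy in Python and renders it as an nftables ruleset. The addresses in `INTERNAL_ALLOW` (an LLM gateway on 10.20.0.5:443, a data source on 10.20.1.10:5432) are assumptions chosen for illustration, and the table/chain names are likewise hypothetical.

```python
import ipaddress

# Constructed allowlist for the "internal" class: (destination, TCP port).
# Both addresses are assumed for the example; substitute the real gateway
# and the data sources that have actually been approved for that VM.
INTERNAL_ALLOW = {
    ("10.20.0.5", 443),    # assumed internal LLM gateway
    ("10.20.1.10", 5432),  # assumed permitted data source
}

# Ranges an "external" VM must never reach: anything not globally routed,
# so that a prompt-injected agent cannot pivot into the internal network.
NON_GLOBAL_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8"]
NON_GLOBAL_V6 = ["fc00::/7", "fe80::/10", "::1/128"]


def allowed(vm_class: str, dst_ip: str, dst_port: int) -> bool:
    """Return True if a connection from a VM of vm_class to dst_ip:dst_port
    is permitted under the two-class policy. Unknown classes get nothing."""
    addr = ipaddress.ip_address(dst_ip)
    if vm_class == "external":
        # World-facing: public addresses only. is_global() rejects private,
        # loopback, link-local and shared (100.64/10) space.
        return addr.is_global
    if vm_class == "internal":
        # Internal: exact allowlist match, no "anything on the LAN" shortcut.
        return (str(addr), dst_port) in INTERNAL_ALLOW
    # Normal dev systems are not allowed to talk to LLM services at all.
    return False


def render_nft(vm_class: str) -> str:
    """Emit an nftables ruleset (meant to be loaded inside the guest with
    `nft -f`) that enforces the same policy as allowed(). Default is drop;
    only loopback, reply traffic and the class's permitted egress pass."""
    lines = [
        "table inet llm_egress {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oif "lo" accept',
        "        ct state established,related accept",
    ]
    if vm_class == "external":
        v4 = ", ".join(NON_GLOBAL_V4)
        v6 = ", ".join(NON_GLOBAL_V6)
        lines.append(f"        ip daddr {{ {v4} }} drop")
        lines.append(f"        ip6 daddr {{ {v6} }} drop")
        lines.append("        accept")
    elif vm_class == "internal":
        for ip, port in sorted(INTERNAL_ALLOW):
            lines.append(f"        ip daddr {ip} tcp dport {port} accept")
        # Nothing else: no DNS to the outside, no HTTP to the world.
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for cls in ("external", "internal", "dev"):
        print(f"--- {cls} ---")
        for dst in (("8.8.8.8", 443), ("10.20.0.5", 443), ("10.20.0.5", 80)):
            print(f"{cls:8} -> {dst[0]}:{dst[1]:<5} {allowed(cls, *dst)}")
    print(render_nft("internal"))
```

Two practical caveats the thread does not spell out: enforce the ruleset from the host side (a per-VM filter on the virtual NIC) rather than trusting the guest to keep its own firewall, since the agent runs inside the guest; and note that the internal class in this model has no DNS path out at all, which is deliberate, because a recursive resolver reachable from the internal VM is an exfiltration channel.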