zlacker

[parent] [thread] 2 comments
1. coding+(OP)[view] [source] 2026-01-14 21:59:05
You need to secure the account an LLM-based app runs under, just like you would any user, AI or not. When you hire real people, do you grant them full privileges on all systems and just ask them not to touch things they shouldn't? No, you secure their accounts to the specific privileges they need, and no more. Do the same with AI.
replies(1): >>icedch+ds
2. icedch+ds[view] [source] 2026-01-15 00:15:43
>>coding+(OP)
You'd be surprised. I've worked at multiple startups where employees were given prod access with zero oversight on day one: AWS, sudo access, database passwords, everything. The one startup that didn't do that never launched. Occasionally there were accidents: wrong branch deployed, bulk updates to DNS taking down most of the site, etc.
replies(1): >>coding+7v
◧◩
3. coding+7v[view] [source] [discussion] 2026-01-15 00:34:33
>>icedch+ds
Sure, so draw a different line - not all devs have access to withdraw cash from the corporate accounts, or to open the email of the CEO and board, etc. There are always lines of privilege drawn. The point isn't to quibble over where they are drawn, it is to point out that you need to do the same for LLMs. Don't trust them to behave. Enforce limits on their privileges.
[go to top]