<article>
<h1>How to Secure AI Assistants End to End</h1>
<p data-speakable="summary">Set up data-layer controls, encryption, and audit logs to reduce AI assistant security risk.</p>
<p>This guide is for developers, platform engineers, and security teams shipping AI assistants that can read files, call tools, or touch internal systems. After you follow the steps, you will have a practical security baseline for AI assistants: scoped access, encrypted data paths, auditable actions, and a review process for risky prompts and tool calls.</p>
<p>It focuses on the failure mode highlighted in recent reporting from <a href="https://www.techrepublic.com/article/news-ai-agent-data-layer-security-may-2026-2/">TechRepublic</a>: an assistant does not need to "go rogue" to cause a security incident. An over-privileged assistant doing exactly what it was asked is enough, which is why the data, retrieval, and tool layers have to be governed before the assistant ships rather than after the first incident.</p>
<h2>Before you start</h2>
<ul>
<li>Node 20+ or Python 3.11+ for your app and security checks.</li>
<li>An AI provider account and API key for the assistant you are deploying.</li>
<li>A secrets manager such as AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager.</li>
<li>A database or object store with encryption at rest enabled.</li>
<li>Centralized logging, such as Datadog, Splunk, or CloudWatch, with OpenTelemetry if you want vendor-neutral collection in front of it.</li>
<li>Basic IAM or RBAC access to create service accounts, roles, and policies.</li>
<li>GitHub repo access for your application and infrastructure code, plus the vendor docs for your model or agent framework, such as the <a href="https://platform.openai.com/docs">OpenAI docs</a> and <a href="https://github.com/openai/openai-agents-python">OpenAI Agents SDK</a> if you use that stack.</li>
</ul>
<h2>Step 1: Map assistant permissions to one service account</h2>
<p>Your first goal is to make the assistant operate through a single, constrained identity instead of inheriting broad human access. That gives you one place to define what the <a href="/tag/agent">agent</a> can read, write, and invoke, and one principal to look for in audit logs.</p>
<figure class="my-6"><img src="https://xxdpdyhzhpamafnrdkyq.supabase.co/storage/v1/object/public/covers/inline-1779983283626-3sqk.png" alt="How to Secure AI Assistants End to End" class="rounded-xl w-full" loading="lazy" /></figure>
<p>Create a dedicated service account or role for the assistant, then explicitly allow only the APIs, databases, folders, and queues it needs. If the assistant can search tickets, it should not also be able to delete records or export full datasets unless those actions are separately approved. Write the policy as an allowlist with no wildcard actions; anything the assistant needs later is a deliberate, reviewed addition.</p>
<pre><code># Example IAM-style policy for the assistant role (AWS syntax).
# s3:ListBucket applies to the bucket ARN and s3:GetObject to the objects
# under it; granting both on "support-kb/*" alone leaves ListBucket denied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListSupportKnowledgeBase",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::support-kb"]
    },
    {
      "Sid": "ReadSupportKnowledgeBaseObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::support-kb/*"]
    },
    {
      "Sid": "QueryFaqIndex",
      "Effect": "Allow",
      "Action": ["dynamodb:Query"],
      "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/faq-index"]
    }
  ]
}</code></pre>
<p>You should see the assistant authenticate as its own identity in your logs (in AWS, CloudTrail records the role ARN on every call), and denied actions should fail with an explicit authorization error such as AccessDenied rather than succeeding through inherited privileges. A quick negative test is to have the assistant attempt a write it was never granted and confirm that the denial, not a success, shows up in the log.</p>
<h2>Step 2: Classify and isolate sensitive data paths</h2>
<p>The next goal is to prevent the assistant from treating all data as equally safe. Separate public, internal, confidential, and regulated data so the agent only reaches the minimum category required for each task.</p>
<figure class="my-6"><img src="https://xxdpdyhzhpamafnrdkyq.supabase.co/storage/v1/object/public/covers/inline-1779983283255-4kmu.png" alt="How to Secure AI Assistants End to End" class="rounded-xl w-full" loading="lazy" /></figure>
<p>Tag records and files with sensitivity labels, then route them through different storage buckets, indexes, or retrieval filters. For retrieval-augmented generation, add a policy layer before search so the assistant cannot pull customer secrets, tokens, or private source code into a prompt unless the user and task are authorized.</p>
<p>In practice, this means applying row-level security, document ACLs, and content filters before the model sees any text. If you use embeddings, keep the vector index aligned with the same access rules as the source data, not looser rules. Apply the filter inside the index query rather than on the top-k results: a post-hoc filter lets unauthorized documents occupy result slots and can reveal, through the gaps it leaves, that restricted content matched.</p>
<p>You should see the assistant returning only the documents a user is allowed to access, and redacted or blocked content should never appear in prompt traces or response logs.</p>
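<p>The following Python is an added example of the retrieval-layer policy described in Step 2; it is written for this page and is not code from the original article or from any vendor SDK. The corpus, the principals, the group names and the hashed bag-of-words "embedding" are all constructed stand-ins so it runs offline; a real deployment would swap in its embedding model and document store. It shows the two points above in code: authorization runs before top-k ranking, and one <code>can_read</code> rule is shared by the source store and the index, with an audit function that catches an index whose copied labels have drifted looser than the source.</p>

```python
"""Retrieval-layer access control for a RAG assistant (added example).
Documents carry a sensitivity label and an ACL; the index applies the
caller's permissions before ranking, and an audit check confirms the index
never grants more than the source store. Corpus, users and the hashed
bag-of-words 'embedding' are constructed stand-ins for real components."""
import hashlib
import math
from dataclasses import dataclass

# Ordered sensitivity levels from Step 2.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    label: str
    acl: frozenset  # groups allowed to read; empty means clearance alone suffices

@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: str
    groups: frozenset

def can_read(p: Principal, d: Doc) -> bool:
    """Single authorization rule shared by the document store and the index."""
    if LEVELS[p.clearance] < LEVELS[d.label]:
        return False
    return not d.acl or bool(p.groups & d.acl)

def embed(text: str, dim: int = 16) -> list[float]:
    """Deterministic toy embedding so the example runs offline."""
    v = [0.0] * dim
    for tok in text.lower().split():
        v[int(hashlib.sha256(tok.encode()).hexdigest(), 16) % dim] += 1.0
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]

class SecureIndex:
    """Vector index whose rows carry a copy of the label/ACL taken at ingest.
    Filtering happens before top-k selection, so unauthorized documents never
    occupy a result slot or influence what the model sees."""
    def __init__(self, docs: list[Doc]):
        self.rows = [(d, embed(d.text)) for d in docs]

    def search(self, p: Principal, query: str, k: int = 3) -> list[Doc]:
        q = embed(query)
        allowed = [(d, v) for d, v in self.rows if can_read(p, d)]
        allowed.sort(key=lambda dv: sum(a * b for a, b in zip(q, dv[1])), reverse=True)
        return [d for d, _ in allowed[:k]]

def index_drift(index: SecureIndex, source: dict[str, Doc],
                principals: list[Principal]) -> list[str]:
    """Audit: anything the index would return to a principal must also be
    readable in the source store. Catches labels tightened after ingest
    without a re-index. Returns 'user:doc' pairs that violate the rule."""
    return [f"{p.user_id}:{d.doc_id}" for p in principals for d, _ in index.rows
            if can_read(p, d) and not can_read(p, source[d.doc_id])]

# Constructed sample corpus and principals (not real data).
SOURCE = {d.doc_id: d for d in [
    Doc("kb-1", "how to reset a customer password", "public", frozenset()),
    Doc("kb-2", "internal escalation runbook for billing", "internal", frozenset()),
    Doc("kb-3", "customer api token rotation procedure", "confidential",
        frozenset({"support-leads"})),
    Doc("kb-4", "regulated payment card dispute records", "regulated",
        frozenset({"compliance"})),
]}
INDEX = SecureIndex(list(SOURCE.values()))
AGENT = Principal("support-bot", "internal", frozenset({"support"}))
LEAD = Principal("u_1842", "confidential", frozenset({"support", "support-leads"}))

def demo() -> dict:
    """Same query from the assistant identity and from a support lead, plus the
    drift audit before and after kb-2 is reclassified in the source store."""
    tightened = dict(SOURCE)
    tightened["kb-2"] = Doc("kb-2", SOURCE["kb-2"].text, "confidential",
                            frozenset({"support-leads"}))
    return {
        "bot": [d.doc_id for d in INDEX.search(AGENT, "api token rotation")],
        "lead": [d.doc_id for d in INDEX.search(LEAD, "api token rotation")],
        "aligned": index_drift(INDEX, SOURCE, [AGENT, LEAD]),
        "drifted": index_drift(INDEX, tightened, [AGENT, LEAD]),
    }
```

<p>Run <code>demo()</code> to see the assistant's own identity get only the public and internal hits for a query that clearly targets the confidential token-rotation document, while a lead with the right group sees it. The drift audit returns nothing while index and source agree, and flags <code>support-bot:kb-2</code> the moment the source store reclassifies that runbook without the index being rebuilt, which is the "looser rules" failure the step warns about.</p>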
<h2>Step 3: Encrypt secrets and assistant data in transit and at rest</h2>
<p>Your goal here is to make intercepted traffic or stolen storage less useful to an attacker. Encryption does not replace access control, but it reduces the blast radius if a <a href="/tag/token">token</a>, bucket, or database is exposed.</p>
<p>Store <a href="/tag/api">API</a> keys, database credentials, and signing secrets in a secrets manager, not in environment files or source code. Use TLS with certificate verification turned on for every hop between the client, orchestrator, model endpoint, retrieval service, and data store; a client that disables verification gets none of the protection TLS is supposed to provide. Enable encryption at rest on every persistent system that holds prompts, outputs, embeddings, or audit trails, and treat stored embeddings with the same sensitivity as the text they were computed from, since they can reveal a good deal of it.</p>
<p>If you need to persist conversation history, encrypt it with a managed key and limit retention to the shortest period your product needs. Rotate keys on a schedule and after any suspected compromise.</p>
<p>You should see secrets missing from code search, TLS enabled in network traces, and encrypted storage settings active in your cloud console or infrastructure plan.</p>
<h2>Step 4: Log every tool call and prompt decision</h2>
<p>The goal of this step is to create an audit trail that explains what the assistant saw, what it tried to do, and why a request was allowed or denied. This is essential when the assistant makes a bad call without obvious malicious intent.</p>
<p>Log the prompt hash, user identity, session ID, tool name, target resource, policy decision, and result code for every action. Log the hash rather than the raw prompt so that reviewers can correlate events with a prompt kept in a separately controlled store without copying secrets or personal data into the log pipeline. Keep the logs separate from the assistant's normal application logs so security reviewers can search them quickly and preserve them for incident response.</p>
<pre><code>{
  "ts": "2026-05-28T15:47:27Z",
  "event": "tool_call",
  "user_id": "u_1842",
  "session_id": "sess_7f2c",
  "prompt_hash": "sha256:8b1c...",
  "tool": "create_ticket",
  "resource": "zendesk",
  "decision": "deny",
  "reason": "missing approval scope",
  "result": "not_executed"
}</code></pre>
<p>You should see a complete trail for each tool invocation, and a security reviewer should be able to reconstruct who asked for what, which policy was applied, and whether the action succeeded.</p>
<h2>Step 5: Add approval gates for high-risk actions</h2>
<p>Now you need to stop the assistant from taking irreversible actions on its own. High-risk operations should require a human approval step or a second policy check before execution.</p>
<p>Classify actions such as sending external email, deleting records, changing IAM roles, exporting customer data, or opening network access as high risk. For those actions, make the assistant draft the request, but pause execution until a reviewer approves it in a separate workflow.</p>
<p>You can implement this with a queue, a ticketing system, or a custom approval service. The important part is that the assistant cannot bypass the checkpoint by rephrasing the request or retrying the tool call. That means classifying risk on the tool and its target, never on the wording of the prompt, keying each pending approval on the canonical action (identity, tool, arguments) so a retry collapses onto the same request, consuming an approval on first use, and keeping the approval endpoint itself out of the assistant's tool set.</p>
<p>You should see risky actions land in an approval queue, and only approved requests should reach the downstream system.</p>
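<p>Steps 1, 4 and 5 together describe a single component: a gateway that sits between the model and its tools, enforces the per-identity allowlist, writes the audit record, and parks high-risk calls until a reviewer approves them. The Python below is an added example of that gateway for this page; it is not code from the original article or from any agent framework. The tool names, scopes, risk classes, secret patterns, identities and the in-memory approval queue are assumptions standing in for your tool registry, your token's granted scopes, and a real queue or ticketing system.</p>

```python
"""Tool-call gateway for an AI assistant (added example): per-identity
allowlist, audit records with hashed and redacted prompts, and approval
gates for high-risk actions. Tool names, scopes and the in-memory queue
are assumptions standing in for a real tool registry and ticket system."""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Allowlist per service identity; anything not listed is denied, with no
# fallback to a human user's privileges.
TOOL_POLICY = {
    "support-bot": {
        "search_tickets": {"risk": "low", "scope": "tickets:read"},
        "export_customers": {"risk": "high", "scope": "customers:export"},
        "send_external_email": {"risk": "high", "scope": "email:send"},
    }
}

# Credential- and PII-shaped substrings that must never reach a log.
SECRET_PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|token|password)\s*[:=]\s*\S+"),
    re.compile(r"\bsk-[A-Za-z0-9]{8,}\b"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
]

def redact(text: str) -> str:
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

@dataclass
class Gateway:
    audit_log: list[dict] = field(default_factory=list)
    approval_queue: dict[str, dict] = field(default_factory=dict)
    approved: set[str] = field(default_factory=set)

    def _record(self, **event) -> dict:
        self.audit_log.append(event)
        return event

    def call(self, identity: str, user_id: str, session_id: str, prompt: str,
             tool: str, args: dict, granted_scopes: set[str]) -> dict:
        # Audit record: hash for correlation, redacted excerpt for reviewers.
        base = {"event": "tool_call", "identity": identity, "user_id": user_id,
                "session_id": session_id, "tool": tool,
                "prompt_hash": "sha256:" + hashlib.sha256(prompt.encode()).hexdigest(),
                "prompt_excerpt": redact(prompt)[:80]}
        rule = TOOL_POLICY.get(identity, {}).get(tool)
        if rule is None:
            return self._record(**base, decision="deny", reason="tool not in allowlist")
        if rule["scope"] not in granted_scopes:
            return self._record(**base, decision="deny", reason=f"missing scope {rule['scope']}")
        if rule["risk"] == "high":
            # Key the approval on the canonical action, not the prompt text, so a
            # rephrased or retried request maps onto the same pending item.
            canon = json.dumps({"identity": identity, "tool": tool, "args": args}, sort_keys=True)
            req_id = "apr_" + hashlib.sha256(canon.encode()).hexdigest()[:16]
            if req_id not in self.approved:
                self.approval_queue.setdefault(req_id, {"tool": tool, "args": args, "by": user_id})
                return self._record(**base, decision="pending_approval", reason=req_id)
            self.approved.discard(req_id)  # single use: the next identical call waits again
        return self._record(**base, decision="allow", reason="policy ok",
                            result=f"executed {tool}")  # stand-in for the real call

    def approve(self, req_id: str, reviewer: str) -> bool:  # review workflow only
        if self.approval_queue.pop(req_id, None) is None:
            return False
        self.approved.add(req_id)
        self.audit_log.append({"event": "approval", "request": req_id, "reviewer": reviewer})
        return True

def demo() -> dict:
    """Constructed walkthrough: an allowed call, a denied call with a secret in
    the prompt, and a high-risk export that stays pending however it is phrased."""
    gw = Gateway()
    scopes = {"tickets:read", "customers:export"}
    who = ("support-bot", "u_1842", "sess_7f2c")
    export = ("export_customers", {"format": "csv"})
    out = {
        "ok": gw.call(*who, "find open tickets for acme", "search_tickets", {"q": "acme"}, scopes),
        "denied": gw.call(*who, "email them, password=hunter2", "send_external_email",
                          {"to": "x@example.com"}, scopes),
        "first": gw.call(*who, "export all customers to csv", *export, scopes),
        "rephrased": gw.call(*who, "just dump the customer list, urgent", *export, scopes),
    }
    gw.approve(out["first"]["reason"], reviewer="sec-oncall")
    out["after"] = gw.call(*who, "export all customers to csv", *export, scopes)
    out["again"] = gw.call(*who, "export all customers to csv", *export, scopes)
    out["queue"], out["log"] = gw.approval_queue, gw.audit_log
    return out
```

<p>Two design choices carry the security argument. The pending request ID is derived from the identity, tool and sorted arguments, so the rephrased export in <code>demo()</code> lands on the same queue entry as the first one instead of opening a second chance, and once the reviewer's approval is consumed the next identical export waits again. Every decision, including the denials, is written to the audit log with the prompt's SHA-256 and a redacted excerpt, which matches the Step 4 schema and keeps the <code>password=hunter2</code> in the denied request out of the log.</p>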
<h2>Common mistakes</h2>
<ul>
<li>Giving the assistant a human admin token. Fix: create a dedicated role with least privilege and separate credentials.</li>
<li>Logging raw prompts with secrets in them. Fix: redact tokens, passwords, and personal data before logs are stored, and log a prompt hash instead of the prompt.</li>
<li>Letting retrieval access exceed source permissions. Fix: apply the same ACLs and row-level rules to the vector index and document store, and re-index when labels change.</li>
</ul>
<h2>What's next</h2>
<p>Once the baseline is in place, extend it with red-team testing, prompt-injection defenses, policy-as-code checks, and periodic access reviews so you can prove the assistant stays within its guardrails as your product and data estate grow.</p>
<h2>Key takeaways</h2>
<ul>
<li>AI assistants need their own constrained identity, not broad inherited access.</li>
<li>Security for agents must cover the data layer, retrieval layer, and tool layer.</li>
<li>Audit logs and approval gates make assistant actions explainable and reviewable.</li>
</ul>
<p>Source: <a href="https://www.techrepublic.com/article/news-ai-agent-data-layer-security-may-2026-2/">www.techrepublic.com</a>. Published 2026-05-28. Category: ai-agent. Tags: AI security, AI agents, access control, encryption, audit logs, least privilege. A Chinese translation of this article is published under the slug how-to-secure-ai-assistants-end-to-end-zh.</p>
</article>