Granting a model the ability to act changes the central question from what it can produce to what it can damage. A system that only answers has a failure mode measured in a single incorrect response. An agent with access to a filesystem, a shell, and authenticated accounts has a failure mode measured by the full extent of what those credentials can reach. Blast radius, a term borrowed from systems and safety engineering for the scope of damage when one component fails, is the right frame for reasoning about agents, because an agent will fail, through a flawed instruction, a prompt injection carried in data it processed, or a simple misreading of an ambiguous task, and the only variable that matters when it does is how far that failure propagates.
The design tension is direct and is often resolved in the wrong direction. There is a strong pull toward granting an agent broad access so that it can handle whatever it encounters, and that breadth is exactly what turns a contained mistake into a serious one. Every capability granted to the agent is a capability an attacker inherits the moment they gain influence over it, and a language model is an unusually soft target for that influence, susceptible to being argued into actions a conventional program would never take. An agent scoped to a single read only directory fails harmlessly, an agent holding write access to production systems and a privileged credential fails expensively, and the difference between those outcomes is a decision made at design time about how much authority to concede.
The controls that contain an agent are neither new nor sophisticated, and that is a strength rather than a limitation. Grant the narrowest set of permissions the task actually requires and nothing held in reserve for convenience. Require explicit human confirmation before any irreversible or high impact action rather than allowing the agent to proceed unsupervised. Log every action the agent takes so that a mistake can be traced, understood, and reversed. Run the agent in an environment where the worst plausible outcome is bounded, a sandbox, a short lived and tightly scoped credential, a working directory it cannot escape. This is the same containment applied to any process that is not fully trusted, and an agent, driven by a component that can be manipulated through its inputs, belongs firmly in that category.
An agent is not dangerous because it is capable of reasoning, it is dangerous because it is capable of acting, and capability without containment is simply an unmanaged risk waiting for the input that triggers it. The value of agentic systems is real, and the answer is not to avoid them but to build them on the assumption that they will occasionally do the wrong thing, and to ensure that when they do, the damage is small by design. Engineering for the failure rather than for the demonstration is the discipline that separates the organizations that deploy agents safely from the ones that learn the meaning of blast radius from an incident report.