If we can remember back to the arrival of ChatGPT, there was a lot of worry about LLMs interacting with systems, from the user’s filesystem to the open Internet. Now we’re all pretty comfortable - sure, there are scams and the occasional company losing its files, but the blast radius from these issues seems contained. This illusion of comfort will fall away as we move to an agentic Internet. With LLMs communicating and transacting, the potential blast radius is suddenly exponentially larger. Once venturing forth from our laptops and closed networks, agents will be the targets of continuous attacks. But agents need to explore this larger world and yet be subject to standard security constraints. ...