🔍AI RiskAtlas

The Agent With the Master Key

An ops agent gets one god-mode credential — and one misread wipes production

Technique first revealed 04 May 2023

[Diagram: Tool-Using Agent architecture. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Staging DB (intended target). Edge types: instructions, data, actions, control / decision, feedback / logs.]
Setup (step 1 of 6)

One key to rule them all

To save setup time, the team gives the AI agent one database login that can do absolutely anything — read, write, create, and delete — on every database they own, including the live one customers depend on. The reasoning: 'we don't know in advance what it'll need, so give it everything.'

Agent credential grant (over-permissioned), config:
# agent-identity.yaml  (as deployed)
principal: ai-ops-agent
grants:
  - environments: [dev, staging, prod]   # all of them
    privileges: [SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, TRUNCATE]
scope_to_task: false        # <-- no per-task scoping
require_approval_for: []    # <-- nothing requires sign-off
# rationale (PR comment): "give it full access so it can do whatever the task needs"
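As an added example (not AI RiskAtlas code, and not the scenario's own tooling), the deployed grant above is placed beside a hypothetical least-privilege version, and a small policy check of the kind an Identity & Permissions layer could apply to each statement the agent proposes. The task-scoping rule models the "misread" in the subtitle: a task meant for staging that ends up pointed at prod. All names and the hardened values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    """One principal's database grant, mirroring the keys in agent-identity.yaml."""
    principal: str
    environments: set
    privileges: set
    scope_to_task: bool
    require_approval_for: set = field(default_factory=set)

# As deployed in the scenario: every environment, every privilege, no sign-off.
DEPLOYED = Grant("ai-ops-agent", {"dev", "staging", "prod"},
                 {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "TRUNCATE"},
                 scope_to_task=False)

# Hypothetical hardened grant (assumption, not on the page): staging only,
# DDL removed entirely, row deletes allowed but gated behind human approval.
HARDENED = Grant("ai-ops-agent", {"staging"},
                 {"SELECT", "INSERT", "UPDATE", "DELETE"},
                 scope_to_task=True, require_approval_for={"DELETE"})

def check_action(grant, environment, statement, task_environment=None):
    """Decide what the tool runtime should do with one proposed SQL statement.

    Returns "allow", "needs_approval" or "deny". The statement's leading
    keyword is treated as the privilege it exercises (DROP TABLE -> DROP).
    """
    parts = statement.strip().split(None, 1)
    if not parts:
        return "deny"                      # empty statement: nothing to run
    verb = parts[0].upper()
    if environment not in grant.environments:
        return "deny"                      # credential never reaches this DB
    if grant.scope_to_task and environment != task_environment:
        return "deny"                      # target drifted from the task's scope
    if verb not in grant.privileges:
        return "deny"                      # privilege was never granted
    if verb in grant.require_approval_for:
        return "needs_approval"            # hand off to the Human Approval Gate
    return "allow"

if __name__ == "__main__":
    # The scenario's failure: a DROP aimed at prod sails through as deployed.
    print(check_action(DEPLOYED, "prod", "DROP TABLE orders"))            # allow
    # Same misread under the hardened grant: the task was for staging.
    print(check_action(HARDENED, "prod", "DROP TABLE orders", "staging"))  # deny
```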

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan