This part really stood out to me:
"The agent can request an action. It should not be the authority that approves the action."
I've seen a lot of teams spend weeks hardening prompts while leaving the actual authorization decision inside the agent loop. That's a risky trade because prompts are guidance, not enforcement.
What makes agent systems different from traditional apps is that the blast radius grows with every new tool. The first question shouldn't be "Can the agent call this tool?" but "Who is allowed to approve this action when the agent asks?"
To me, the strongest pattern is treating tool calls exactly like API requests: authentication, authorization, audit trail, then execution. Once you look at it that way, letting the agent approve its own tool call feels as strange as letting an API bypass its own permission checks.
Really enjoyed the focus on architecture over prompt engineering here. The security boundary should live in code and policy, not in the model's reasoning.
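The "authentication, authorization, audit trail, then execution" flow described in the comment above, as an added example that is not code from the original post or from the article it responds to. The principal names, the policy table, the HMAC-signed session-token scheme and the tool stubs are all constructed assumptions; the point it shows is that the approval decision lives in a gateway outside the agent loop, and that the requester is structurally barred from approving its own action.

```python
"""Tool-call gateway: authenticate, authorize, audit, then execute.

Added example (not from the original post). The policy values, the
HMAC session-token scheme and the tool implementations are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed secret: held by the platform that runs the gateway, never by the agent.
PLATFORM_KEY = b"constructed-demo-key"

# Constructed policy: which principals may call which tools, which tools need an
# explicit approval, and which identities are allowed to give that approval.
POLICY = {
    "allowed": {"agent:support-bot": {"search_tickets", "refund"}},
    "requires_approval": {"refund"},
    "approvers": {"human:alice", "service:finance-policy"},
}

# Constructed tool implementations standing in for real side-effecting calls.
TOOLS = {
    "search_tickets": lambda args: f"tickets matching {args['query']!r}",
    "refund": lambda args: f"refunded {args['amount']} to {args['customer']}",
}

AUDIT_LOG: list = []


@dataclass
class ToolRequest:
    principal: str                     # identity the request is made on behalf of
    tool: str
    args: dict
    token: str                         # platform-issued HMAC binding the principal
    approved_by: Optional[str] = None  # who approved it, if the tool requires approval


def issue_token(principal: str) -> str:
    """Platform side: mint a session token that binds the principal identity."""
    return hmac.new(PLATFORM_KEY, principal.encode(), hashlib.sha256).hexdigest()


def authenticate(req: ToolRequest) -> bool:
    """Step 1: the caller must present a token the platform actually issued."""
    return hmac.compare_digest(issue_token(req.principal), req.token)


def authorize(req: ToolRequest) -> tuple:
    """Step 2: policy decides; the agent is only ever the requester here."""
    if req.tool not in POLICY["allowed"].get(req.principal, set()):
        return False, "tool not allowed for principal"
    if req.tool in POLICY["requires_approval"]:
        if req.approved_by is None:
            return False, "approval required"
        if req.approved_by == req.principal:
            return False, "requester may not approve its own action"
        if req.approved_by not in POLICY["approvers"]:
            return False, "approver not recognised"
    return True, "ok"


def gateway(req: ToolRequest) -> dict:
    """Policy enforcement point between the agent loop and the tools."""
    entry = {"principal": req.principal, "tool": req.tool, "args": req.args,
             "approved_by": req.approved_by}
    if not authenticate(req):
        entry["decision"] = "deny:authentication failed"
        AUDIT_LOG.append(entry)
        return {"ok": False, "reason": "authentication failed"}
    ok, reason = authorize(req)
    entry["decision"] = "allow" if ok else f"deny:{reason}"
    AUDIT_LOG.append(entry)  # Step 3: record before executing, so denials are logged too
    if not ok:
        return {"ok": False, "reason": reason}
    return {"ok": True, "result": TOOLS[req.tool](req.args)}  # Step 4: execute


if __name__ == "__main__":
    tok = issue_token("agent:support-bot")
    print(gateway(ToolRequest("agent:support-bot", "search_tickets", {"query": "vpn"}, tok)))
    print(gateway(ToolRequest("agent:support-bot", "refund",
                              {"amount": 10, "customer": "c1"}, tok,
                              approved_by="agent:support-bot")))
    print(gateway(ToolRequest("agent:support-bot", "refund",
                              {"amount": 10, "customer": "c1"}, tok,
                              approved_by="human:alice")))
    print(gateway(ToolRequest("agent:support-bot", "refund", {}, "forged-token")))
```

Every request, allowed or denied, lands in `AUDIT_LOG` before any tool runs, so the trail reflects decisions rather than outcomes. The approver check compares against a separate allow-list and rejects a requester naming itself, which is the code-level form of "the agent can request an action, it should not be the authority that approves it."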