The first one is that the email summarize “agent” should only have permission to summarize emails. That can be a system permission. Any data that the AI gathers and trains itself on is sandboxed to only be used by that agent.
There needs to be another “agent” that sends email. That agent only has system permissions to send emails. Any data that it collects can only be used by its agent.
You don’t give the AI “admin” access. You treat different capabilities as different users with least privilege. Agents can’t direct other agents. Yes it limits the capabilities.
The first one is that the email summarize “agent” should only have permission to summarize emails. That can be a system permission. Any data that the AI gathers and trains itself on is sandboxed to only be used by that agent.
There needs to be another “agent” that sends email. That agent only has system permissions to send emails. Any data that it collects can only be used by its agent.
You don’t give the AI “admin” access. You treat different capabilities as different users with least privilege. Agents can’t direct other agents. Yes it limits the capabilities.