Agent Blast Radius
The set of resources, actions, and identities that an agent can reach through its tools, delegation chain, and memory — and therefore the maximum possible impact if the agent is compromised.
An agent's blast radius is the maximum harm it could cause if fully compromised. It is determined by the tool surface (what actions the agent can take), the delegation chain (whose authority the agent acts under, and therefore which permissions it inherits), the data flows and memory it can read and write, and the downstream systems its actions can affect. The blast radius is a property of the agent's design, not of its current behaviour: an agent that has never misused a tool still carries the full impact of every tool it can reach.
Calculating the blast radius is part of any agentic security review. For each tool the agent can invoke, enumerate what that tool can affect: which data, which systems, which downstream actions, and whether the effect can be undone. Compose the per-tool impacts by taking their union, bounded by the permissions of the identity the agent acts under (a tool that is wired in but that the delegated identity cannot use adds nothing to the envelope until someone widens that identity). The result is the agent's blast radius envelope.
Blast radius is the answer to the question that determines the clearance decision: 'if this agent is compromised, what is the worst that could happen?' If the answer is 'send a poorly-worded reply', the clearance scope can be broad. If the answer is 'cancel all purchase orders in the system of record', the clearance scope must be much more restrictive, and the human-in-the-loop boundaries become non-negotiable.
Required controls for blast radius management: scope-limited tool access (only the tools the agent needs); human approval boundaries on irreversible actions; allowlists for external API calls; rate limits on per-session impact; and documented re-assessment triggers when the tool surface changes.
Blast radius changes over the agent's lifecycle. The agent that started with three tools may, six months later, have eight. Scope creep is a primary risk category (OWASP Agentic A10) precisely because blast radius grows silently if not actively managed. Quarterly review of the actual tool surface against the approved tool surface is a useful operational control.
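The review procedure above, the controls listed for blast radius management, and the approved-versus-actual tool surface check, worked through as an added example. This is illustrative code written for this entry, not code from the original page or from any agent framework: the Tool manifest shape, the purchasing-assistant tools, the delegated permission set, the approved surface and the approve() callback are all constructed assumptions.

```python
# Added example (not from the original page): compute an agent's blast-radius
# envelope from per-tool impact declarations, enforce the runtime controls named
# in the text, and diff the deployed tool surface against the approved one.
# Tool manifests, permissions and the approve() callback are constructed here.
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class Tool:
    name: str
    resources: frozenset        # data or systems the tool can touch
    actions: frozenset          # e.g. "read", "write", "cancel"
    reversible: bool            # False => needs a human approval boundary
    external_hosts: frozenset = frozenset()   # outbound API hosts the tool calls


@dataclass
class Envelope:
    resources: set = field(default_factory=set)
    reach: set = field(default_factory=set)        # (resource, action) pairs
    external_hosts: set = field(default_factory=set)
    irreversible: set = field(default_factory=set)  # names of irreversible tools


def blast_radius(tools, delegated_permissions):
    """Union of per-tool impacts, bounded by the delegated identity.

    delegated_permissions is the set of (resource, action) pairs the identity the
    agent acts under actually holds; a tool can only reach what that identity can.
    """
    env = Envelope()
    for t in tools:
        reachable = {(r, a) for r in t.resources for a in t.actions} & set(delegated_permissions)
        if not reachable:
            continue              # wired in, but unusable under this identity
        env.reach |= reachable
        env.resources |= {r for r, _ in reachable}
        env.external_hosts |= t.external_hosts
        if not t.reversible:
            env.irreversible.add(t.name)
    return env


class Session:
    """Runtime enforcement: scoped tools, host allowlist, approval gate, rate limit."""

    def __init__(self, tools, host_allowlist, max_irreversible, approve):
        self.tools = {t.name: t for t in tools}   # scope-limited tool access
        self.host_allowlist = set(host_allowlist)  # allowlist for external calls
        self.max_irreversible = max_irreversible  # per-session impact limit
        self.approve = approve                    # human-in-the-loop callback
        self.irreversible_count = 0

    def invoke(self, tool_name, url=None):
        tool = self.tools.get(tool_name)
        if tool is None:
            return "denied: tool not in approved surface"
        if url is not None:
            host = urlparse(url).hostname
            if host not in self.host_allowlist:
                return f"denied: host {host} not allowlisted"
        if not tool.reversible:
            if self.irreversible_count >= self.max_irreversible:
                return "denied: per-session irreversible action limit reached"
            if not self.approve(tool_name):
                return "denied: human approval withheld"
            self.irreversible_count += 1
        return f"ok: {tool_name}"


def tool_surface_drift(approved, actual):
    """Re-assessment trigger: any difference between approved and deployed tools."""
    approved, actual = set(approved), {t.name for t in actual}
    return {"added": actual - approved, "removed": approved - actual}


# Constructed sample: a purchasing assistant whose tool surface has crept.
TOOLS = [
    Tool("search_orders", frozenset({"orders"}), frozenset({"read"}), True),
    Tool("draft_reply", frozenset({"mail"}), frozenset({"write"}), True),
    Tool("cancel_order", frozenset({"orders"}), frozenset({"cancel"}), False),
    Tool("lookup_supplier", frozenset({"suppliers"}), frozenset({"read"}), True,
         frozenset({"api.supplier.example"})),
]
DELEGATED = {("orders", "read"), ("orders", "cancel"), ("mail", "write"),
             ("suppliers", "read")}
APPROVED_SURFACE = {"search_orders", "draft_reply", "lookup_supplier"}


def review():
    env = blast_radius(TOOLS, DELEGATED)
    session = Session(TOOLS, {"api.supplier.example"}, max_irreversible=1,
                      approve=lambda name: name == "cancel_order")
    outcomes = [
        session.invoke("search_orders"),
        session.invoke("lookup_supplier", "https://evil.example/x"),
        session.invoke("cancel_order"),
        session.invoke("cancel_order"),        # second one hits the session limit
        session.invoke("delete_supplier"),     # not in the tool surface
    ]
    return env, outcomes, tool_surface_drift(APPROVED_SURFACE, TOOLS)


if __name__ == "__main__":
    for item in review():
        print(item)
```

Running review() shows the three things the text asks for: the envelope lists cancel_order as the one irreversible tool reachable under the delegated identity (drop ("orders", "cancel") from DELEGATED and it disappears, which is the delegation-chain bound in practice); the session denies the off-allowlist host, the second cancel, and the unknown tool; and the drift check flags cancel_order as a tool that was added without re-assessment.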