Agency is arriving faster
than the controls.
Every quarter, more AI systems move from answering questions to taking actions. The security model underneath them has not kept pace.
Chatbot security was a content problem. Agent security is a systems problem.
For three years the industry has treated AI safety as text filtering — does the model say something it shouldn't. That framing was adequate while models only produced words. It stops being adequate the moment a model can call a tool, write to a database, or authorize a payment. At that point a prompt injection is no longer a bad answer; it is an unauthorized transaction, a deleted table, or data leaving your perimeter. OWASP named this LLM06, Excessive Agency, and it is the gap most AI security tooling still doesn't cover, because inspecting prompts tells you nothing about what the agent is permitted to do.
The controls that actually work here are not new — least privilege, authorization boundaries, blast-radius limits, audit trails, human approval on irreversible actions. They are the same controls that took decades to mature in banking and government systems, now applied to a non-deterministic caller. That is the work: bringing hard-won systems-security discipline to software that improvises. SwishOS exists to do that, and to prove it on a real agent that spends real money before asking anyone else to trust the approach.